Windows Server 2008 - Give my ASP.NET website write permission to a folder - asp.net

I have a folder "foo" which resides under the root folder of my ASP.NET website.
My ASP.NET website has a file browser control which enables (authenticated) users to upload files, create folders, move folders, delete file/folders etc. in the "foo" folder.
What permissions should the "foo" folder have?
It is a Windows Server 2008 / IIS 7 box.
Many thanks.

Depending on the authentication method you are using, either the end user or the Application Pool Identity user will need Modify privileges to the foo folder.
UPDATED:
It sounds like you are using Anonymous Authentication, but are authenticating the user in your DB via your application.
Check your IIS to determine which identity Anonymous Authentication is using. The default is IUSR, but you can also decide to use the application pool identity, in which case, you will need to check your Application Pool Identity.
If you have stuck with the defaults, you will likely only need to add Modify permissions to the built-in IUSR user.
Additional background info: Understanding Built-In User and Group Accounts in IIS 7

Related

IIS and ASP.NET impersonation

What risk is a user exposed to if he accesses a .net web application with impersonation enabled?
What impersonation level is ASP.NET impersonation?
This is the documentation of impersonation-levels.
Can I create a website, then lure a sysadmin to open it and do some bad stuff in his name (like adding me to the local sysadmins; I can deploy web applications but I am not an admin)? What are the boundaries of this impersonation? I did not find any precise description in the docs.
First of all you need to understand what ASP.NET Impersonation is. Apart from the MSDN definition, in layman's terms, ASP.NET impersonation is the ability to get the user information of the Active Directory logged-in user on the machine using a client-side ASP.NET application.
As you mentioned, there are different impersonation levels. But before going into that you need to understand that ASP.NET is a managed environment. It exists under the scope of an IIS application pool. So any application's ability is limited to what a web application in a managed environment can do on the server.
To directly answer your concerns, these are a few considerations:
If you can host an application in IIS having ASP.NET impersonation, you should be an admin of that machine (non-admin users can't even open IIS).
An IIS application can't do administrative tasks like creating or deleting users or changing user permissions without calling some native application for manipulating Active Directory (it needs to be configured and much work needs to be done; a non-admin can't think of that). That is almost impossible; even if it is somehow possible with some 3rd-party unmanaged code, a non-admin user cannot install those tools/SDKs on the server without having direct access to the servers.
ASP.NET impersonation is mainly for Active Directory users, and Active Directory exists in securely managed environments on a VPN or office premises. You need to be an Active Directory user to access impersonation. Even if you somehow did that (not possible without admin server access), the audit/system logs/network logs will find which insider did something like that, so what that means inside an organisation (apart from getting fired) I leave up to you.
If you still think ASP.NET impersonation is unsafe, you can ask questions. :)
UPDATE for comments
The impersonation level link you got above is for desktop/Windows applications which run in full trust. ASP.NET application impersonation is just a way to get the identity of an Active Directory user with some defined attributes, and it is mainly used for authentication & authorization. I again reiterate, ASP.NET is a managed application inside an app pool which can only perform actions which are authorized for the account from which you have hosted the application, and even with that, native/administrative actions like creating or modifying Active Directory user access are not possible without calling some other SDK which is already trusted & installed on that machine.
To summarize, operations like creating or deleting files in the place where you have given directory access to the web app are possible (also on the network if permission exists, for the user used for hosting, not the one logging in), but deleting everything on the server or performing administrative tasks like AD user creation/modification is not possible via login of an admin impersonated by an ASP.NET web app without the assistance of already installed trusted unmanaged software that can do this.
I had a palaver with my sysadmin yesterday. If the user is authenticated by Kerberos, it is possible that the web application accesses resources on other servers on behalf of the user (delegation). Kerberos constrained delegation works with a whitelist.
If my application needs to read files on a file share with the credentials of the logged-in user, the security admin has to add an entry that my application (identity of the app pool) may access this file server in the name of the logged-in user. I cannot create a malware application that reads all the emails of my boss just because he is visiting my web app.
See https://blogs.technet.microsoft.com/pie/2017/06/30/credential-theft-made-easy-with-kerberos-delegation/

Allow Anonymous Access to a single file in IIS

Following some internal documentation it says in IIS, go and allow Anonymous Access to some file.
So in IIS I found the folder and file in it, selected the file and clicked on Edit Permissions, but still can't find "Anonymous" to add it. Where can I find Anonymous?
I am on IIS 7.0, Windows 7
Since IIS 7, the account IIS uses to perform actions when an anonymous user uses a website is the one named IUSR.
That is, unless the account used for anonymous authentication has been changed.
You will need to give read permissions to the same identity that your application's app pool is running under. If you are using the default app pool with the default settings, you can follow the instructions in this post: IIS7 Permissions Overview - ApplicationPoolIdentity

What determines Authentication for a folder in IIS?

I have a folder under a web site that causes a request for authentication whenever I try and access it or any of its sub-folders. In IIS, 'Authentication' only has Anonymous enabled, and '.NET Authorization Rules' is set to 'Allow all Users'.
What could make IIS request authorization when I try and access this folder? Is there anything in the web app that could cause authorization to be requested?
This is IIS 8 under Windows 8. The application was developed under Windows 7 and transferred to Windows 8.
Anonymous Authentication uses an identity to access files on disk. You can check what identity by right-clicking Anonymous Authentication in IIS and selecting Edit... It is probably using IUSR (that is the default).
You have 3 options:
Give the IUSR account or the IIS_IUSRS group permission to access the folder
Set a different specific user that has access
Set Anonymous Authentication to use the application pool identity, then grant this (virtual) account permissions to access the folder

System.UnauthorizedAccessException while saving a file

I published my website on IIS 6.
When saving a file with File.WriteAllText(@"C:\" + txtSaveExport.Text + ".CSV", b.ToString()); it gives this error:
System.UnauthorizedAccessException: Access to the path 'C:\hj.CSV' is denied. ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
How can this be handled?
You need to give write permissions to the ASP.NET user on that folder.
See this:
http://devnet.logixml.com/rdPage.aspx?rdReport=Article&dnDocID=209
Best regards.
It's not a good idea to write to an arbitrary directory on the C: drive. I suggest you not give permissions to write under C:; rather, write to a directory under your web app's directory, which you can get with Server.MapPath("~"). Make sure you give write access to the application pool's user account on whatever folder under your app directory you use, and you'll be much safer.

Asp.net Account in windows 7?

I want to authorize the asp.net account to access some folders in my project.
However, I get this error:
System.UnauthorizedAccessException: Access to the path 'D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs' is denied.
I am using win 7 so what is the name of the asp.net account that I should use?
This depends on a couple of things:
What identity is the application pool running as?
What IIS authentication method are you using?
If you are using IIS7 in Classic Pipeline Mode, what authentication method are you using for ASP.NET (see your web.config file).
Try running visual studio as Administrator.
Under Win7 the default IIS user is ApplicationPoolIdentity. This is somewhat confusing as it's not a real user account. In order to adjust the permissions you need to drop to the command line first and issue
icacls D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
From there you can return to explorer and edit the permissions using the properties tab for the directory. Or you can simply type "IIS APPPOOL\DefaultAppPool" in the add users field in explorer, but I have a preference for icacls myself :)
Probably you want to add the permissions a bit further up the tree. In real shared hosting scenarios application pools tend to get their own full user accounts, but Server 2008/Win7 added the app pool user so pools can be created and isolated without having to do that.
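The two answers above (Modify for either IUSR or the app pool identity, and the icacls grant) can be combined into one script that first reads which identity Anonymous Authentication actually resolves to and then grants only that principal, only on the writable folder. This is an added example, not code from any of the posts; the site name and folder path are placeholders, and it assumes the WebAdministration module from IIS 7 or later.

```powershell
# Added example: resolve the identity IIS uses for anonymous requests, then grant it
# Modify (not Full Control) on the upload folder only, so the site root stays read-only.
Import-Module WebAdministration

$siteName  = 'Default Web Site'                  # placeholder: your IIS site
$uploadDir = 'C:\inetpub\wwwroot\YourSite\foo'   # placeholder: the one folder users may write to

# anonymousAuthentication/userName: "IUSR" by default; an empty string means
# "use the application pool identity" (the virtual IIS APPPOOL\<pool> account).
$anonAuth = Get-WebConfiguration `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -PSPath "IIS:\Sites\$siteName"

if ([string]::IsNullOrEmpty($anonAuth.userName)) {
    $pool     = (Get-Item "IIS:\Sites\$siteName").applicationPool
    $identity = "IIS APPPOOL\$pool"   # not listed as a local user, but accepted by icacls
} else {
    $identity = $anonAuth.userName
}
Write-Host "Anonymous requests run as: $identity"

if (-not (Test-Path $uploadDir)) { throw "Upload folder not found: $uploadDir" }

# M = Modify; (OI)(CI) inherit to files and subfolders created by the file browser control.
icacls $uploadDir /grant "${identity}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: list the ACEs that now apply to that principal on the folder.
$shortName = $identity.Split('\')[-1]
(Get-Acl $uploadDir).Access |
    Where-Object { $_.IdentityReference.Value -like "*$shortName" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If the application authenticates users via Windows/Kerberos with impersonation enabled, the request identity is the end user rather than this account, and the grant must target those users or their group instead.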
This worked for me:
On the folder of your application, which might be something like:
C:\Users\YourName\Documents\YourSite
or
C:\inetpub\wwwroot\YourSite
Right-click the folder, choose Properties, go to the Security tab.
You need to add IIS_IUSRS to this list, and probably give it full control.
Then, in IIS Manager, assuming you've set up your project folder as an application here, click on your folder/application. Then click the Authentication option. Right click the Anonymous Authentication, and check the user identity. Mine is IUSR.
Go back to your folder security, and add this user, with full control too.
Hopefully it works now!

Resources