ASPNET Security best practices
Message
From
25/02/2003 10:17:11
Keith Payne
Technical Marketing Solutions
Florida, United States
 
General information
Forum:
ASP.NET
Category:
Other
Miscellaneous
Thread ID:
00757129
Message ID:
00757543
Views:
12
Beth,

If you are using SYSTEM in machine.config, make sure that all other security measures are in place. E.g. make sure the root web folder and all children have super-tight NTFS permissions. A hacker can wipe out your server if they find a way to replace a legitimate .aspx file with their own.

You might want to try the Microsoft Baseline Security tool (free on microsoft.com). I find it useful in pointing out areas that need added security.

>Okiedokie artichokies.... we got it working
>
>So it looks like the only way to fix this problem on a Domain Controller is to configure the asp.net worker process to run under the local SYSTEM account in the Machine.Config. This is the Microsoft solution that is NOT recommended. Should I be scared?.. maybe. Does it work now...yep. Is it a bug?...definitely <g>. I saw on a Newsgroup somewhere that this is addressed in 1.1.
>
>Thanks to my asp.net peeps!
>
>-B
>
>>Okay, I just spoke to the guy who is installing the app and I was mistaken, the KB article solution does not work and neither does the impersonate in the Web.Config. Hmmmm... So what else could be causing this "Server Application Unavailable" error?
>>
>>TIA,
>>-B
>>
>>>Hi-ya Cathi!!!!
>>>
>>>Ya, that's what I'm hoping. We'll see tomorrow when I get in touch with the guy who's supposed to be installing it. Also I was thinking for an internal website (intranet only), would it be *really* bad to grant access to the SYSTEM account? I say yes, but....
>>>
>>>Ya see, no one ever wants to reboot a server and you shouldn't ever have to - e.g. what if there are other jobs running all the time? Or the server needs to be up 24/7? Okay, not really an issue for this small client, but sometimes I work for big companies too ;-) I guess we are all just so used to rebooting Windows servers every five minutes...lol.
>>>
>>>FWIW, this is probably fixed in .NET server... whoop-pi-de-do. Too bad everyone'll be on Win2k server for the next 5 years <s>...
>>>
>>>So you better watch out now Cathi, now that I'm actually a .NET consultant, I may have some REALLY hard questions for ya! <vbg>
>>>
>>>Take Care,
>>>-B
>>>
>>>
>>>>Hi Beth!
>>>>
>>>>Based on the error that is occurring and the work-around suggested, it appears that using impersonation "should" work without needing to reboot.
>>>>
>>>>>Hello asp.net people,
>>>>>
>>>>>I have a question regarding the solution presented in a KB article on asp.net web application errors related to configuring security for the asp.net worker process on a domain controller. The KB article is http://support.microsoft.com/default.aspx?scid=kb;en-us;315158
>>>>>
>>>>>The error is:
>>>>>-----
>>>>>Server Application Unavailable
>>>>>
>>>>>The web application you are attempting to access on this web server is currently unavailable.
>>>>>
>>>>>Please hit the "Refresh" button in your web browser to retry your request.
>>>>>-----
>>>>>
>>>>>Now the solution presented in the article works, however it requires a reboot of the server which is unacceptable for my client as it is a small business that only has one server, so the entire network is down in the process of configuring the security. I am wondering if using the impersonation section of the Web.config would resolve this, but it does not mention that as a solution in this particular KB article.
>>>>>
>>>>>Thoughts?
>>>>>
>>>>>Thanks,
>>>>>-B
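
The check recommended at the top of this thread (worker process identity in machine.config, plus NTFS permissions on the web root and its children), sketched as an added PowerShell audit that is not part of the original messages. Both default paths are assumptions, as is the allow-list of Administrators and SYSTEM as the only accounts expected to hold write access; it needs PowerShell 3.0 or later.

```powershell
# Added example (defensive audit); not code from the original thread.
# Both default paths are assumptions: pass the real ones for the server being checked.
param(
    [string]$MachineConfig = "$env:windir\Microsoft.NET\Framework\v1.0.3705\CONFIG\machine.config",
    [string]$WebRoot       = 'C:\Inetpub\wwwroot'
)

# Identity the ASP.NET worker process is configured to run as (<processModel userName="...">).
function Get-WorkerIdentity([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode('/configuration/system.web/processModel')
    if ($node) { $node.GetAttribute('userName') } else { $null }
}

# Write-capable bits only. Modify and FullControl are caught because they contain these bits.
$baseMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $baseMask -bor 0x10000000 -bor 0x40000000   # plus GENERIC_ALL and GENERIC_WRITE

# Assumed allow-list: BUILTIN\Administrators and NT AUTHORITY\SYSTEM (well-known SIDs).
$allowedSids = 'S-1-5-32-544', 'S-1-5-18'

# Emit every Allow ACE under $Root that grants write access to an account outside the allow-list.
function Get-WritableAce([string]$Root) {
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($isAllow -and $canWrite -and ($allowedSids -notcontains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$identity = Get-WorkerIdentity $MachineConfig
"processModel userName = $identity"
if ($identity -eq 'SYSTEM') {
    Write-Warning 'Worker process runs as SYSTEM: every finding below is a path to full control of the server.'
}
Get-WritableAce $WebRoot | Sort-Object Path | Format-Table -AutoSize
```

An empty table means only the allow-listed accounts can create, change or delete files under the web root. Rows marked as inherited are fixed on the parent folder rather than file by file.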