Basic security question

LP

Hi there,

I'm going to be using (anonymous) impersonation on my web site so everything
will run under IUSR. I'm a little confused about what end-users will be able
to do versus my app itself however. For instance, if I create a read-only
folder, my app (running under IUSR) can read it without issue. However, I
don't want end-users to be able to see it. Therefore, even if directory
browsing is turned off, is there any way for end-users to be able to read
what's in the folder since IUSR still has read permissions (or worse yet,
write to the folder if write permissions are also on)? Thanks in advance.
 
Since your app will be accessible to the end user and under their
control, anything your app can access can potentially be accessed by
the end-user. It doesn't matter how you authenticate or impersonate.

Your only defense is to not write a security vulnerability in your
application code to allow your security nightmare to happen.

For example, you can turn directory browsing off, but if your
application allows users to access CreateFile-like behavior, then depending
on its implementation, it may be vulnerable to being used for directory
browsing. Same thing with write permissions.

Since Web servers are designed to serve resources under their websites
after passing Authentication, if you want to prevent the end-user from
using the Web Server itself (not just your application) to read files
you want to hide, then do NOT put those files in directories that are
part of any website.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
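
An added illustration of the "CreateFile-like behavior" point in the reply above (not part of the original post and not code from any participant): a download helper that builds a file path from a request parameter, shown unchecked and then with a containment check. The names `DownloadPaths`, `Unsafe`, `Safe` and all paths are hypothetical, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;

// Added illustration; all names and paths here are hypothetical.
static class DownloadPaths
{
    // Vulnerable: the caller-supplied name is combined with the base folder
    // unchecked, so parent-directory segments or a rooted path let a request
    // reach any file the worker identity (IUSR in this thread) can read.
    public static string Unsafe(string baseDir, string requested)
    {
        return Path.Combine(baseDir, requested);
    }

    // Hardened: canonicalize first, then require the result to stay under baseDir.
    public static string Safe(string baseDir, string requested)
    {
        if (string.IsNullOrEmpty(requested) ||
            requested.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            throw new UnauthorizedAccessException("invalid name");

        // Trailing separator stops "downloads2" from matching "downloads".
        string root = Path.GetFullPath(baseDir).TrimEnd(
            Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("outside download folder");
        return full;
    }
}

static class Program
{
    static void Main()
    {
        string baseDir = @"C:\inetpub\data\downloads"; // constructed sample path
        string[] samples = { "report.pdf", @"..\..\wwwroot\web.config",
                             @"C:\Windows\win.ini", @"sub\..\..\secret.txt" }; // constructed inputs
        foreach (string s in samples)
        {
            string verdict;
            try { verdict = "allowed -> " + DownloadPaths.Safe(baseDir, s); }
            catch (UnauthorizedAccessException e) { verdict = "rejected (" + e.Message + ")"; }
            Console.WriteLine("{0,-28} unsafe={1}  safe={2}",
                s, DownloadPaths.Unsafe(baseDir, s), verdict);
        }
    }
}
```

The check only narrows what the application code will open; the NTFS permissions granted to the worker identity remain the outer limit on what a coding mistake can expose.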
 
Thanks for the info but I still need clarification. I don't completely
understand how to secure my site from anonymous users if read-only means
that not only can my app read the data (while running under IUSR), but so
can anonymous users on the Internet. The "App_Data" folder is a good
example. Can someone simply read this from their browser for instance (just
by guessing a file's name) or even write to it somehow. If so then to
protect against it, my first instinct would be to deny access to IUSR but
then my app would have to explicitly impersonate some other valid user in
order to access the folder. On a 3rd-party web-hosting site you would likely
have to use your personal account for that which means securing my password
on the server and then going through the trouble of impersonating. Moreover,
if I understand things correctly, the ASPNET account itself ("Network
Service" on Win2003 Server) still requires read/write to this folder (for
various housekeeping tasks) regardless of who my app is impersonating (IUSR
or otherwise). This all seems very complicated and therefore unlikely, i.e.,
I assume most web sites don't lock down "App_Data" this way meaning that
anonymous users can read its contents, is this not correct? If so then it's
a security problem so can you elaborate on this situation? Thanks.
 
ASP.NET "locks" down App_Data, so no browser requests for a file in the dir
are allowed. It will be safe unless your code has a security bug that allows
reading/writing from this folder.

-- bruce (sqlwork.com)
 
Thanks for setting me straight on that. What about other standard folders
like "bin", however?
For non-standard folders, I assume I would have to
explicitly deny access to IUSR and impersonate another account to access it
(in my own code which is also running as IUSR).
 