FileSystem Permissions


I am using .Net 2.0, writing a directory on a network share using
My.Computer.FileSystem.CreateDirectory. This works fine as long as USERS have
full share permissions on that directory. My administrator has been unable
to figure out which account to grant permissions to so that we can lock down
the security and not allow everyone access. Can you please tell me which
account .net uses for My.Computer.FileSystem CreateDirectory and writing
files?

Thanks.
 
Hi,

The share folder's permission is managed by Windows LAN manager instead of
.Net, so the access check is performed by the Windows kernel instead of .Net.
The account used to access the share folder with
My.Computer.FileSystem.CreateDirectory is the Windows account the current
application runs under. So you should grant the write permission to the
group of Windows accounts that your logic wants to grant access.

Furthermore, there are 2 types of permission settings involved in a share:
share permission and local NTFS permission. Only after a remote Windows
account has passed these 2 checks can it access the share directory
successfully. However, .Net does not expose classes to set the share
permission programmatically; we have to p/invoke the Win32 NetShare* APIs to
configure it:
"How to create a file share using .NET framework"
http://www.codeproject.com/dotnet/pinvokeaddshare.asp

.Net does expose classes to configure the NTFS DACL permission; the
"DirectorySecurity Class" page below contains sample code regarding how to
set up the DirectorySecurity object:
http://msdn2.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity.aspx
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramACLs.html

Additionally, although the remote Windows account may not have permission
to pass the permission checks, Windows LAN manager still provides another
way of passing them with a different set of credentials
(username/password). Please refer to my original reply below for
details/sample code of this approach:
http://groups.google.com/group/microsoft.public.platformsdk.security/msg/063d7b08b29e5642?hl=zh-CN&

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thank you.

This is very helpful.

I do have a question though, according to Task Manager, the .net application
is running under the user "Network Services". My administrator has given
that user share permissions and full NTFS permissions, yet we still get an
access denied error. Can you shed any light on that?

Thanks.

Bob

 
Hi Bob,

Thanks for your feedback.

Can you tell me why your .Net application runs under the "Network Service"
account instead of the interactive logon user account? I assume your .Net
application is Asp.net application, yes? Then, is your share folder on
remote machine with your Asp.net application, or are they in the same
machine? I suspect they are not in the same machine.

"Network Service" is a predefined account on the local machine, so every
machine has its own "Network Service" account. When one machine's "Network
Service" is trying to access a remote resource (such as files), it cannot be
identified as the "Network Service" account on the remote machine. It is
identified as the "machine account" of its own machine. So if this is your
scenario, you should grant the Asp.net application's machine account write
permission in both the share permission and the NTFS DACL permission.

To select the machine account in the ACL editor dialog, you should first
click "Object Types..." button to open the dialog, then you should check
"Computers" checkbox in the dialog. After clicking "Ok" button, you may
input "[machine name]$" in the "Enter the object names to select" textbox
and click "Check Name" button. For example, my machine name is "msjeff2", I
may input "msjeff2$" as my machine account name. Then, you may grant any
permission to your machine account now.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
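The NTFS side of the two checks described in Jeffrey's first reply, done programmatically with the DirectorySecurity class he points to, for the machine-account case from this reply. This is an added example, not code from the thread or the linked articles; `DOMAIN`, `WEBSRV01$`, `D:\Shares\Uploads` and the `BUILTIN\Users` grant being removed are placeholders, and the share permission itself still has to be set separately (GUI or NetShare* APIs).

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ShareFolderAcl
{
    // Grants Modify (read/write/delete, but not ownership or ACL changes) on
    // the folder and everything below it to exactly one principal. The
    // principal can be a machine account ("DOMAIN\WEBSRV01$") or a user.
    public static void GrantModify(string folder, string account)
    {
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        FileSystemAccessRule rule = new FileSystemAccessRule(
            new NTAccount(account),
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);
        acl.AddAccessRule(rule);
        Directory.SetAccessControl(folder, acl);
    }

    // Removes every explicit ACE for a principal, e.g. the broad "Users" grant
    // the original poster wants gone. Entries inherited from the parent are
    // untouched; call acl.SetAccessRuleProtection(true, true) first to stop
    // inheritance if they must go too.
    public static void RevokeAll(string folder, string account)
    {
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        acl.PurgeAccessRules(new NTAccount(account));
        Directory.SetAccessControl(folder, acl);
    }

    // Prints the explicit (non-inherited) ACEs so the result can be checked.
    public static void Dump(string folder)
    {
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        foreach (FileSystemAccessRule r in
                 acl.GetAccessRules(true, false, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-6} {1,-30} {2}",
                r.AccessControlType, r.IdentityReference, r.FileSystemRights);
        }
    }

    static void Main()
    {
        string folder = @"D:\Shares\Uploads";      // placeholder path
        GrantModify(folder, @"DOMAIN\WEBSRV01$");  // web server's machine account
        RevokeAll(folder, @"BUILTIN\Users");       // drop the everyone-style grant
        Dump(folder);
    }
}
```

Run it on the file server as an administrator; the `$` suffix is what makes the NTAccount lookup resolve to the computer object rather than a user.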
 
Thanks for the feedback.

I was just looking at the Task Manager, and it looked like the app was
running under the Network Service account, but I may be wrong on that (certainly
this is not my area of expertise).

What is the recommended way to handle this scenario? I do need to be able
to write to a shared drive on the network, create directories, delete files
and so forth, and don't want to give every possible user account access
rights to do that.

Thanks for your patience.



 
Hi Bob,

Thanks for your feedback.

Sorry, can you first help me to confirm whether your .Net application is an
Asp.net application? Whether or not your application is Asp.net, since your
application runs under the Network Service account and wants to access a remote
share folder, it will be identified as your machine account, as I originally
pointed out.

Have you tried my last reply suggestion of adding your machine account with
write permission in both share permission dialog and NTFS permission
dialog? Does it work for you?

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
 
Gerhard said:
I was just looking at the Task Manager, and it looked like the app was
running under the Network Service account, but I may be wrong on that
(certainly this is not my area of expertise).

What is the recommended way to handle this scenario? I do need to be
able to write to a shared drive on the network, create directories,
delete files and so forth, and don't want to give every possible user
account access rights to do that.

You can create a new application pool which runs under a different account,
and have a separate web site which uses that application pool.

Andrew
 
Thanks.

I am running asp.net version 2.0, to answer Jeffery's question.

Is there an article that explains how to create an application pool that
runs under a different account?

Thanks.
 
Gerhard said:
I am running asp.net version 2.0, to answer Jeffery's question.

Is there an article that explains how to create an application pool
that runs under a different account?

Probably, but it's quite easy:

Open IIS Manager
Navigate to the Application Pools section in the left pane.
Right-click to get to New Application Pool.
When it's created, right-click on it and choose Properties.
Under the Identity tab you can set the security account.

Still in IIS Manager, right-click on a web site and choose Properties.
In the Home Directory tab, you can choose the Application pool at the bottom
of the window.

Alternatively, you can create a virtual directory instead of a separate web
site and assign a thread pool to that.

You are going to test it on a development machine first, aren't you ;-)

Andrew
 
Hi Bob,

Oh, by reading Andrew's reply to you, it seems that you do not want your
Asp.net application to run under Network Service, but under a dedicated domain
account, so that you can grant write permission only to this dedicated domain
account instead of your machine account, yes?

To get this done, Andrew has provided you the way of changing the running
account of the Asp.net process. Additionally, if there is only one thread in
your Asp.net process that accesses the remote share, you may not need to change
the entire process's running account. You may just impersonate a dedicated
domain account in that one thread. Impersonating in Asp.net is very simple:
you may first p/invoke the LogonUser API to obtain a token for the domain
account and then create a WindowsIdentity with this token. Finally, you can
invoke its Impersonate method in that thread. By doing this, you can leave
the entire process under the low-privilege Network Service account and only
grant this impersonated account write permission on the share and NTFS
on the remote machine.

If you have anything unclear, please feel free to feedback, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
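The single-thread impersonation Jeffrey outlines (LogonUser token, WindowsIdentity.Impersonate, revert), written out as an added example rather than code from the thread or the CodeProject article. It assumes .NET 2.0 C#, and it uses logon type LOGON32_LOGON_NEW_CREDENTIALS (9), which swaps only the credentials used for outbound network access (like `runas /netonly`) so the worker process keeps its local Network Service identity; `FILESRV`, `DOMAIN\svc_upload` and the password are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ShareWriter
{
    public delegate void ShareAction();   // .NET 2.0 has no non-generic Action

    // Assumed logon type: only remote (SMB) access uses the new credentials.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs one filesystem action on the current thread under the dedicated
    // account and always reverts, even if the action throws.
    public static void RunAs(string domain, string user, string password,
                             ShareAction work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsImpersonationContext ctx =
                       WindowsIdentity.Impersonate(token))
            {
                work();
            }   // Dispose() calls Undo(): thread is back to the process identity
        }
        finally
        {
            CloseHandle(token);   // never keep the token beyond the operation
        }
    }

    static void Main()
    {
        string share = @"\\FILESRV\Uploads";   // placeholder UNC path
        // Placeholder credentials; in practice read them from protected
        // configuration rather than hard-coding them in the page.
        RunAs("DOMAIN", "svc_upload", "PLACEHOLDER_PASSWORD", delegate
        {
            Directory.CreateDirectory(Path.Combine(share, "incoming"));
        });
        Console.WriteLine("Back to " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Grant `DOMAIN\svc_upload` Modify on both the share and the NTFS folder and nothing else; the Network Service account (and hence the machine account) needs no rights on the share at all.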
 
Hi Bob,

The article below contains the sample code snippet:
"User Impersonation in .Net"
http://www.codeproject.com/useritems/User_Impersonation_in_Ne.asp

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
 