K
Ken Varn
I notice that ASP.NET has a user that runs on its behalf (ASPNET user). I
an concerned about site security and would like it if someone can explain
the security of the ASPNET user. In particular, is the password managed
automatically in the same way as the IIS password for the anonymous user
account? If this is true, how is the password managed? Is it re-generated
every-so-often or only once at installation?
Also, I have read various articles on different ASP.NET windows forms
authentication methods. Some code examples use the Win32 LogonUser()
function for WindowsIdentity account validation. Some of these code samples
indicate that the ASPNET user must be granted "Act as Part of the Operating
System" right to do this. How much risk is there to doing this?
Basically, how secure is the ASPNET user account password?
--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.
EmailID = varnk
Domain = Diebold.com
-----------------------------------
an concerned about site security and would like it if someone can explain
the security of the ASPNET user. In particular, is the password managed
automatically in the same way as the IIS password for the anonymous user
account? If this is true, how is the password managed? Is it re-generated
every-so-often or only once at installation?
Also, I have read various articles on different ASP.NET windows forms
authentication methods. Some code examples use the Win32 LogonUser()
function for WindowsIdentity account validation. Some of these code samples
indicate that the ASPNET user must be granted "Act as Part of the Operating
System" right to do this. How much risk is there to doing this?
Basically, how secure is the ASPNET user account password?
--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.
EmailID = varnk
Domain = Diebold.com
-----------------------------------