Re: How is the ASPNET password managed?

From: Cowboy $Gregory A. Beamer$ [MVP] (NoSpamMgbworld_at_comcast.netNoSpamM)
Date: 08/30/04

Next message: Mythran: "Re: Including a file in code behind?"
Previous message: Cowboy $Gregory A. Beamer$ [MVP]: "Re: server.mappath in a vb class"
In reply to: Ken Varn: "How is the ASPNET password managed?"
Next in thread: Scott Allen: "Re: How is the ASPNET password managed?"
Reply: Scott Allen: "Re: How is the ASPNET password managed?"
Messages sorted by: [ date ] [ thread ]

Date: Mon, 30 Aug 2004 10:29:53 -0500

It is system created and uses a one-way algorythm. You can set the password
yourself, if you wish (machine.config file). There is also an
IUSR_ComputerName account for IIS, which you can control, if you so desire.
In most instances, it is better to let the machine control both. If the
pwd(s) are compromised, the machine is already owned by someone else.

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
************************************************
Think Outside the Box!
************************************************
"Ken Varn" <nospam> wrote in message
news:e2eeJspjEHA.3844@TK2MSFTNGP12.phx.gbl...
> I notice that ASP.NET has a user that runs on its behalf (ASPNET user).  I
> an concerned about site security and would like it if someone can explain
> the security of the ASPNET user.  In particular, is the password managed
> automatically in the same way as the IIS password for the anonymous user
> account?  If this is true, how is the password managed?  Is it
re-generated
> every-so-often or only once at installation?
>
> Also, I have read various articles on different ASP.NET windows forms
> authentication methods.  Some code examples use the Win32 LogonUser()
> function for WindowsIdentity account validation.  Some of these code
samples
> indicate that the ASPNET user must be granted "Act as Part of the
Operating
> System" right to do this.  How much risk is there to doing this?
>
> Basically, how secure is the ASPNET user account password?
>
> -- 
> -----------------------------------
> Ken Varn
> Senior Software Engineer
> Diebold Inc.
>
> EmailID = varnk
> Domain = Diebold.com
> -----------------------------------
>
>

Next message: Mythran: "Re: Including a file in code behind?"
Previous message: Cowboy $Gregory A. Beamer$ [MVP]: "Re: server.mappath in a vb class"
In reply to: Ken Varn: "How is the ASPNET password managed?"
Next in thread: Scott Allen: "Re: How is the ASPNET password managed?"
Reply: Scott Allen: "Re: How is the ASPNET password managed?"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Server Error in /MyWebForm Application
... You know you can buy the Developer Edition of SQL 2000 for under $50. ... I can't find an ASPNET account. ... it will run under the ASPNET user. ... MSDE does NOT come with a GUI. ...
(microsoft.public.dotnet.framework.aspnet)
Re: I get "Access is denied" when I try to instantiate remotely a DCOM component
... to the DCOM application on the other computer. ... means every authenticated user, which of course, the foreign ASPNET account ... Then I created a new Windows account ... rights from Local Policies -> User Rights Assignment like ASPNET user. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: 1.1 sp1
... > does not work with FAT32 which my Computer is still using. ... Somebody else mentioned that SP1 hid their ASPNET user from the User ... non-hidden/system account on the machine. ...
(microsoft.public.dotnet.framework.aspnet)
Re: Server Error in /MyWebForm Application
... > SQL account and not Integrated Security. ... The ASPNET user is a local account on the webserver. ... server in same domain. ...
(microsoft.public.dotnet.framework.aspnet)
How is the ASPNET password managed?
... I notice that ASP.NET has a user that runs on its behalf (ASPNET user). ... an concerned about site security and would like it if someone can explain ... function for WindowsIdentity account validation. ... Some of these code samples ...
(microsoft.public.dotnet.framework.aspnet)