Re: Having ASPNET member of Administrators

From: Kevin Spencer (kevin_at_DIESPAMMERSDIEtakempis.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 15:36:42 -0500


> So much for the principle of least privilege...

The principle of least privilege. Where did you find that?

I believe in principles. In general, where security is the issue, the
principle is, use the security that you need. For example, my company owns
their own servers and doesn't host. We run ASP.Net under the System account.
Now, if you have a problem with that, you might want to rethink whether
almost all of your local machine applications should run under the System
account (they do).

Microsoft ships all of their software locked down to prevent support calls
and complaints from security issues. In other words, if you open it, you're
responsible for it. That doesn't mean that on every computer every security
setting should be locked down tight. Nothing would run. It means that
security should be configured with full knowledge of the issues involved.

If it were always a bad idea to run ASP.Net under the System account,
Microsoft wouldn't have bothered to make that option available. Making the
ASP.Net account a Network Admin has much the same effect. I agree, he's
painting with a broad brush, but the objective is to prevent spills, not to
paint with the smallest brush possible.

-- 
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
"Matt Berther" <mberther@hotmail.com> wrote in message 
news:7993693632425144622166429@news.microsoft.com...
> Hello Kevin,
>
> So much for the principle of least privilege...
>
> Jeff: What problems are you encountering that you feel that this is 
> necessary?
>
> --
> Matt Berther
> http://www.mattberther.com
>
>> If you own the server, and you're not running anyone else's ASP.Net
>> apps with it, sure, it won't hurt.
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> Neither a follower nor a lender be.
>> "Jeff Robichaud" <jfrobichaud@gmail.com> wrote in message
>> news:OkRtblWBFHA.3120@TK2MSFTNGP12.phx.gbl...
>>
>>> Are there any security issues having the ASPNET user account member
>>> of Administrators ? Is it a good practice ?
>>>
>
>
> 

