Re: Having ASPNET member of Administrators

From: Jeff Robichaud (jfrobichaud_at_gmail.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 16:12:02 -0500

Here's the short story: I'm a consultant, and in my current contract I've
seen a server having ASPNET as an Administrator. I felt it was risky but did
not know exactly why. Investigation led me to learn that the reason for this
is that some exception handling mechanism has to write to the Event Log, and
the first time it does, it has to write a key in the registry, thus it has
to have admin rights (well, in fact I think the key should be created using an
installation program or by hand, not the first time the app crashes). So in
our development environment here we did not bother removing the ASPNET
account from Administrators. But in the final production environment I just
wanted to know what security issues could be involved in being set up this
way. So basically my question was: "In saying that having the ASPNET
account a member of Administrators might be risky, can someone define the word
'risky' in this context? What evil can happen?"

"Kevin Spencer" <kevin@DIESPAMMERSDIEtakempis.com> wrote in message
news:Ox0bUkXBFHA.2076@TK2MSFTNGP15.phx.gbl...
>> So much for the principle of least privilege...
>
> The principle of least privilege. Where did you find that?
>
> I believe in principles. In general, where security is the issue, the
> principle is, use the security that you need. For example, my company owns
> their own servers and doesn't host. We run ASP.Net under the System
> account. Now, if you have a problem with that, you might want to rethink
> whether almost all of your local machine applications should run under
> the System account (they do).
>
> Microsoft ships all of their software locked down to prevent support calls
> and complaints from security issues. In other words, if you open it,
> you're responsible for it. That doesn't mean that on every computer every
> security setting should be locked down tight. Nothing would run. It means
> that security should be configured with full knowledge of the issues
> involved.
>
> If it were always a bad idea to run ASP.Net under the System account,
> Microsoft wouldn't have bothered to make that option available. Making the
> ASP.Net account a Network Admin has much the same effect. I agree, he's
> painting with a broad brush, but the objective is to prevent spills, not
> to paint with the smallest brush possible.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> Neither a follower nor a lender be.
>
> "Matt Berther" <mberther@hotmail.com> wrote in message
> news:7993693632425144622166429@news.microsoft.com...
>> Hello Kevin,
>>
>> So much for the principle of least privilege...
>>
>> Jeff: What problems are you encountering that you feel that this is
>> necessary?
>>
>> --
>> Matt Berther
>> http://www.mattberther.com
>>
>>> If you own the server, and you're not running anyone else's ASP.Net
>>> apps with it, sure, it won't hurt.
>>>
>>> Kevin Spencer
>>> Microsoft MVP
>>> .Net Developer
>>> Neither a follower nor a lender be.
>>> "Jeff Robichaud" <jfrobichaud@gmail.com> wrote in message
>>> news:OkRtblWBFHA.3120@TK2MSFTNGP12.phx.gbl...
>>>
>>>> Are there any security issues having the ASPNET user account member
>>>> of Administrators ? Is it a good practice ?
>>>>
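The post identifies the real cause of the "needs admin" requirement: the first EventLog.WriteEntry for a new source creates a registry key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, and that one-time write is what needs elevated rights. The following is an added example, not code from anyone in this thread, showing the deployment-time fix Jeff suggests (create the event source once from an installer or by hand, as an administrator) together with a check for the risky condition itself (the worker account sitting in the local Administrators group). The source name 'MyWebApp' and the worker account name 'ASPNET' are assumptions; substitute your own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Run once at deployment time
# (e.g. from an installer), NOT from the web application at its first crash.
# Assumed names: event source 'MyWebApp', ASP.NET 1.1 worker account 'ASPNET'.
param(
    [string]$Source  = 'MyWebApp',      # assumed event source name
    [string]$LogName = 'Application',   # standard log the web app writes to
    [string]$Worker  = 'ASPNET'         # local account the worker process runs as
)

# 1. The "risk" check: is the worker account a member of local Administrators?
#    'net localgroup' works on every Windows version back to the one in the
#    thread; on PowerShell 5.1+ Get-LocalGroupMember does the same job.
$members = (net localgroup Administrators) 2>$null
if ($members -match "^\s*$([regex]::Escape($Worker))\s*$") {
    Write-Warning "$Worker is in Administrators: any code an attacker can make the web app run is running as an administrator."
}

# 2. The fix described in the post: create the event source ahead of time.
#    CreateEventSource writes HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source>,
#    which is the registry write that otherwise happens at first WriteEntry.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    Write-Host "Created event source '$Source' in the $LogName log."
} else {
    Write-Host "Event source '$Source' already exists."
}

# 3. Verify the key is there, so the application never has to create it.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
if (-not (Test-Path $key)) {
    throw "Expected registry key $key was not created."
}

# 4. Write a test entry. Once the source exists, WriteEntry only appends to the
#    log and needs no registry write, so the worker account does not need admin.
[System.Diagnostics.EventLog]::WriteEntry(
    $Source,
    "Event source '$Source' pre-created at deployment; no elevation needed at runtime.",
    [System.Diagnostics.EventLogEntryType]::Information)
```

The same one-time step can be done from a .NET installer class with System.Diagnostics.EventLogInstaller, which is what installutil.exe runs under an administrator's credentials at install time. After the source exists, the ASPNET account can be removed from Administrators and the application's exception handler keeps working; if WriteEntry then fails with a security exception, it is because the source name in code does not match the one created here, not because admin rights are required.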