Re: A few file upload questions




For an Intranet site, you can set the application to impersonate the browsing user's account. This is not the usual way of running, and wouldn't work for an Internet site. Since you added the machine account to the folder permissions and it's working now, your site must be running under the machine account. So you're all set.

Someone with more experience will hopefully suggest security learning resources. I have a (large) book recommended by others titled "ASP.Net 3.5 Unleashed" which I've found helpful in general, not specifically for security.

"Keith G Hicks" <krh@xxxxxxxxxxx> wrote in message news:eyvpPC4gIHA.6092@xxxxxxxxxxxxxxxxxxxxxxx
I found an "ASP.net machine account" in my Windows security (I'm guessing
that IIS added that when I installed IIS either that or one of the .net
frameworks did it - I'm far from a security expert so I really don't know).
I added that to the permissions for the 2 folders in question and gave them
write permission in Windows. That did the trick so far.

So it sounds like I should move my 3 image upload folders under the App_Data
folder. I do recall seeing something about not recompiling if things are
under that folder but that was a while ago before I got into this side of
things.

I'm unclear about this line from what you wrote below:

"Unless your website is impersonating the browsing user, the user who does
the writing and therefore needs permissions on the folder where you're
putting the files is the user account that's running your website."

I don't know what you mean by a website impersonating the browser user. Are
you talking about this:
http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx? I need to
find a good place to get a clear general understanding of asp.net security.
I know how to set up users/roles/rules, etc but beyond that I'm very much a
novice. Any suggestions on where to get a good basic overview (not looking
for a 1000 page book!!!) would be great.

Thanks,

Keith

"Paul Shapiro" <paul@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:#6fT1iygIHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
I'm also new at asp.net, but I've been working on similar issues. Unless
your website is impersonating the browsing user, the user who does the
writing and therefore needs permissions on the folder where you're putting
the files is the user account that's running your website. The account
depends on which version of IIS you're running, and for some IIS versions it
also depends on the IIS process isolation level you set for the website. On
older IIS versions, for example, it used to be IUSR_MachineName or
IWAM_MachineName. It's sometimes identified as the Anonymous user. You can
perhaps find it by checking the documentation in your version of IIS
Manager, or searching on google.

I saw a suggested location for file uploads as a folder under the App_Data
built-in folder. Two main reasons: A) ASP.Net will not let a browser access
files under App_Data - it's a protected folder. So the only way anyone gets
to those files is if you either move the files to an accessible folder or
write a bit of code to stream the file to the user's browser. It leaves you
in good control of the files. B) If you deploy your site pre-compiled,
uploading a file to any folder NOT under App_Data will cause the site to
recompile. ASP.Net is watching the file system for any site changes, and it
doesn't know that your uploaded files don't count. But it doesn't watch
anything under App_Data.
Paul Shapiro

"Keith G Hicks" <krh@xxxxxxxxxxx> wrote in message
news:OdT6gyvgIHA.4076@xxxxxxxxxxxxxxxxxxxxxxx
> OK. As far as the first question goes (I still would like help on the 2nd
> one) - I changed the permissions on the folder security in Windows (not
> IIS) to all "Everyone" write access and now it works. I even changed the
> permission on the same folder in IIS back to where Write is unchecked. The
> upload still works. So I guess I'm not clear on what the "write" checkbox
> in IIS is doing. I'm also not sure WHO actually needs permission on that
> folder from within Windows. Obviously setting it to "everyone" is overkill
> but that was the easiest way for me to test it. How do I set it so that the
> user that's logged into the web app can do an upload? Do I need to set up a
> user in Windows that synchs up with whoever is logged into my asp.net app?
> I'm using Forms authentication, not Windows (in the asp.net app). One thing
> I don't understand is that I'm the administrator on this development
> machine. In Windows, I have full access to the folder in question. So how
> does that line up with what's going on in IIS? I'm not really sure if I'm
> even asking the right questions here so please be kind.
>
> Thanks,
> Keith
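
Added example, not part of any post in this thread: one way to implement the App_Data approach described in Paul Shapiro's message, saving image uploads under a server-generated name and streaming them back through a handler, since ASP.NET will not serve that folder directly. The `~/App_Data/uploads` folder, the `id` query parameter and the class names are assumptions; the account running the site is the only one that needs write permission on that folder.

```csharp
// Added example (assumed names): App_Code/UploadStore.cs plus a Download.ashx handler class.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public static class UploadStore
{
    // Only names this code generated: 32 hex chars plus an allow-listed image extension.
    public static readonly Regex StoredName =
        new Regex(@"\A[0-9a-f]{32}\.(jpg|png|gif)\z");

    public static string Root(HttpContext ctx)
    {
        return ctx.Server.MapPath("~/App_Data/uploads"); // assumed folder
    }

    // Saves the upload under a generated name; returns it, or null if rejected.
    public static string Save(HttpContext ctx, HttpPostedFile file)
    {
        int dot = file.FileName.LastIndexOf('.');
        string ext = dot < 0 ? "" : file.FileName.Substring(dot).ToLowerInvariant();
        string name = Guid.NewGuid().ToString("N") + ext;
        if (file.ContentLength == 0 || !StoredName.IsMatch(name)) return null;
        file.SaveAs(Path.Combine(Root(ctx), name)); // client file name is never used as a path
        return name;
    }
}

public class Download : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string id = ctx.Request.QueryString["id"] ?? ""; // assumed parameter
        // Forms-authenticated users only; reject anything that is not a stored name.
        if (!ctx.Request.IsAuthenticated) { ctx.Response.StatusCode = 401; return; }
        if (!UploadStore.StoredName.IsMatch(id)) { ctx.Response.StatusCode = 404; return; }
        string path = Path.Combine(UploadStore.Root(ctx), id);
        if (!File.Exists(path)) { ctx.Response.StatusCode = 404; return; }

        string ext = Path.GetExtension(id);
        ctx.Response.ContentType = ext == ".png" ? "image/png"
                                 : ext == ".gif" ? "image/gif" : "image/jpeg";
        ctx.Response.AddHeader("X-Content-Type-Options", "nosniff");
        ctx.Response.TransmitFile(path); // streams the file from App_Data
    }
}
```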



