Re: A few file upload questions

Tech-Archive recommends: Fix windows errors by optimizing your registry

I found an "ASP.net machine account" in my Windows security (I'm guessing
that IIS added that when I installed IIS either that or one of the .net
frameworks did it - I'm far from a security expert so I really dont' know).
I added that to the permissions for the 2 folders in question and gave them
write permission inWindows. That did the trick so far.

So it sounds like I should move my 3 image upload folders under the App_Data
folder. I do recall seeing something about not recompiling if things are
under that folder but that was a while ago before I got into this side of
things.

I'm unclear about this line from what you wrote below:

"Unless your website is impersonating the browsing user, the user who does
the writing and therefore needs permissions on the folder where you're
putting the files is the user account that's running your website."

I don't know what you mean by a website impersonating the browser user. Are
you talking about this:
http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx? I need to
find a good place to get a clear general understanding of asp.net security.
I know how to set up users/roles/rules, etc but beyond that I'm very much a
novice. Any suggestions on where to get a good basic overview (not looking
for a 1000 page book!!!) would be great.

Thanks,

Keith

"Paul Shapiro" <paul@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:#6fT1iygIHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
I'm also new at asp.net, but I've been working on similar issues. Unless
your website is impersonating the browsing user, the user who does the
writing and therefore needs permissions on the folder where you're putting
the files is the user account that's running your website. The account
depends on which version of IIS you're running, and for some IIS versions
it
also depends on the IIS process isolation level you set for the website.
On
older IIS versions, for example, it used to be IUSR_MachineName or
IWAM_MachineName. It's sometimes identified as the Anonymous user. You can
perhaps find it by checking the documentation in your version of IIS
Manager, or searching on google.

I saw a suggested location for file uploads as a folder under the App_Data
built-in folder. Two main reasons: A) ASP.Net will not let a browser
access
files under App_Data- it's a protected folder. So the only way anyone gets
to those files is if you either move the files to an accessible folder or
write a bit of code to stream the file to the user's browser. It leaves
you
in good control of the files. B) If you deploy your site pre-compiled,
uploading a file to any folder NOT under App_Data will cause the site to
recompile. ASP.Net is watching the file system for any site changes, and
it
doesn't know that your uploaded files don't count. But it doesn't watch
anything under App_data.
Paul Shapiro

"Keith G Hicks" <krh@xxxxxxxxxxx> wrote in message
news:OdT6gyvgIHA.4076@xxxxxxxxxxxxxxxxxxxxxxx
OK. As far as the first question goes (I still would like help on the
2nd
one) - I changed the permissions on the folder security in Windows (not
IIS)
to all "Everyone" write access and now it works. I even changed the
permission on the same folder in IIS back to where Write is unchecked.
The
upload still works. So I guess I'm not clear on what the "write"
checkbox
in
IIS is doing. I'm also not sure WHO actually needs permission on that
folder
from within Windows. Obviously setting it to "everyone" is overkill but
that
was the easiest way for me to test it. How do I set it so that the user
that's logged into the web app can do an upload? Do I need to set up a
user
in Windows that synchs up with whoever is logged into my asp.net app?
I'm
using Forms authentication, not Windows (in the asp.net app). One thing
I
don't understand is tha I'm the administrator on this development
machine.
In Windows, I have full access to the folder in question. So how does
that
line up with what's going on in IIS? I'm not really sure if I'm even
asking
the right quesitons here so please be kind.

Thanks,
Keith



.

Relevant Pages

  • Re: Manually Created Web Site Does Not Work - What am I Missing?
    ... between my VS project - and therefore assembly names - and the IIS Web site. ... have the same name or folder structure as my VS project. ... The ASP.NET Dev Server runs as the Administrator account in VS 2008. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: OWA distorted
    ... list for the Exchsvr folder. ... The user can only access OWA when they have Domain Admin rights on ... if you hadn't changed the account used for Anonymous Access. ... synchronize it with the value in IIS Manager. ...
    (microsoft.public.exchange.admin)
  • Re: Anyone Familiar With Samba?
    ... If the application isolation settings on the folder containing the web ... IUSR_computername account. ... and also a copy of the password is cached in the IIS metabase [and both ... > use a Samba share from my Linux server as its web root. ...
    (microsoft.public.inetserver.iis.security)
  • Re: A few file upload questions
    ... Since you added the machine account to the folder permissions and it's working now, your site must be running under the machine account. ... that IIS added that when I installed IIS either that or one of the .net ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Help with configuration
    ... to redirect their My Documents folder to a share on the fileserver. ... GPo, if it is already redirecting by default? ... account profile is blank, also). ... Your GPO settings do not apply to your Terminal Server. ...
    (microsoft.public.windows.terminal_services)