RE: VS 2008, IIS and Vista debugging



Hi Eric,

Sorry to keep you waiting.

I have discussed this issue with the VS debugger team and several other
security experts. Actually, there are a lot of scenarios that may need
Admin rights:
1. You need to be an admin to debug another user's process. (The ACL setting
on the kernel process object will only grant access to its creator account.)
2. You normally need to be an admin to update IIS config, or to write to
inetpub.
3. You need to be an admin for certain cross-session operations. (This is
due to the Session 0 isolation feature in Vista.)

So, our recommendation: If you want to do non-admin, stick to File-system
webs.

It is possible to edit IIS configuration as a Non-admin but you have to do
some ACL management first:
http://blogs.msdn.com/jaredpar/archive/2005/02/04/367137.aspx

From a security perspective, there are ways to do asp.net same-box debugging
as a non-admin pre-Vista (e.g., running the app pool under your own account,
using the user-mode web server, etc.) but we do not recommend that. The
problem with doing work that way is kind of the same situation that leads
to LUA bugs: you're doing dev/test in an environment that is significantly
different from that of production. In this case, you're running a web app
using an interactive user account with its profile loaded, etc.

The way we prefer to work is to have IIS 6.0 on a separate machine
(typically a virtual machine), run Visual Studio as my usual non-admin
account, but connect to the web server using an account that is admin on
the web server. Either add your account to the admins group on that
server, or use "runas /netonly /u:IISBOX\adminaccount devenv.exe" so that
you remain you locally but authenticate as the remote admin when you
connect to the web server.

Hope this makes sense to you.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
