
Dotnetpanel Forums

Community support forums for DotNetPanel products

DNP Identity Question

Last post 03-20-2008 8:47 AM by yoda-ict. 23 replies.
  • 03-09-2008 9:05 PM

    DNP Identity Question

    It appears that new websites are being created with the App Pool and the website's anonymous user being the same.

    My understanding was that the App Pool identity would be the identity the ASPNET app would run in (instead of ASPNET or NETWORK SERVICE).

    If this is the case, then isn't this a problem when, for example, an ASPNET application needs write access to a subdirectory (which, of course, you would not want to grant to anonymous web users)?

    When I used Plesk (yuck) it created separate identities.  I assume DNP needs to do the same, but I have not seen a configuration option for that, and on the few I've set up so far it seems to be using the same identity for the app pool and anonymous web user.

    Thanks.

    Joe Vest
    Workhorse Technical
  • 03-11-2008 3:48 PM In reply to

    Re: DNP Identity Question

    Anyone at all? Any help here?

    thanks!

    Joe Vest
    Workhorse Technical
  • 03-11-2008 5:25 PM In reply to

    Re: DNP Identity Question

    Web site anonymous account should be different for each web site.

    However, if you would like to place each web site into its own application pool, you should enable the "Dedicated Pool" option.

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses
  • 03-11-2008 5:41 PM In reply to

    Re: DNP Identity Question

    Yes, it is using a separate identity for each web site.

    And it does create a separate app pool when "dedicated pool" is used.

    So all okay there.

    Problem (?) is ...

    it appears to be using the same identity for the app pool that it uses for website.

    My understanding is that ASPNET WP runs in the app pool identity.  The WP identity needs permissions on folders sometimes that should not be granted to anonymous web user - for example, WP needs write access to a folder, which would never be permissible for a web user.

    I hope this makes sense.  If my understanding of the WP identity is incorrect, please tell me which identity is being used, but everything I have seen says that WP is from the app pool.

    How do we configure DNP to create one identity for the website anonymous user and one separate identity for the app pool / WP?

    Thanks!

    Joe Vest
    Workhorse Technical
  • 03-13-2008 2:09 PM In reply to

    Re: DNP Identity Question

    help??

    Joe Vest
    Workhorse Technical
  • 03-13-2008 2:23 PM In reply to

    Re: DNP Identity Question

    At the moment you can't make it to have two separate identities.

    But actually it's not a problem. Actually, the web site anonymous account doesn't make any sense when applied to ASP.NET, but it starts playing a role when you run PHP or Perl.

    In IIS 7 you have one identity, i.e. pool identity.

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses
  • 03-13-2008 2:36 PM In reply to

    Re: DNP Identity Question

    My understanding - tell me if this is wrong - is that ASPNET application will be running in the identity of the app pool, yes?

    So permissions applied to that identity will apply to the ASPNET application.

    So for example, if I have a folder  /wwwroot/config/  that I wish for ASPNET application to have WRITE permissions to, I need to grant WRITE permissions on that folder to the identity that ASPNET will be running in.

    But I absolutely do not want the anonymous user for IIS to have WRITE permissions on that folder, of course.

    Does that make sense?

    How do I work in this scenario?

    Joe Vest
    Workhorse Technical
  • 03-13-2008 2:48 PM In reply to

    Re: DNP Identity Question

    Yep, that's correct. All ASP.NET related requests authenticate under pool identity and all static requests for .htm and graphics are under anonymous one.

    However, it seems to me having two separate identities for web site and pool in the dedicated pool scenario leads to administrative overhead. More identities - more chances to make an error ;) No?

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses
  • 03-13-2008 3:03 PM In reply to

    Re: DNP Identity Question

    I agree about overhead and maintenance issues, but consider the example I showed, where ASPNET needs write access to a folder but anonymous users must not have such access ... how are we to assign higher privileges to ASPNET than to anonymous if they are running in the same identity??

    The only other control panel I have used is Plesk, which assigns separate users to app pool / anonymous user.  It requires more work to keep track, but I cannot think of a method to properly secure the application otherwise.

    Please advise.

    Joe Vest
    Workhorse Technical
  • 03-13-2008 3:42 PM In reply to

    Re: DNP Identity Question

    Yep, it can't be done within DNP at the moment.

    Look, if there is a hole in the web site, it doesn't matter where it is: in the ASP.NET app or PHP - an intruder would gain access to the data anyway.

    The main goal of different anonymous accounts and app pools is to isolate the given web site from its tenants.

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses
  • 03-13-2008 4:08 PM In reply to

    Re: DNP Identity Question

    Whoa!  That's a glaring problem.  Like, the kind that requires a "surgeon general's warning" on your website before people purchase and invest in this.

    Feodor Fitsner:

    Look, if there is a hole in the web site, it doesn't matter where it is: in the ASP.NET app or PHP - an intruder would gain access to the data anyway.

    The particular question quoted deals with neither holes nor intruders nor gaining access to data.

    The question is simply this:   How do you propose to accommodate the described scenario?

    It is a very common and reasonable scenario, I honestly can't imagine you haven't been asked about this before.

    An ASPNET application needs write access to a folder.  Anonymous web user must NOT be allowed write access to that folder.  This is a common situation.  It's also an easily resolved situation ... the worker identity needs to be different from the anonymous identity.

    If this is done properly - i.e. with separate identities - then there is no hole, there is no method for intruder to gain access.

    The hole is that the same identity is being used for anonymous and ASPNET access.  That is a serious hole.

    This is an urgent situation ... with a serious hole like that, we can't host any real applications (or at least certainly not any that have sensitive information like ecommerce and such).

    How can we fix this? 

    Thanks

    Joe Vest
    Workhorse Technical
  • 03-13-2008 5:10 PM In reply to

    Re: DNP Identity Question

    At the moment I don't see any easy way of doing this in DNP, sorry. I think it is a subject for further improvements.

    Anyway, I wouldn't be so categorical as to identify this feature as critical...

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses
  • 03-13-2008 7:55 PM In reply to

    Re: DNP Identity Question

    Feodor,

    I do not mean to seem harsh.  However, this seems to be a fairly significant oversight, not just a "would be nice" feature.

    I doubt anyone would argue that best practices for ASPNET website security would call for separate identities for the worker process and the anonymous user. 

    Just because this flaw in DNP is difficult for your coder to fix does not make it non-critical.

    Thought:  Does DNP maintain information about the identities it creates for websites, or does it simply use that information at creation and not need it after that?  If it does not need to maintain the identity information, it should be a very simple patch to insert creation of a second identity to assign to the app pool.  If it must maintain the details of the identities, then I can see how it would require significantly more coding to accommodate storing and retrieving that information.

    Now, my original question remains:

    *IF* this (separate identities) is not critical, then someone please explain HOW to allow ASPNET to write to a directory without allowing anonymous web users to write to the directory.  If that cannot be done, then it IS indeed a significant problem. 

    I'm not making a theoretical argument here.  I have clients who want major, widely known ASPNET applications installed on their websites, and those websites require the ability for ASPNET to write to the directory structure under web root.

    For me to have to manually create new identities, reassign the app pool, copy over permissions, etc. seems like a lot to ask when this is, after all, the reason we pay lots of money for a control panel.  Sure, we can do all of these tasks ourselves, but we want it automated and simplified.

    Soooooooo .........  where does that leave us?  There's a big potential security hole in ASPNET websites created using DNP.  The steps that DNP's code needs to take to eliminate this problem (second identity) are clear and not difficult.  So what can we do here?

    Thank you

    Joe Vest
    Workhorse Technical
  • 03-19-2008 12:58 PM In reply to

    Re: DNP Identity Question

    Feodor,

    As the DNP expert, can you suggest either:

    1. A way to cause DNP to create separate identities for ASPNET / anonymous user, or

    2. Another way to secure folders within wwwroot to allow ASPNET to read/write while preventing anonymous web user from doing so.

    Either one of those would solve this issue.  Personally, I do not know of any way to secure an ASPNET application that writes files except by use of separate identity.  Your input would be greatly appreciated.

    Thanks!

    Joe Vest
    Workhorse Technical
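One way to get the two-identity setup this post asks for on a plain IIS 7 box, as an added example that is not DNP's code or anything posted in this thread: a PowerShell script that creates one local account for the application pool and a different one for anonymous authentication, grants only the pool account Modify on the config folder, and then checks the resulting ACL. The site name, pool name, account names and paths are assumptions; the pool is assumed to already exist under the site's name.

```powershell
# Added example (not DNP's code). Separate the ASP.NET worker identity from the
# anonymous web user so /wwwroot/config is writable by ASP.NET only.
# Assumed names below; run in an elevated prompt on IIS 7 or later.
param(
    [string]$SiteName = 'example.com',                       # IIS site AND app pool name (assumed)
    [string]$SiteRoot = 'C:\inetpub\wwwroot\example.com',    # site home directory (assumed)
    [string]$PoolUser = 'svc_example_pool',                  # worker process account (assumed)
    [string]$AnonUser = 'svc_example_anon'                   # anonymous web user account (assumed)
)
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Two distinct local accounts. Passwords are generated here, handed to IIS
#    once (IIS stores them encrypted in applicationHost.config) and never echoed.
function New-RandomPassword {
    -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
}
$poolPwd = New-RandomPassword
$anonPwd = New-RandomPassword
net user $PoolUser $poolPwd /add /y | Out-Null
net user $AnonUser $anonPwd /add /y | Out-Null

# 2. The application pool (and therefore every ASP.NET request) runs as the pool account.
& $appcmd set apppool "/apppool.name:$SiteName" '/processModel.identityType:SpecificUser' `
    "/processModel.userName:$PoolUser" "/processModel.password:$poolPwd"

# 3. Static requests (.htm, images) authenticate as the anonymous account.
& $appcmd set config $SiteName `
    '/section:system.webServer/security/authentication/anonymousAuthentication' `
    "/userName:$AnonUser" "/password:$anonPwd" '/commit:apphost'

# 4. NTFS: both accounts may read/execute the site; only the pool account may modify config.
icacls $SiteRoot /grant "${AnonUser}:(OI)(CI)RX" "${PoolUser}:(OI)(CI)RX" | Out-Null
icacls "$SiteRoot\config" /grant "${PoolUser}:(OI)(CI)M" | Out-Null

# 5. Verification: does an Allow ACE for the account carry any Write right?
function Test-FolderWritableBy {
    param([string]$Path, [string]$User)
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.IdentityReference.Value -like "*\$User" -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}
# The pool account must be able to write the folder; the anonymous account must not.
"$PoolUser can write $SiteRoot\config : " + (Test-FolderWritableBy "$SiteRoot\config" $PoolUser)
"$AnonUser can write $SiteRoot\config : " + (Test-FolderWritableBy "$SiteRoot\config" $AnonUser)
```

Test-FolderWritableBy only inspects explicit and inherited Allow entries for the named account, so an account that gains write access through a group membership would not be reported; check group-granted ACEs separately if the site root ACL is inherited from a shared parent.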
  • 03-19-2008 8:03 PM In reply to

    Re: DNP Identity Question

    What ASP.NET application does require a write access? Typically, most database-driven applications don't require write access.

    Sincerely yours,
    Feodor Fitsner, Director
    DotNetPanel - professionally developed software for hosting businesses