.Net Security Hole Problem - clients read each other's files

I am trying to preclude web clients from reading each other's folders and files on a public web hosting server running W2k server. They can read each other's files/folders by using simple .Net script and the System.IO FileInfo and DirectoryInfo classes. The best I was able to do was to:
1. Create separate ISUSR accounts for anonymous access for each web site
2. Change Impersonate="true" in the machine config file
3. Allow access to each client's folder to that client's specific ISUSR account, System, ASPNET and Administrator

The task was accomplished. However, if any of the users puts an entry impersonate="false" in their web site's web.config file, it overwrites the setting in the machine.config file and the user can see everybody else, because the ASPNET account becomes the authenticator and it is set up to have access to each user's folder. I can not remove it because the aspx scripts stop running regardless of any other settings.

How do I preclude web users from seeing each other's folders?

Reduce the trust level for ASP.NET applications as per http://msdn.microsoft.com/library/en-us/cpguide/html/cpconASPNETCodeAccessSecurity.asp. For example, the default medium trust level will restrict FileIOPermission to a given application's own directory. That said, your clients would still be able to use COM types like FileSystemObject from standard ASP pages, so forcing each client site to map to a different anonymous user with appropriately restricted permissions would still be a very good idea.

"IIS.NetNightmare" <IISNetNightm***@discussions.microsoft.com> wrote in message news:471640AB-25BD-4894-BE93-D533D203D7C4@microsoft.com...
> I am trying to preclude web clients from reading each other's folders and
> files on a public web hosting server running W2k server. They can read each
> other's files/folders by using simple .Net script and System.IO FileInfo
> and DirectoryInfo classes.
> The best I was able to do was to
> 1. Create separate ISUSR accounts for anonymous access for each web site
> 2. Change Impersonate="true" in the machine config file
> 3. Allow access to each client's folder to that client's specific ISUSR
> account, System, ASPNET and Administrator
>
> The task was accomplished. However, if any of the users puts an entry
> impersonate="false" in their web site's web.config file, it overwrites the
> setting in the machine.config file and the user can see everybody else,
> because the ASPNET account becomes the authenticator and it is set up to have
> access to each user's folder. I can not remove it because the aspx scripts
> stop running regardless of any other settings.
>
> How do I preclude web users from seeing each other's folders?
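The reply recommends lowering the trust level, and the original problem is that a per-site web.config can override machine.config. ASP.NET lets the administrator make settings final by wrapping them in a `<location>` element with `allowOverride="false"`; a web.config that tries to change a locked setting then produces a configuration error instead of silently winning. The fragment below is an added example for a machine.config on an ASP.NET 1.x host, not configuration from the thread; it locks both the trust level and impersonation for every application on the server, which is what the asker's hosting setup needs.

```xml
<!-- machine.config fragment (added example). A <location> with no path
     attribute and allowOverride="false" applies to every application on the
     server and cannot be changed by any site's web.config. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <!-- Medium trust limits FileIOPermission to the application's own
           directory; code in clientA's site cannot open clientB's files
           through System.IO even if the account running the request has
           NTFS access to them. -->
      <trust level="Medium" originUrl="" />

      <!-- Keep impersonation on so each request runs as that site's own
           anonymous account (the per-site IUSR-style accounts the asker
           already created) rather than as the shared ASPNET account. A
           client who adds <identity impersonate="false"/> to their
           web.config now gets a configuration error, not a way around it. -->
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
```

Trust levels only constrain managed code, so the caveat in the reply still stands: classic ASP pages and COM objects such as FileSystemObject run with the Windows permissions of the request's account, which is why the per-site anonymous accounts and the NTFS ACLs that grant each account only its own folder remain the second, independent control.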