Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does user write permissions to the Temporary ASP.NET Files folder pose any security problems?

Tags:

security

asp.net

I am experiencing assembly binding failures due to insufficient permissions to the Temporary ASP.NET Files folder.

The application uses (web.config) Forms authentication with Impersonate = True and IIS Windows Integrated Authentication.

According to ASP.NET Identity Matrix, this means that the WindowsIdentity resolves to Domain\UserName and according to ASP.NET Required Access Control Lists (ACLs), the WindowsIdentity requires read/write permissions to the Temporary ASP.NET Files folder.

Using the Fusion log viewer, I can confirm that the assembly binding failure is due to Domain\UserName (belonging to the "Users" group in security) only having read permissions to this folder, but not write permissions.

The questions are:

Are there any security implications of assigning write permissions to the Temporary ASP.Net Files folder?

Is such a server configuration change commonly used? If not, why would WindowsIdentity resolve to Domain\UserName for this combination of web.config settings - or should this combination not be used in this context?

Note: The problem only occurs if a non-admin user is the first to hit the page. If the assembly has already been compiled and stored in Temporary ASP.NET Files due to an admin user hitting the page, there are no problems for subsequent users. I do NOT wish to place the assemblies in the GAC.

like image 447
Joergen Bech Avatar asked Nov 15 '22 15:11

Joergen Bech

1 Answers

ASP.NET requires write permission to the Temporary ASP.NET files folder, it shouldn't be a security risk providing you only grant permission to that folder and not any higher as it sits within the c:\windows folder.

This MSDN article about securing ASP.NET applications recommends granting full control to the temporary compilation directory to the ASP.NET process identity. I've quoted the relevant section:

By default, temporary files are created and compiled in the following directory:

%winnt%\Microsoft.NET\Framework{version}\Temporary ASP.NET Files

You can specify the location on a per application basis using the tempDirectory attribute, although this provides no security benefit.

Note The ASP.NET process identity specified on the element requires Full Control access rights on the temporary compilation directory.

like image 163
Steve Temple Avatar answered Dec 10 '22 18:12

Steve Temple
Sign in to Comment

Related questions

Disable automatic redirect to https iis
RaisePostBackEvent not firing
Out of Memory - Infinite Loop - ASP.NET AJAX Framework
Any issues running a daemon via XSP2?
best way to consume a webservice in an asp.net code behind
.net http handler redirect to rtmp and flex
Call function in User Control from code behind of the page
How to implement PodPress in .NET (just like StackOverflow Blog)
Storing word documents
Page to obtain browser and connection information
ASP.NET AJAX Progress Bar: Update from Code Behind?
how do you refresh references in ASP.NET applications without visual studio?
Embed Web Widget(?) in Web Page
Can OWIN middleware use the http session?
How can I setup a friendly email name in the MailSetting section of web.config?
Could not load file or assembly System.Web.Http, Version=5.2.2.0

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!