
What are the dangers of giving the Network Service account read/write permissions to your ASP.NET Web application?

What are the dangers of giving the Network Service account read/write permissions to your ASP.NET Web application? I have to do this for any directory that my app needs to write to, like App_Data for my VistaDb database and some random directories to upload images and make changes to text files, etc. What is the danger in doing this? And is it acceptable to just grant read/write perms to the entire Web application for Network Service?

RichC asked Dec 17 '08 18:12



2 Answers

The biggest security risk of giving the Network Service Account write permissions to folders is experienced in Shared Hosting or when you run multiple websites on the same server.

Basically, if you grant modify permissions, then every other ASP.NET application on that server configured to run as Network Service (all by default) will also have write permissions to that folder, which could be exploited.

splattne answered Nov 03 '22 00:11


The danger of doing this is that Network Service is a shared account and any application or service running under this account would have access to that directory.

Depending on what version of IIS you are using, you can place the web application in a separate application pool and have it run under a different user account. Then, you can grant access specifically to that user and not Network Service. This is only available in IIS 6 or later.

DCNYAM answered Nov 02 '22 22:11
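The approach from the last answer as a PowerShell sketch; this is an added example, not code from the question or either answer. It audits a site for folders Network Service can write to, then grants Modify on only the writable folders to a dedicated account. The site path, the account name, the `Uploads` folder and the assumption that the application pool already runs as that account are all illustrative.

```powershell
# Added example; the path and account below are assumptions, not values from the page.
$SiteRoot     = 'C:\inetpub\wwwroot\MyApp'   # assumed site root
$AppAccount   = 'WEBSRV01\svc_myapp'         # assumed dedicated app-pool identity
$WritableDirs = 'App_Data', 'Uploads'        # only the folders the app must write to

$NetworkServiceSid = 'S-1-5-20'              # well-known SID of NT AUTHORITY\NETWORK SERVICE
# Rights that allow changing content or the ACL itself, plus the raw
# GENERIC_WRITE / GENERIC_ALL bits that can appear in stored ACEs.
$WriteBits = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Find-SharedWriteAccess([string]$Root) {
    # Check the root and every directory below it; compare by SID so the
    # result does not depend on the display language of the account name.
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq $NetworkServiceSid -and
                ([int]$ace.FileSystemRights -band $WriteBits) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed on the parent
                }
            }
        }
    }
}

function Grant-AppWriteAccess([string]$Root, [string[]]$SubDirs, [string]$Account) {
    $shared = New-Object System.Security.Principal.SecurityIdentifier $NetworkServiceSid
    foreach ($sub in $SubDirs) {
        $path = Join-Path $Root $sub
        $acl  = Get-Acl -LiteralPath $path
        # Modify for the dedicated account, inherited by files and subfolders.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $acl.PurgeAccessRules($shared)   # drops explicit Network Service ACEs only
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

Find-SharedWriteAccess $SiteRoot | Format-Table -AutoSize          # 1. audit
Grant-AppWriteAccess $SiteRoot $WritableDirs $AppAccount           # 2. scope write access
Find-SharedWriteAccess $SiteRoot | Format-Table -AutoSize          # 3. re-audit
```

Any rows left after the second audit with `Inherited` set to True come from a parent folder's ACL, so they have to be removed there rather than on the folder listed.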