ASP.NET Process Identity for ASP.NET Applications and Web Services Security

Source: Internet
Author: User
Tags: ntfs permissions

ASP.NET Web applications and Web Services run in a shared instance of the ASP.NET worker process (Aspnet_wp.exe). Process-level settings, including the process identity, are configured using the <processModel> element in Machine.config.

<processModel>

The identity of the ASP.NET worker process is configured using the userName and password attributes on the <processModel> element. When configuring the process identity:

• Use the default ASPNET account.
• Use a least-privileged custom account.
• Encrypt <processModel> credentials.
• Do not run ASP.NET as SYSTEM.

Use the default ASPNET account

The local ASPNET account is the default least-privileged account dedicated to running ASP.NET Web applications and Web Services. Where possible, use this account with the following default configuration:

<processModel enable="true" userName="machine" password="AutoGenerate" ... />
Use a least-privileged custom account

If you must use a custom account to run the ASP.NET worker process, make sure the account is configured as a least-privileged account. This limits the damage an attacker can do if they manage to execute code in the process security context.

You may decide to use a custom account because you need Windows authentication to connect to a remote Microsoft SQL Server database or to other network resources. Note that the local ASPNET account can also be used for this purpose. For more information, see the Data Access section later in this module.

For more information about the NTFS permissions required by the ASP.NET process account, see the ACLs and Permissions section later in this module.

The following user rights should also be granted to the ASP.NET process account:

• Access this computer from the network.
• Log on as a batch job.
• Log on as a service.
• Deny logon locally.
• Deny logon through Terminal Services.

Encrypt <processModel> credentials

If you use a custom account, do not store plain-text credentials in Machine.config. Use the Aspnet_setreg.exe utility to store encrypted credentials in the registry.

To encrypt <processModel> credentials

1. Run the following command from the command prompt:

aspnet_setreg -k:Software\YourApp\process -u:CustomAccount -p:StrongPassword

This command stores the encrypted credentials in the specified registry key and secures the key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.

2. Reconfigure the <processModel> element and add the following userName and password attributes:

<processModel userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password"/>

For more information, see Microsoft Knowledge Base Article 329290, "How To: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings".

Do not run ASP.NET as SYSTEM

Do not run ASP.NET under the SYSTEM account, and do not grant the "Act as part of the operating system" user right to the ASP.NET process account. Doing so violates the principle of least privilege and increases the damage an attacker can do by executing code in the Web application's process security context.


Impersonation

By default, ASP.NET applications do not use impersonation. When an application accesses Windows resources, it does so using the security context of the ASP.NET worker process account (ASPNET by default).

<identity>

The <identity> element is used to enable impersonation. You can impersonate:

• The original caller (the identity authenticated by IIS)
• A fixed identity

Impersonate the original caller

To impersonate the original caller, use the following configuration:

<identity impersonate="true" />

This impersonates the access token supplied by IIS that represents the authenticated caller. This may be the anonymous Internet user account (for example, if the application uses Forms authentication) or a Windows account representing the original caller (if the application uses Windows authentication).

If you do enable original caller impersonation, be aware of the following issues:

• Scalability of the application is reduced, because database connections cannot be pooled effectively.
• You must configure ACLs on backend resources for individual users, which increases the administration overhead.
• Delegation in Windows 2000 environments requires Kerberos authentication and appropriate configuration.

For more information, see "How To: Implement Kerberos Delegation for Windows 2000" in the "How To" section of Microsoft patterns & practices Volume I, Building Secure ASP.NET Web Applications: Authentication, Authorization, and Secure Communication, at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp (English).

Impersonate a fixed identity

To impersonate a fixed identity, specify the identity with the userName and password attributes on the <identity> element:

<identity impersonate="true" userName="MyServiceAccount" password="Str0ng!Passw0rd"/>

Do not store the credentials in plain text. Use the Aspnet_setreg.exe tool to encrypt the credentials and store them in the registry.

To encrypt <identity> credentials

1. Run the following command from the command prompt:

aspnet_setreg -k:Software\YourApp\identity -u:CustomAccount -p:StrongPassword

This command stores the encrypted credentials in the specified registry key and secures the key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.

2. Reconfigure the <identity> element and add the following userName and password attributes:

<identity impersonate="true" userName="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,password"/>

3. Use Regedt32.exe to set an ACL on the registry key above that grants Read permission to the ASP.NET process account.

For more information, see Microsoft Knowledge Base Article 329290, "How To: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings".

Act as part of the operating system

When a fixed identity is impersonated by specifying the userName and password attributes, the ASP.NET 1.0 process account must have the "Act as part of the operating system" user right on Windows 2000. Because this effectively elevates the ASP.NET process account to a level of privilege comparable to the local SYSTEM account, impersonating a fixed identity is not recommended for ASP.NET 1.0.

Note: If you are running ASP.NET 1.1 on Windows Server 2003 or Windows 2000 Server, you do not need this user right.
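The following script is an added example, not code from the original article or from Microsoft. It audits the two elements discussed above, <processModel> and <identity>, for the weaknesses the text warns about: a worker process configured to run as SYSTEM, a custom process account or fixed impersonation identity whose credentials sit in plain text in the configuration file, and the "registry:" references that Aspnet_setreg.exe expects in their place. The configuration fragments it checks are constructed for the example and are not real Machine.config files; treating an absent userName/password as the default ASPNET account is an assumption of the script.

```python
# Added example (not from the original article or Microsoft): an offline audit
# of the <processModel> and <identity> settings discussed above.  It flags a
# worker process that runs as SYSTEM, a custom process account or fixed
# impersonation identity whose credentials sit in plain text in the config
# file, and recognises the "registry:" references written by aspnet_setreg.
# The sample configuration fragments below are constructed for the example.
import xml.etree.ElementTree as ET

DEFAULT_USER = "machine"          # built-in ASPNET account (the page's default config)
DEFAULT_PASSWORD = "AutoGenerate"


def parse_registry_ref(value):
    """Split the aspnet_setreg form 'registry:HKLM\\<key>,<valueName>' into
    (key_path, value_name). Returns None for anything else, e.g. a literal
    password. Assumes references always name the HKLM hive, as on the page."""
    if not value or not value.lower().startswith("registry:"):
        return None
    key, sep, name = value[len("registry:"):].rpartition(",")
    if not sep or not key.upper().startswith("HKLM\\") or not name:
        return None
    return key, name


def audit_process_model(elem):
    """Findings for one <processModel> element, as (severity, message) tuples."""
    # Assumption: an absent attribute means the Machine.config default.
    user = elem.get("userName", DEFAULT_USER)
    pwd = elem.get("password", DEFAULT_PASSWORD)
    if user.upper() == "SYSTEM":
        return [("HIGH", "processModel: worker process runs as SYSTEM; use the ASPNET "
                         "account or a least-privileged custom account")]
    if user.lower() == DEFAULT_USER and pwd == DEFAULT_PASSWORD:
        return []                                 # default least-privileged account
    if parse_registry_ref(user) and parse_registry_ref(pwd):
        return []                                 # credentials encrypted by aspnet_setreg
    return [("HIGH", "processModel: custom account with plain-text credentials in "
                     "Machine.config; store them with aspnet_setreg and use registry: references")]


def audit_identity(elem):
    """Findings for one <identity> element, as (severity, message) tuples."""
    if elem.get("impersonate", "false").lower() != "true":
        return []
    user, pwd = elem.get("userName"), elem.get("password")
    if not user and not pwd:
        return []                                 # original-caller impersonation stores no secret
    if parse_registry_ref(user) and parse_registry_ref(pwd):
        return [("INFO", "identity: fixed identity with encrypted credentials; the process "
                         "account needs Read on the registry key, and ASP.NET 1.0 on Windows "
                         "2000 also needs 'Act as part of the operating system'")]
    return [("HIGH", "identity: fixed-identity impersonation with plain-text credentials "
                     "in the config file; use aspnet_setreg registry: references")]


def audit_config(xml_text):
    """Audit every <processModel> and <identity> element in a config document."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("processModel"):
        findings.extend(audit_process_model(elem))
    for elem in root.iter("identity"):
        findings.extend(audit_identity(elem))
    return findings


# Constructed sample fragments (not real Machine.config files).
WEAK_CONFIG = r"""<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
  <identity impersonate="true" userName="MyServiceAccount" password="Str0ng!Passw0rd" />
</system.web></configuration>"""

HARDENED_CONFIG = r"""<configuration><system.web>
  <processModel enable="true"
      userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName"
      password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password" />
  <identity impersonate="true"
      userName="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,userName"
      password="registry:HKLM\SOFTWARE\YourApp\identity\ASPNET_SETREG,password" />
</system.web></configuration>"""

DEFAULT_CONFIG = r"""<configuration><system.web>
  <processModel enable="true" userName="machine" password="AutoGenerate" />
  <identity impersonate="true" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("default", DEFAULT_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against a real Machine.config by passing the file contents to audit_config; the "weak" fragment produces two HIGH findings (SYSTEM process identity and a plain-text impersonation password), the "hardened" one only the informational reminder about the registry key ACL and the ASP.NET 1.0 user right, and the default ASPNET configuration none.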

NTFS permission requirements

NTFS permissions must be configured appropriately for the impersonated identity.

From: constanding blog
