ASP. NET Web applications and Web Services run in a shared instance of ASP. NET workflow (Aspnet_wp.exe. Process-level settings (including process identifiers) are configured using the <processModel> element in Machine. config.
<ProcessModel>The identifier of the ASP. NET workflow is configured using the userName and password attributes on the <processModel> element. When configuring the process ID:
| • | Use the default ASPNET account. |
| • | Use the minimum privilege to customize accounts. |
| • | Encrypt <processModel> creden. |
| • | Do not run ASP. NET as SYSTEM. |
The local ASPNET account is the default least privileged account, dedicated to running ASP. NET Web applications and Web Services. If yes, use this account using the following default configuration:
<processModel enable="true" userName="machine" password="AutoGenerate" ... />Use the minimum privilege to customize accounts
If you must use the slave ID to run the ASP. NET workflow, make sure that the account used is configured as the minimum privileged account. This can limit the damage caused by attackers trying to execute code using the process security context.
You may decide to use a backup account because you need to use Windows authentication to connect to a remote Microsoft SQL Server™Database or network resources. Note that you can use the local ASPNET account to perform the above operations. For more information, see data access after this module.
For more information about NTFS permissions required for ASP. NET process accounts, see ACL and permissions after this module.
The following user permissions should also be granted to the ASP. NET process account:
| • | Access this computer from the network |
| • | Log on as a batch job. |
| • | Log on as a service. |
| • | Deny local logon. |
| • | Refuse to log on through the terminal service. |
If you want to use a custom account, do not store plain text creden。 in Machine. config. Use the Aspnet_setreg.exe utility to store encrypted creden。 in the registry.
| • | Encrypt <processModel> creden
|
For more information, see Microsoft Knowledge Base Article 329290 How To: Use the ASP. NET Utility to Encrypt Credentials and Session State Connection Strings ).
Do not run ASP. NET as a SYSTEMDo not use the SYSTEM account to run ASP. NET or grant the "work as part of the operating SYSTEM" user permission to the ASP. NET process account. This operation eliminates the minimum privilege principle, which increases the damage caused by attackers using the process security context of Web applications to execute code.
Back to Top SimulationBy default, ASP. NET applications do not use simulation. When an application accesses Windows resources, the security context of the ASP. NET workflow account (ASPNET by default) is used.
<Identity>The <identity> element is used to enable simulation. Simulation:
| • | Original caller (ID verified by IIS) |
| • | Fixed ID |
To simulate the original caller, use the following Configuration:
<identity impersonate="true" />
Simulate the access token provided by IIS that represents the verified caller. This can be an anonymous Internet user account (for example, if the application uses form authentication) or a Windows account representing the original caller (if the application uses Windows Authentication ).
If you do want to enable the original caller simulation, pay attention to the following issues:
| • | Because database connections cannot be effectively pooled, the scalability of applications is reduced. |
| • | You need to configure the ACL on the backend resources for a single user, which increases the management workload. |
| • | Delegates the Windows 2000 environment that requires Kerberos Authentication and proper configuration. |
For more information, see "Microsoft patterns & practices Volume I, Building Secure ASP. NET Web Applications: Authentication, Authorization, and Secure Communication in the "How To" section "How To: Implement Kerberos Delegation for Windows 2000", its URL is: http://msdn.microsoft.com/library/default.asp? Url =/library/en-us/dnnetsec/html/SecNetHT05.asp (English ).
Simulate fixed identityTo simulate a fixed identifier, use the userName and password attributes on the <identity> element to specify the identifier:
<identity impersonate="true" userName="MyServiceAccount" password="Str0ng!Passw0rd"/>
Do not store the creden。 in plain text. Use the Aspnet_setreg.exe tool to encrypt creden。 and store them in the registry.
| • | Encrypted <identity> creden
|
For more information, see Microsoft Knowledge Base Article 329290 How To: Use the ASP. NET Utility to Encrypt Credentials and Session State Connection Strings ).
Work as part of the operating system
When a fixed identifier is simulated by specifying the userName and password attributes, the ASP. NET 1.0 process account must have the "work as part of the operating system" user permission on Windows 2000. Because this effectively promotes ASP. NET Process accounts to the level of privilege that can access local system accounts, it is not recommended to use a simulated fixed identity for ASP. NET 1.0.
Note:If you are running ASP. NET 2000 on Windows 2003 or Windows 1.1 Server, you do not need this user permission.
NTFS permission requirementsThe NTFS permission must be properly configured for the simulated identity
From: constanding blog
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
