How to create a custom account to run ASP.NET

Release Date: 10/28/2004 | Updated: 10/28/2004


Microsoft Corporation

Objectives

Use this module to:

Create a least privileged account that has sufficient permissions to run ASP.NET applications correctly.

Configure ASP.NET to run using that custom least privileged account.

Applies To

This module applies to the following products and technologies:

Microsoft Windows XP, Windows 2000 Server (with Service Pack 3) and later operating systems

Microsoft .NET Framework version 1.0 (with Service Pack 2) and later

Internet Information Services (IIS) 5.0 or 6.0 (only when IIS 5.0 isolation mode is used)

How to Use This Module

To get the most from this module:

You must have experience developing ASP.NET Web applications and be familiar with the use and structure of the machine.config file.

You must have experience using Windows administration tools to create and manage standalone or domain-based Windows user accounts.

Read the "ASP.NET Security" module. It gives you details about ASP.NET security, how the ASP.NET worker process identity affects the permissions an application runs with, and how impersonation can be used to grant Web application users the appropriate level of permission.

Contents

Summary
Prerequisites
Create a New Local Account
Assign Minimum Privileges
Assign NTFS Permissions
Configure ASP.NET to Run Using the New Account

Summary

By default, each ASP.NET worker process runs in the context of a least privileged account named ASPNET. If your ASP.NET application is deployed on a domain-based server or needs to access resources on a remote server, you can configure ASP.NET to run in the context of a different account to simplify administration.

This module describes how to configure ASP.NET to run in the context of a custom local account or domain account, and how to assign that account the permissions it needs in order to work correctly.


Prerequisites

Before using this module, you should understand the following:

ASP.NET worker process identity

The default account used to run ASP.NET (created during installation) is a least privileged local account, specified in machine.config as follows:

<processModel enable="true" userName="machine" password="AutoGenerate" />

This account appears as ASPNET in Local Users and Groups and has a strong password that is secured in the Local Security Authority (LSA).

When you need to access network resources (such as databases) using the ASP.NET process identity, you can do either of the following:

Use a domain account.

Use a "mirrored" local account (that is, an account with a matching user name and password on both computers). This approach is required when the computers are in different domains with no trust relationship, or when they are separated by a firewall and you cannot open the ports required for NTLM or Kerberos authentication.

The simplest approach is to change the password of the ASPNET account on the Web server to a known value, and then create a local account named ASPNET with the same password on the target computer. On the Web server, you must first change the ASPNET account password in Local Users and Groups, and then replace the credentials on the <processModel> element. Instead of storing the plaintext password in machine.config, use aspnet_setreg.exe to store the encrypted credentials in the registry. For more information, see module 8, "ASP.NET Security".

<processModel enable="true"
    userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password"
    ... />

You can use the steps in this module to create a least privileged local account.

Fixed identity impersonation

You can impersonate a fixed identity for a specific virtual directory by using the following settings in Web.config. Use aspnet_setreg.exe to store the encrypted credentials in the registry.

<identity impersonate="true"
    userName="registry:HKLM\SOFTWARE\YourSecureApp\identity\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\YourSecureApp\identity\ASPNET_SETREG,password" />

This approach is typically used when multiple Web sites on the same Web server need to run under different identities; for example, it is required in application hosting scenarios.

This module describes how to create a least privileged local account. If ease of administration is the main concern, you can instead use a least privileged domain account with a strong password.

When you consider which account to use to run ASP.NET, remember the following points:

By default, ASP.NET does not impersonate. Therefore, any resource access performed by a Web application uses the ASP.NET process identity. In this case, Windows resources must have an access control list (ACL) that grants access to the ASP.NET process account.

If impersonation is enabled, the application accesses resources using the security context of the original caller or, if IIS is configured for anonymous authentication, the anonymous Internet user account (IUSR_MACHINE by default). In this case, resources must have ACLs based on the original caller's identity (or IUSR_MACHINE).

When creating a custom account, always follow the principle of least privilege: grant only the minimum privileges and permissions required.

Avoid using the SYSTEM account to run ASP.NET.

Avoid granting this account the "Act as part of the operating system" privilege.


Create a New Local Account

This procedure creates a new local account. By default, the new account is added to the local Users group.

To create a new local account:

1. Create a local account (for example, "CustomASPNET").

   Make sure you use a strong password for this account. A strong password has at least seven characters and contains uppercase and lowercase letters, numbers, and other characters (such as *, ? or $).

2. Clear "User must change password at next logon".

3. Select "Password never expires".


Assign Minimum Privileges

This procedure assigns the minimum set of privileges required to run ASP.NET.

To assign minimum privileges:

1. From the Administrative Tools program group, start the Local Security Policy tool.

2. Expand Local Policies and then select User Rights Assignment.

   A list of privileges is displayed in the right pane.

3. Assign the following privileges to the new account:

   Access this computer from the network

   Log on as a batch job

   Log on as a service

   Deny logon locally

   Deny logon through Terminal Services

   Note: To assign a privilege to an account, double-click the privilege and click Add to select the account.

4. Close the tool.


Assign NTFS Permissions

This procedure grants the custom ASP.NET account the required NTFS permissions on the local file system.

Note: The steps in this procedure apply to the file system on the Web server, not to the file system on a remote computer (where you might duplicate this account for network authentication).

To assign NTFS permissions:

Start Windows Explorer and assign the appropriate permissions to the folders listed in Table 1.

The fixed impersonation account referred to in Table 1 is the account you can optionally configure with the <identity> element, as follows:

<identity impersonate="true"
    userName="registry:HKLM\SOFTWARE\YourSecureApp\identity\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\YourSecureApp\identity\ASPNET_SETREG,password" />

In this example, aspnet_setreg.exe has been used to store the custom account credentials in the registry in encrypted form.

Table 1: Required NTFS permissions

Location: Temporary ASP.NET files
  C:\WINNT\Microsoft.NET\Framework\<version>\Temporary ASP.NET Files
Required permissions: Full Control
Account: Process and fixed impersonation accounts
Remarks: This is the ASP.NET dynamic compilation location. Beneath this folder, application code is generated in a discrete directory for each application. The default location can be changed with the tempDir attribute of the <compilation> element.

Location: Temporary folder
  C:\WINNT\Temp
Required permissions: Read/Write/Delete
Account: Process
Remarks: Location used by Web services to generate serialization proxies. Note that the Delete permission is set using the Advanced button on the Security page of the folder's Properties dialog box in Windows Explorer.

Location: Application virtual directory
  C:\Inetpub\wwwroot\webapp1
Required permissions: Read
Account: Process
Remarks: Location of the Web application files (that is, the application's virtual root directory). By default, the Users group has the appropriate access.

Location: Installation root (%installroot%) hierarchy
  C:\WINNT\Microsoft.NET\Framework\v1.0.3705
Required permissions: Read
Account: Process and fixed impersonation accounts
Remarks: ASP.NET must be able to access the .NET Framework assemblies. By default, the Users group has the appropriate access.

Location: Global assembly cache
  C:\WINNT\assembly
Required permissions: Read
Account: Process and fixed impersonation accounts
Remarks: This is the global assembly cache. You cannot use Windows Explorer directly to edit the ACL of this folder. Use a command window instead and run the following command:
  cacls %windir%\assembly /e /t /p domain\useraccount:R
If you want to use Windows Explorer, first unregister shfusion.dll by running:
  regsvr32 -u shfusion.dll
After setting the permissions in Windows Explorer, re-register shfusion.dll by running:
  regsvr32 shfusion.dll

Location: Web site root directory
  C:\Inetpub\wwwroot, or the default path that the Web site points to
Required permissions: Read
Account: Process
Remarks: ASP.NET reads configuration files and monitors for file changes in this folder.

Location: System root directory
  C:\WINNT\System32
Required permissions: Read
Account: Process
Remarks: For the system DLLs loaded by the Framework.

Location: Application folder hierarchy
  C:\
  C:\Inetpub\
  C:\Inetpub\wwwroot\
  C:\Inetpub\wwwroot\mywebapp1
Required permissions: List Folder/Read
Account: Process
Remarks: For file change notifications and for the C# compiler (to normalize files), the process account requires List Folder and Read Data permissions on the application folder hierarchy. This means all of the parent folders back to the root directory.


Configure ASP.NET to Run Using the New Account

This procedure edits machine.config to configure ASP.NET to run using the new account.

To configure ASP.NET to run using the new account:

1. Run aspnet_setreg.exe from a command prompt to add an encrypted version of the custom account's user name and password to the registry. For more information about this utility and where to download it, see Microsoft Knowledge Base article 329290, "HOWTO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings", at http://support.microsoft.com/default.aspx?scid=329290.

   aspnet_setreg -k:SOFTWARE\YourSecureApp\processModel -u:"CustomASPNET" -p:"YourStrongPassword"

2. Open machine.config using Visual Studio .NET or Notepad.

   machine.config is located in the following folder:

   C:\WINNT\Microsoft.NET\Framework\v1.0.3705\CONFIG

3. Locate the <processModel> element and set the userName and password attributes to the following strings, which point to the encrypted credentials.

   Default:

   <processModel userName="machine" password="AutoGenerate" ... />

   Becomes:

   <processModel
       userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
       password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password"
       ... />

4. Save the changes to machine.config.
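The following script is an added example, not part of this module or of any Microsoft tool. It audits a machine.config or Web.config fragment and reports how each <processModel> and <identity> element stores its credentials: the default ASPNET account (machine/AutoGenerate), a registry: reference written by aspnet_setreg.exe, the SYSTEM account the module says to avoid, or a plaintext password. The two configuration fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not real files): a machine.config left at the
# default, and a Web.config whose fixed identity carries a plaintext password.
SAMPLE_MACHINE_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="machine" password="AutoGenerate" />
  </system.web>
</configuration>"""

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" userName="CustomASPNET" password="YourStrongPassword" />
  </system.web>
</configuration>"""

# Prefix aspnet_setreg.exe references use, e.g. registry:HKLM\SOFTWARE\...,userName
REGISTRY_PREFIX = "registry:hklm\\"


def classify_credential(user_name, password):
    """Classify how a processModel or identity element stores its credentials."""
    if user_name == "machine" and password == "AutoGenerate":
        return "default"      # built-in ASPNET account; password held by the LSA
    if user_name.upper() == "SYSTEM":
        return "system"       # worker process would run as Local System
    if (user_name.lower().startswith(REGISTRY_PREFIX)
            and password.lower().startswith(REGISTRY_PREFIX)):
        return "registry"     # encrypted by aspnet_setreg.exe, referenced by key
    return "plaintext"        # literal credentials inside the .config file


def audit_config(xml_text):
    """Return [(element, storage)] for every processModel/identity element."""
    root = ET.fromstring(xml_text)
    results = []
    for tag in ("processModel", "identity"):
        for elem in root.iter(tag):
            user = elem.get("userName", "")
            pwd = elem.get("password", "")
            if tag == "identity" and not user and not pwd:
                storage = "caller"   # impersonates the caller (or IUSR_MACHINE)
            else:
                storage = classify_credential(user, pwd)
            results.append((tag, storage))
    return results


def insecure_findings(results):
    """Keep only the entries a reviewer would flag: plaintext or SYSTEM."""
    return [r for r in results if r[1] in ("plaintext", "system")]
```

Run it against a real machine.config and each application's Web.config; a "plaintext" or "system" entry is the setting to change by following the steps above.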
