Hi,

We are receiving an application from a third party that will eventually be installed in our production environment.

As part of the setup, they want us to make Machine\ASPNET an Administrator account.

This seems to me like bad practice, but I need specific reasons if I am going to push back on this.

What are the implications of running Machine\ASPNET as an administrator?

Additional details:

  • This will be deployed under IIS6 on Windows Server 2003
  • This is a three-tier application. I believe they want the Machine\ASPNET user as administrator on the middle tier, where the WCF services will be deployed.

A: 

I would agree this is a very bad idea. If for some reason there was a security breach on the site, an attacker could pretty much do what they want with the server.

You need to find out why the user needs to be an admin, get an exact list of actions that the user needs to perform and just give permission for these tasks. If they can't give you a proper list then just reject it; it shows that they don't know their application very well and that should be enough of a worry.

Michael Edwards
+2  A: 

As you've guessed, making the ASPNET account a member of the Administrators group is a really, really bad idea.

This is because a successful exploit against your third party app (or against any other web app running as ASPNET) would gain administrative access to the machine. This is the principal reason why web app accounts are generally low-privileged.

Instead of granting ASPNET admin rights, you could request from your third party what specific rights they require. You could then grant ASPNET just those rights. This would limit what a successful exploit could accomplish.

For example, if the app needs read/write access to the registry under HKLM, you could grant ASPNET access to it. Thus an exploit could clobber the registry, but not the file system.

Paul Lalonde
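
The scoped grant described in the answer above, as an added example that is not part of the original thread or the vendor's setup: it refuses to proceed while ASPNET is in the local Administrators group, then grants read/write on a single registry key. It assumes Windows PowerShell is installed on the server, and the key path is a hypothetical placeholder for whatever key the vendor actually names.

```powershell
# Added example. Assumptions: Windows PowerShell is installed, the script runs
# elevated, and $KeyPath is a hypothetical placeholder, not a key from the thread.
$Account = "$env:COMPUTERNAME\ASPNET"
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical

function Test-LocalAdminMember {
    param([string]$UserName)
    # Enumerate the local Administrators group through the WinNT ADSI provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $names = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return ($names -contains $UserName)
}

function Grant-RegistryKeyAccess {
    param([string]$Path, [string]$Identity)
    # Read and write values and subkeys under this key only.
    # No FullControl, no TakeOwnership, no ChangePermissions.
    $rights    = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, $rights, $inherit, $propagate, $allow
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-LocalAdminMember -UserName 'ASPNET') {
    # A scoped ACL is meaningless while the account is an administrator.
    Write-Warning 'ASPNET is in Administrators; remove it before granting scoped rights.'
}
elseif (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "Key $KeyPath does not exist; confirm the exact path with the vendor."
}
else {
    Grant-RegistryKeyAccess -Path $KeyPath -Identity $Account
    # Show the resulting entries for ASPNET so the grant can be reviewed.
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference -like '*\ASPNET' } |
        Format-List IdentityReference, RegistryRights, AccessControlType, IsInherited
}
```
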
+1  A: 

If a vendor is giving this advice you’ll normally find they’ve put doing the job properly in the “too hard basket”. Most likely they’ve struck permissions issues and just recommended granting the broadest possible access rights to solve the problem rather than applying the proper due diligence and investigating the root cause.

As others have said, go back and pressure them for more details. There’s a very good reason the ASPNET account operates with limited rights; the onus is on the vendor to properly explain why good security practice should be compromised to run their product.

Troy Hunt