tags:

views:

1167

answers:

2
Q: 

Understanding IIS6 permissions, ACL, and identity--how can I restrict access?

When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.

The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.

The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?

Google search turns up bits and pieces but never the whole story.

+1  A: 

what user account is relevant for [..] file read/write/execute access

As a rule: Always the user account the application/page runs under.

The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.

If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.

Process Monitor from Microsoft is a great tool to track down subtleties like this one.

Tomalak  2008-09-30 20:34:46
Where is the IWAM account limited? How can I see/adjust these limitations?
Patrick Szalapski  2008-09-30 21:07:11
>"Check who owns your file." If I'm writing a new file, this would be 'who owns the folder', right?
Patrick Szalapski  2008-09-30 21:11:06
No. Owner of the file is the account who created it. Ownership is not inherited, this would defy the purpose.
Tomalak  2008-10-07 09:46:24
The problem was with creating files, so I was focusing on the ACL of the folder to which I was writing. I always presumed that the account of the W3WP would be the owner of the files, and indeed it is. As stated below, I went with NETWORK SERVICE which seems to obey the ACL.
Patrick Szalapski  2008-12-08 19:47:17
A: 

A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.

Patrick Szalapski  2008-10-02 15:27:35

related questions

Apache and IIS side by side (both listening to port 80) on windows2003
Web Access to Virtual Machine
Winsock - 10038 Error - Win2K3 Server - baffling behaviour
How to hide complete volume?
Using both 1.1 and 2.0 frameworks on Windows 2003 x64
Windows Server 2003 - Share current Desktop via RDP like in Windows XP?
How can I kill a process, using VBScript, started by a particular user.
Can you have more than one ASP.NET State Server Service in a cluster?
Do I need a Windows CAL for each client when they will only access an Oracle database on the server?
Switching state server to another machine in cluster
How do you tell IIS 6 to set the .NET version to 2.0 (not 1.1) When New sites are created?
How do I stop network flooding using Windows 2003 Network Load balancing?
MS Server 2003 vs MS Server 2008
Does Windows Server 2003 SP2 tell the truth about Free System Page Table Entries?
How to Prevent the "Please tell Microsoft about this problem" Dialog Boxes
Delayed Write Failed on Windows 2003 Clustered Fileshare
How do I cluster an upload folder with ASP.Net?
How do I secure a folder used to let users upload files?
I'm looking for a Windows hosting provider that supports custom os images (like AMZN EC2)
Error installing iKernel.exe
how to allow files starting with period and no extension in windows 2003 server?
How can I prevent a server from becoming locked after a Remote Desktop session
Default Internet connection on Dual LAN Workstation
Printers not available unless shared.
Client collation and SQL Server 2005