What are the dangers of giving the Network Service account read/write permissions to your ASP.NET Web application? I have to do this for any directory that my app needs to write to, like App_Data for my VistaDb database and some random directories to upload images and make changes to text files, etc. What is the danger in doing this? And is it acceptable to just grant read/write perms to the entire Web application for Network Service?

+4  A: 

The biggest security risk of giving the Network Service Account write permissions to folders is experienced in Shared Hosting or when you run multiple websites on the same server.

Basically, if you grant modify permissions, then every other ASP.NET application on that server configured to run as Network Service (all by default) will also have write permissions to that folder, which could be exploited.

splattne
So if this was a dedicated server that's not shared hosting or on a domain (so no domain account), would it be just as safe to give Network Service Read/Write perms to the entire application?
EdenMachine
+2  A: 

The danger of doing this is that Network Service is a shared account and any application or service running under this account would have access to that directory.

Depending on what version of IIS you are using, you can place the web application in a separate application pool and have it run under a different user account. Then, you can grant access specifically to that user and not Network Service. This is only available in IIS 6 or later.

NYSystemsAnalyst
+2  A: 

Well, the immediate danger is that Network Service can read/write to those folders, of course, but per Microsoft, this account is a least privileged machine account with limited permissions. If you are on a domain, a better approach may be to use a domain account. Detailed information about both can be found at http://msdn.microsoft.com/en-us/library/ms998320.aspx

schmoopy
+1  A: 

OK, so if I can figure out how to get your application to write a file to the filesystem, because you granted read/write to the entire application's virtual directory, I can now write an aspx file to your website, invoke it and run arbitrary code, including cool things like WMI calls and COM interop.

Do you have the time and resources to conclusively prove I can't use your application (which includes parts you didn't write, such as the framework itself) to write a file to your website? Why not just preclude the possibility when it is so cheap (timewise) to set NTFS permissions?

Now if you grant rights just to App_Data, even if I did write an aspx file to that folder, I wouldn't be able to invoke it, because the App_Data folder is treated as special by the runtime and will not serve any files from there (lest someone just call http://yourserver.com/app_data/data.mdb and hack your db by simply downloading the file). Obviously these files in App_Data can be reached by using ADO and the like, but that isn't a security issue.

MatthewMartin
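
To check where a site currently stands on the points raised in the answers above, the following PowerShell audit lists every directory under a site root on which Network Service holds a write-capable allow ACE, and marks whether it sits under App_Data. It is an added example, not part of any answer on this page; the function name and the site path in the usage comment are hypothetical.

```powershell
# Added example: find directories where Network Service can create or modify files.
function Get-NetworkServiceWritableDir {
    param(
        [Parameter(Mandatory)][string]$SiteRoot
    )

    # Match on the well-known SID (S-1-5-20) rather than the display name,
    # which is localized on non-English Windows installations.
    $networkServiceSid = 'S-1-5-20'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # WriteData/AppendData cover creating files and subdirectories (Modify and
    # FullControl include them). Inherit-only ACEs may carry generic bits instead:
    # 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData' `
        -bor 0x40000000 -bor 0x10000000

    $dirs = @(Get-Item -LiteralPath $SiteRoot) +
            @(Get-ChildItem -LiteralPath $SiteRoot -Directory -Recurse)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq $networkServiceSid -and
                $rule.AccessControlType -eq 'Allow' -and
                ([int]$rule.FileSystemRights -band $writeBits) -ne 0) {

                [pscustomobject]@{
                    Path         = $dir.FullName
                    Rights       = $rule.FileSystemRights
                    Inherited    = $rule.IsInherited
                    # App_Data is not served by the ASP.NET runtime; anything else may be.
                    UnderAppData = $dir.FullName -match '\\App_Data(\\|$)'
                }
            }
        }
    }
}

# Usage (hypothetical path): show writable directories outside App_Data.
# Get-NetworkServiceWritableDir -SiteRoot 'C:\inetpub\wwwroot\MyApp' |
#     Where-Object { -not $_.UnderAppData } | Format-Table -AutoSize
```

Rows with `Inherited = False` show where the grant was actually set; a single explicit grant at the site root appears as inherited on every subdirectory beneath it.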