tags:

views:

1707

answers:

3
Q: 

'NT AUTHORITY\NETWORK SERVICE' not inheritting local group permissions?

We are deleting images that have been uploaded to our server using an ASP.NET web page. The site is running under 'NT AUTHORITY\NETWORK SERVICE' in IIS.

On the IIS server we have created a local group 'Full_Access' that we have added the 'NT AUTHORITY\NETWORK SERVICE' to. This group has NTFS Modify permission enabled on the file.

When we delete the file from out app. The file does not get deleted.

If we add 'NT AUTHORITY\NETWORK SERVICE' file instead explicitly to the file and give modify permission instead of relying on it to inherit the permission from the local group it is in then it works just fine.

We have used the effective permissions check on the security tab and either way it supposedly has permission? But in actuality it only works if we directly give the service account permission?

Is there some reason 'NT AUTHORITY\NETWORK SERVICE' does not inherit the permissions of the local group it is in?

A: 

Add the group IIS_WPG to your 'Full_Access' group instead of NETWORK SERVICE.

From http://msdn.microsoft.com/en-us/library/ms998320.aspx :

Note If you need to allow the same level of access to a file resource for all accounts that run ASP.NET applications (Network Service or a custom service account), you can grant access to the IIS_WPG group instead of specifically to the Network Service account. Any account used to run ASP.NET is required to be a member of the IIS_WPG group.

FreddyB  2009-01-14 19:57:25
You cant add a group to a group... Anyways...We originally tried adding 'IIS_WPG' to the file but that did not work. That is why we created the 'Full_Access' group.
ctrlShiftBryan  2009-01-14 20:07:05
You're right. My bad. I misread your question. Any chance you can post cacls c:\path\to\wherever ?
FreddyB  2009-01-14 20:51:50
A: 

Just a guess, but have you tried restarting the server?

The group membership is determined during the login process. The NETWORK SERVICE is actually the computer account. And I don't think that it work in the same way as other accounts. That is, it doesn't login when you start the application. The system account(which control the iis) just start the process under its identity. Which means that there is no login, and no group membership check.

Igal Serban  2009-01-14 21:41:20
+1  A: 

Why don't you create a dedicated application pool and have it running under a regular user with the appropriate rights?

Otávio Décio  2009-01-15 01:41:10

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security