Process Identity for ASP.NET


ASP.NET Web applications and Web services run in a shared instance of the ASP.NET worker process (Aspnet_wp.exe). Process-level settings, including the process identity, are configured using the <processModel> element in Machine.config. Note that this applies to IIS 5.x (and to IIS 6.0 running in IIS 5.0 isolation mode); on IIS 6.0 in worker process isolation mode the worker process is W3wp.exe and its identity is taken from the application pool, so the userName and password attributes on <processModel> are ignored there.

<processModel>

The identity for the ASP.NET worker process is configured using the userName and password attributes on the <processModel> element. When you configure process identity:

  • Use the default ASPNET account.

  • Use a least-privileged custom account.

  • Encrypt <processModel> credentials.

  • Do not run ASP.NET as SYSTEM.

Use the Default ASPNET Account

The local ASPNET account is the default least privileged account specifically for running ASP.NET Web applications and Web services. Use this account if you can by using the following default configuration:

 <processModel enable="true" userName="machine" password="AutoGenerate" ... /> 

Use a Least Privileged Custom Account

If you must use an alternate identity to run the ASP.NET worker process, make sure the account that you use is configured as a least privileged account. This limits the damage that can be done by an attacker who manages to execute code using the process security context.

You might decide to use an alternate account because you need to connect to a remote Microsoft SQL Server database or network resource using Windows authentication. Note that you can still use the local ASPNET account for this purpose by creating a duplicate local account (same name and password) on the remote server. For more information, see "Data Access" later in this chapter.

For more information about the NTFS permissions that the ASP.NET process account requires, see "NTFS Permission Requirements" later in this chapter.

You should also grant the following user rights to the ASP.NET process account:

  • Access this computer from the network.

  • Log on as a batch job.

  • Log on as a service.

  • Deny log on locally.

  • Deny log on through Terminal Services.
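The user rights above are normally applied with secedit: export the current policy, edit the [Privilege Rights] section, and configure it back. Because a template assigns the complete account list for each privilege, writing only the new account would strip everyone else from "Log on as a service" and the rest. The following added script (not part of the book or of any Microsoft tool) appends an account to the five privileges while preserving the existing assignments. The privilege constants are secedit's own names for the rights listed above; the exported template and the account name MACHINE\CustomAccount are constructed for illustration.

```python
"""Append one account to the user rights an ASP.NET process account needs, in a secedit template."""

# secedit privilege constant -> the policy name shown in Local Security Policy.
REQUIRED_RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Terminal Services",
}

# Constructed, abbreviated output of "secedit /export /cfg current.inf /areas USER_RIGHTS".
# Real exports list SIDs prefixed with "*"; account names are accepted as well.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = *S-1-5-80-0
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _is_header(stripped):
    return stripped.startswith("[") and stripped.endswith("]")


def parse_rights(template):
    """Map each privilege in [Privilege Rights] to its list of assigned accounts/SIDs."""
    rights, in_section = {}, False
    for line in template.splitlines():
        stripped = line.strip()
        if _is_header(stripped):
            in_section = stripped.lower() == "[privilege rights]"
        elif in_section and "=" in stripped:
            name, _, value = stripped.partition("=")
            rights[name.strip()] = [m.strip() for m in value.split(",") if m.strip()]
    return rights


def grant_rights(template, account):
    """Return the template with `account` added to every right in REQUIRED_RIGHTS.

    Existing assignments are kept; rights that are absent from the template are
    added inside [Privilege Rights] (the section is created if missing).
    """
    out, seen, in_section, found = [], set(), False, False

    def flush_missing():
        for right in REQUIRED_RIGHTS:
            if right not in seen:
                out.append(f"{right} = {account}")
                seen.add(right)

    for line in template.splitlines():
        stripped = line.strip()
        if _is_header(stripped):
            if in_section:          # leaving [Privilege Rights]: add rights not yet listed
                flush_missing()
            in_section = stripped.lower() == "[privilege rights]"
            found = found or in_section
            out.append(line)
            continue
        if in_section and "=" in stripped:
            name, _, value = stripped.partition("=")
            name = name.strip()
            if name in REQUIRED_RIGHTS:
                seen.add(name)
                members = [m.strip() for m in value.split(",") if m.strip()]
                if account not in members:      # idempotent: do not add twice
                    members.append(account)
                out.append(f"{name} = {','.join(members)}")
                continue
        out.append(line)
    if in_section:                  # section ran to end of file
        flush_missing()
    if not found:                   # no [Privilege Rights] at all
        out.append("[Privilege Rights]")
        flush_missing()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(grant_rights(SAMPLE_EXPORT, "MACHINE\\CustomAccount"))
```

Exported templates are UTF-16 text, so read and write them with encoding="utf-16" before handing the amended file to `secedit /configure /db custom.sdb /cfg amended.inf /areas USER_RIGHTS`. An account name that does not resolve on the target machine is skipped by secedit with a warning, so check the log after configuring.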

Encrypt <processModel> Credentials

If you need to use a custom account, do not store plaintext credentials in Machine.config. Use the Aspnet_setreg.exe utility to store encrypted credentials in the registry.

 Task   To encrypt credentials for <processModel>

  1. Run the following command from the command prompt:

     aspnet_setreg -k:Software\YourApp\process -u:CustomAccount -p:StrongPassword 

    This stores the encrypted credentials in the specified registry key and secures the registry key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.

  2. Reconfigure the <processModel> element and add the following userName and password attributes.

     <processModel userName="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG,password"/> 

For more information, see Microsoft Knowledge Base article 329290, "How To: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings."

Do Not Run ASP.NET as SYSTEM

Do not use the SYSTEM account to run ASP.NET and do not grant the ASP.NET process account the "Act as part of the operating system" user right. Doing so defeats the principle of least privilege and increases the damage that can be done by an attacker who is able to execute code using the Web application's process security context.
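The four rules in this section can be checked mechanically against a Machine.config. The following added script (not from the book) parses the <processModel> element and reports a finding when the process runs as SYSTEM, when a custom account carries a plaintext password, or when only one of the two attributes is an aspnet_setreg registry reference; the default ASPNET configuration and a fully registry-backed configuration pass. The registry-reference pattern follows the form shown in step 2 above; the sample configurations are constructed for illustration and the key path HKLM\SOFTWARE\YourApp\process is the placeholder from the text.

```python
"""Audit the <processModel> identity settings in a Machine.config."""
import re
import xml.etree.ElementTree as ET

# Reference format written by aspnet_setreg:
#   registry:HKLM\<key>\ASPNET_SETREG,userName   and   registry:HKLM\<key>\ASPNET_SETREG,password
REGISTRY_REF = re.compile(r"^registry:HKLM\\.+\\ASPNET_SETREG,(userName|password)$", re.IGNORECASE)

# Spellings of the local system account that all mean "run as SYSTEM".
SYSTEM_NAMES = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}


def make_config(user_name, password):
    """Build a minimal Machine.config around one <processModel> (constructed test input)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<configuration>\n  <system.web>\n"
        f'    <processModel enable="true" userName="{user_name}" password="{password}" />\n'
        "  </system.web>\n</configuration>\n"
    )


def audit_process_model(config_xml):
    """Return a list of findings; an empty list means <processModel> follows the guidance."""
    root = ET.fromstring(config_xml)
    pm = root.find("./system.web/processModel")
    if pm is None:
        return ["no <processModel> element under <system.web>"]
    user_name = pm.get("userName", "")
    password = pm.get("password", "")

    # Do not run ASP.NET as SYSTEM.
    if user_name.upper() in SYSTEM_NAMES:
        return [f"userName={user_name!r}: worker process runs as SYSTEM"]

    # Default ASPNET account: userName="machine" password="AutoGenerate".
    if user_name.lower() == "machine" and password == "AutoGenerate":
        return []

    # AutoGenerate is only meaningful for the built-in account.
    if password == "AutoGenerate":
        return [f'userName={user_name!r}: password="AutoGenerate" is only valid with userName="machine"']

    # Custom account: both attributes must be aspnet_setreg registry references.
    user_ref = REGISTRY_REF.match(user_name)
    pwd_ref = REGISTRY_REF.match(password)
    if user_ref and pwd_ref:
        if user_ref.group(1).lower() != "username" or pwd_ref.group(1).lower() != "password":
            return ["registry references present but point at the wrong value names"]
        return []
    if not user_ref and not pwd_ref:
        return [f"custom account {user_name!r}: plaintext password stored in Machine.config"]
    return ["only one of userName/password is a registry reference; both must be"]


if __name__ == "__main__":
    key = r"registry:HKLM\SOFTWARE\YourApp\process\ASPNET_SETREG"
    samples = {
        "default ASPNET": make_config("machine", "AutoGenerate"),
        "runs as SYSTEM": make_config("SYSTEM", "AutoGenerate"),
        "plaintext custom": make_config("CustomAccount", "StrongPassword"),
        "encrypted custom": make_config(key + ",userName", key + ",password"),
    }
    for label, cfg in samples.items():
        print(f"{label:18s} -> {audit_process_model(cfg) or 'OK'}")
```

Run it against the real file with `audit_process_model(open(path, encoding="utf-8").read())`; the function only reads attributes, so it is safe to run on a production Machine.config.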




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613