CodeProject: Securely Run the ASP.NET Worker Process as the System Account. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

6 votes for this article.

Popularity: 2.28 Rating: 2.93 out of 5

Introduction

There are several articles in existence about safely running the aspnet_wp.exe as the ASPNET user, or any other custom user that is specified in the <processModel> section of the machine.config file. However, when I attempted to run the ASP.NET worker process as "machine", or any other user that had the necessary permissions, I was unable to do so. After countless hours of creating a user, granting permissions, and following the steps set fourth by Microsoft in their patterns and practices document, what I found was that the effective settings in our Active Directory group policy were overriding the local policy that I set on my machine. While I'm sure that their directions were well and good for traditional settings, they covered nothing about being in Active Directory and what happens to the local user permissions once they are set.

However, there is a workaround for this dilemma. In the <processModel> element of the machine.config file, set the user name to "system" and the password to "AutoGenerate". Create a local user on your machine. The user will need permission to access all the necessary resources (GAC, Temporary ASP.NET Files directory, etc.). The list of necessary permissions can be found at MSDN. Additionally, if you store any username/password information in the registry, or if you need to access any legacy COM objects in a separate place on the server, the user will need to have the necessary rights.

Now, in the machine.config file, locate the <identity> element. The default setting for the <identity> element is:

<identity impersonate="false" userName="" password=""/>

If you set the identity impersonation to true, but do not specify a user name and password, then the worker process attempts to access files as the IUSR_machinename account. Now, specify a user name and password in the <identity> element, such as:

<identity impersonate="true" userName="myLocalUser" password="myUserPassword"/>

In this setup, it is true that the ASP.NET worker process still runs as system, but when the worker process tries to access files on the server (either in the virtual directory, or in the Temporary ASP.NET Files directory for just-in-time compilation), it does so as the user specified in the <identity> element, not as the system user.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

David Coe

Member

Occupation:	Web Developer
Location:	United States

Other popular Web Security articles:

Role-based Security with Forms Authentication
Provides insight and tips on using role-based (groups) Forms Authentication in ASP.NET, which has only partial support for roles.
Switching Between HTTP and HTTPS Automatically: Version 2
An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs
Forms authentication and Role based authorization: a quicker, simpler, and correct approach
This article describes a correct and smarter way of implementing Role based authorization with Forms authentication in ASP.NET.
Securing ASP.NET Applications
This article takes a look at two recent attacks on web applications and how they were perpetrated. Then it dives head first into a litany of different potential security holes and more importantly, how to plug them in ASP.Net.
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
Discussing how to encode and tamper-proof text and cookies using the MachineKey, by using reflection.