Article ID: 815153
Article Last Modified on 7/8/2005
APPLIES TO
- Microsoft ASP.NET 1.1
- Microsoft ASP.NET 1.0
SUMMARY
This step-by-step article describes how to configure NTFS file permissions for the security of an ASP.NET application.
One common method to lower the risk that is associated with hosting a publicly accessible ASP.NET application is to restrict NTFS permissions on the application’s files. Only those accounts that must have access to a specific file in an ASP.NET application are listed in the file’s access control list (ACL). Additionally, accounts that appear in the ACL must have the minimum authorization that is required for the application to run correctly. For example, when the user must have Read permission to run an application, do not grant Write permission.
This article describes the minimum permissions that users must have for an unauthenticated ASP.NET application to run for common file types. As you change settings, restart the ASP.NET application periodically, and then test it to verify that the application runs as expected. Permission changes that you have made to files, and that have already been successfully requested, may not work until you restart the application.
back to the top
Minimum Permissions That Are Required for ASP.NET Applications
The following table lists the minimum permissions that an Internet Information Services (IIS) IUSR_ComputerName Internet Guest Account and an ASP.NET ASPNET user account (or NetworkService user account, for applications that run on IIS 6.0) must have. These permissions are valid only for applications where the source code is compiled in a DLL file before the application runs, such as applications that were created by using Microsoft Visual Studio .NET. Individual users or groups must have additional permissions to update the files. Permissions are shown for individual file types. For all file types, if the IUSR_ComputerName account and the ASPNET account (or NetworkService accounts, for applications that run on IIS 6.0) have these permissions, you can remove the Everyone account and the Authenticated Users account from the file’s ACL.
| File type | Internet Guest Account Permissions | ASPNET account (or NetworkService account, for applications that run on IIS 6.0) Permissions |
| Folders | Read (Required for access to default document) | Read |
| .ASAX | No Access | Read |
| .ASCX | No Access | Read |
| .ASHX | No Access | Read |
| .ASMX | Read | Read |
| .ASPX | No Access | Read |
| .CONFIG | No Access | Read |
| .CS | No Access | No Access |
| .CSPROJ | No Access | No Access |
| .DLL | No Access | Read |
| .LICX | No Access | No Access |
| .PDB | No Access | No Access |
| .REM | No Access | Read |
| .RESOURCES | No Access | No Access |
| .RESX | No Access | No Access |
| .SOAP | No Access | Read |
| .VB | No Access | No Access |
| .VBPROJ | No Access | No Access |
| .VBDISCO | No Access | No Access |
| .WEBINFO | No Access | No Access |
| .XSD | No Access | No Access |
| .XSX | No Access | No Access |
REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736 HOW TO: Secure an ASP.NET Application by Using Windows Security
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
818014 HOW TO: Secure Applications That Are Built on the .NET Framework
Keywords: kbhowtomaster kbwebserver kbsecurity kbauthentication kbacl KB815153
