ASP.NET Security : 2- More Basics

by Amr 3/25/2008 11:32:00 AM

In my previous post I showed that an ASP.NET application goes through three security context levels and discussed the first one:

  1. IIS Level
  2. ASP.NET worker process level
  3. ASP.NET pipeline level

In this post I will talk a little about the ASP.NET worker process level. Before starting I would like to point out the development environment we use: the development machines run Windows XP with IIS 5.1, while the server runs Windows Server 2003 with IIS 6, so I need to point out the differences between the two.

2- The Worker Process Context :

IIS 5

After IIS authentication, if the request is for ASP.NET (.aspx, .ashx, etc.), the IIS thread hands the request to aspnet_isapi.dll, which starts the aspnet_wp worker process. This worker process runs under the ASPNET account, a local account created when the .NET Framework is installed. ASPNET has the minimum privileges needed to run an ASP.NET application; you can find them listed in this article:
from http://www.microsoft.com/technet.....mspx
You can change the identity from ASPNET to another account using the processModel section in machine.config:

	<processModel userName="xxx" password="XXX"/>
	
IIS 6

In IIS 6 the model changed: the incoming request is first queued to the application pool that the website is hosted in, and then the w3wp.exe worker process serves it.
This time, rather than the ASPNET account, a new one was introduced named NETWORK SERVICE, with the same minimum privileges. To change this account, open the Application Pool properties in the IIS manager and use the Identity tab, as shown in the figure. Read more on Application Pools.

[Figure: IIS application pool Identity tab]

Next, inside the worker process, one of the pooled threads picks up the request. By default this thread inherits the identity of the worker process itself, as defined above; this is the case when impersonation is disabled. If impersonation is enabled, the thread instead takes the identity handed over by IIS, as shown in the previous post.

To enable impersonation, use this section in web.config:

<identity impersonate="true"/>

Read more about it in How to implement impersonation in an ASP.NET application.

Note: If impersonation is enabled, the worker process account does not change. Impersonation only applies to the code executed in the page, so any database access or file access made from that code uses the impersonated account.
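The following handler is an added example, not code from the original post. It reports the three identities discussed above (the IIS-authenticated user, the worker process account, and the identity the request thread actually runs under), so you can verify on your own machine what `<identity impersonate="true"/>` changes and what it leaves alone. It assumes an ASP.NET 2.0 or later application on IIS 5.1 or IIS 6; the class name, handler path and registration line are my own choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Diagnostic handler (added example, not part of the original post).
// Register it in web.config under <httpHandlers>, for example:
//   <add verb="GET" path="whoami.ashx" type="WhoAmIHandler"/>
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // The account the worker process (aspnet_wp.exe on IIS 5, w3wp.exe on
    // IIS 6) runs as: ASPNET, NETWORK SERVICE, or whatever was configured in
    // <processModel> / the application pool. Passing IntPtr.Zero to
    // Impersonate() temporarily reverts the thread to the process token,
    // so GetCurrent() reports that account; Dispose() restores the thread.
    public static string ProcessIdentity()
    {
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return WindowsIdentity.GetCurrent().Name;
        }
    }

    // The identity the request thread is executing under. With
    // <identity impersonate="true"/> this is the user handed over by IIS
    // (for anonymous access, the IUSR_<machine> account); with impersonation
    // disabled it is the same value ProcessIdentity() returns.
    public static string ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // GetCurrent(true) returns null when the thread is not impersonating,
    // which is a direct check of whether the web.config setting took effect.
    public static bool IsImpersonating()
    {
        return WindowsIdentity.GetCurrent(true) != null;
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write("IIS authenticated user : " + context.Request.LogonUserIdentity.Name + "\n");
        context.Response.Write("Worker process identity: " + ProcessIdentity() + "\n");
        context.Response.Write("Thread identity        : " + ThreadIdentity() + "\n");
        context.Response.Write("Impersonating          : " + IsImpersonating() + "\n");
    }
}
```

Because it discloses account names, keep this handler out of production and remove the registration once you have confirmed the identities behave as the post describes.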

Finally, the last security context level handles the request and executes it. In the next post I will show preliminary information on the ASP.NET pipeline level.



About the author: Amr Elsehemy, MCSD, MCTS SQL 2005
