
Getting some Security issues with IIS

My Code behind

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.IO;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        DirectoryInfo theFolder = new DirectoryInfo(@"C:\temp\Server_Attachments\6");
        string Attachment = "";
        foreach (FileInfo nextFile in theFolder.GetFiles())
        {
            Attachment += "<a href=\"C:\\temp\\Server_Attachments\\6\\blabla.xls\">" + nextFile.ToString() + "</a><br />";
            div1.InnerHtml = Attachment;
        }
    }

    protected void Attach_File(object sender, EventArgs e)
    {
        FileUpload1.SaveAs(@"C:\Server_Attachments\6");
    }
}

and my HTML page is like this

<div id="div1" runat="server"></div>

<asp:Label ID="Label1" runat="server" Text=" Attach a file : "></asp:Label><br />

<asp:FileUpload ID="FileUpload1" runat="server" Font-Names="Tahoma" Font-Size="Small" />
<br />

<asp:Button ID="Button2" runat="server" Text=" Attach " Font-Names="Tahoma" Font-Size="Small" OnClick="Attach_File" />

Neither the hyperlinks nor the upload is working :(

  • when I am clicking on the hyperlinks nothing is happening (although "Save target as" is working).

  • when I am trying to upload, I have got the error "Access to the path 'C:\\Server_Attachments\\6' is denied."

It is obviously a security issue. I have checked which account was running the program and it is NETWORK SERVICE.

How do I fix this? Can I give full access to NETWORK SERVICE? Is it secure?

You should consider the permissions for the whole application and the resources it can access.

Good practice would be to create a new user on the server, remove this from the users group and add it as a member of the IIS_IUSER group.

The folders the application accesses can now be given access to this user; it is also good to create a database login for this user and map the application's database.

This way your application is isolated from other applications by permissions.

If you want to allow file upload then that's what you have to do. Yes, that's potentially a security issue - you need to make sure everything else is locked down.

Give "Write" access to "Network Service" for the upload folder. Give "Read" access to "Network Service" for the download folder.

No need to grant full control to Network Service.
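
The grants described in the answer above, as an added PowerShell example that is not part of the original answers. It assumes the upload and download folders are the two paths from the question, that both already exist, and that it is run from an elevated prompt; the function names Grant-FolderRight and Test-NoFullControl are hypothetical.

```powershell
# Added example: least-privilege ACLs for the account the app pool runs as.
$identity = 'NT AUTHORITY\NETWORK SERVICE'

# Paths taken from the question; rights taken from the answer (Write / Read).
$grants = @(
    @{ Path = 'C:\Server_Attachments\6';      Rights = 'Write' }   # upload folder
    @{ Path = 'C:\temp\Server_Attachments\6'; Rights = 'Read'  }   # download folder
)

function Grant-FolderRight {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl  = Get-Acl -LiteralPath $Path
    # Allow rule that is inherited by sub-folders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-NoFullControl {
    param([string]$Path, [string]$Identity)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Any Allow entry for the identity whose mask covers every FullControl bit.
    $hits = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    return -not $hits
}

foreach ($g in $grants) {
    Grant-FolderRight -Path $g.Path -Identity $identity -Rights $g.Rights
    if (-not (Test-NoFullControl -Path $g.Path -Identity $identity)) {
        Write-Warning "$identity still has FullControl on $($g.Path)"
    }
    # Print the resulting entries for the account so the change can be reviewed.
    (Get-Acl -LiteralPath $g.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity } |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

A warning from the loop means a FullControl entry for the account already exists on that folder, set directly or inherited from a parent, and should be reviewed separately.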

Give IIS_IUSER write access to that folder and try.
