简体繁体中英

How do I deal with web role .aspx page running under a restricted user?

原文 2011-06-06 06:19:17 0 1 windows/ iis/ deployment/ azure/ cloud

Turns out the web role.aspx page and web role code run in two separate processes with the default "Full IIS" mode. The problem for the application I'm to port is that.aspx handler needs access to the local filesystem and since it now runs under MachineName\\NETWORK SERVICE account it has no such access.

AFAIK I could do one of the following.

First, I could grant access to necessary subfolders to user MachineName\\NETWORK SERVICE while in an startup task. That will work, but looks insecure - anything running under MachineName\\NETWORK SERVICE will get the same access and this can introdude a vulnerability.

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Third, I could move all dealing with the filesystem onto the code that belongs to the role and is running inside WaIISHost.exe . That will require some redesign.

Which option of the above is most convenient and follows best practices most closely? What other options are there? How do I address the situation?

1 answers

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Wade Wenger's blog is brilliant for this type of question

Here's how to setup the web role under a specific user:

http://www.wadewegner.com/2011/01/programmatically-changing-the-apppool-identity-in-a-windows-azure-web-role/

IIS restriction error for .aspx page, but .aspx is not restricted

how do i convert restricted user token to unrestricted one?

How does it happen Azure web role entry point and .aspx page handler are run in different processes?

How to have Azure web role application pool start under right user from the beginning?

How do I know if I need Full IIS in my Azure web role?

In a windows batch file how do I find out what credentials I am running under?

How do I get the home directory of an *arbitrary* (i.e. not the current) user in PHP under Windows?

How do I launch the default browser with a web page?

How to kill specific process running under specific user account

Apache Virtual Host in Windows - how do I deal with Symbolic links?

暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question IIS restriction error for .aspx page, but .aspx is not restricted how do i convert restricted user token to unrestricted one? How does it happen Azure web role entry point and .aspx page handler are run in different processes? How to have Azure web role application pool start under right user from the beginning? How do I know if I need Full IIS in my Azure web role? In a windows batch file how do I find out what credentials I am running under? How do I get the home directory of an *arbitrary* (i.e. not the current) user in PHP under Windows? How do I launch the default browser with a web page? How to kill specific process running under specific user account Apache Virtual Host in Windows - how do I deal with Symbolic links?

Related Tags

How do I deal with web role .aspx page running under a restricted user?

Question

1 answers

solution1 1 ACCPTED 2011-06-06 18:31:38

solution1
1 ACCPTED 2011-06-06 18:31:38