Secure and Automated way of giving permissions for upload folder in ASP.NET C# web application?

Our ASP.NET C# web application uploads various files like jpgs, pngs, docx, txt, etc to a folder called ClientBin. Everything works fine on our Visual Studio 2010 .NET test server that comes along with the Visual Studio 2010 .NET IDE.

However, if we deploy the application to an IIS7 server, we have to give the web user of our application permission to upload files. We basically log on to our server with IIS7, and then manually modify the Security properties of the folder called ClientBin that should ultimately contain the content like jpgs, pngs, docx, txt, etc.

---Manual approach to allow web user to upload successfully work---------------------------

Right-click the projectfolder\ClientBin folder in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

---Manual approach to make uploading successfully work---------------------------

--Programmatic approach which still gives web user an Exception error when trying to upload------------------

String DirectoryPath = System.IO.Path.Combine(Server.MapPath("~/ClientBin/"));
DirectorySecurity specificDirectorySecurity = Directory.GetAccessControl(DirectoryPath);
specificDirectorySecurity.AddAccessRule(new FileSystemAccessRule("Users", FileSystemRights.Modify, AccessControlType.Allow));
specificDirectorySecurity.AddAccessRule(new FileSystemAccessRule("Administrators", FileSystemRights.Modify, AccessControlType.Allow));
specificDirectorySecurity.AddAccessRule(new FileSystemAccessRule("SYSTEM", FileSystemRights.Modify, AccessControlType.Allow));
Directory.SetAccessControl(DirectoryPath, specificDirectorySecurity);

--Programmatic approach which still gives web user an Exception error when trying to upload------------------

Another online post suggested I solve the issue by entering the following in web.config:

----XML configuration that might solve problem with programmatic approach--------

<identity impersonate="true" userName="ComputerName\Administrator" password="don" />

----XML configuration that might solve problem with programmatic approach--------

However, I'm worried about security issues if I set identity impersonate to true.

What is the most secure and most automated (which might mean a programmatic solution) way of doing this?

Thanks,

newemployee

Typically, directory permissions are granted to the application, and the application manages user access to the upload folder.

All:

Even though I failed to figure out how C# can modify permissions for the upload folder, it seems that Microsoft Windows PowerShell can programmatically modify permissions for the upload folder.

Here is a snippet of the code that programmatically modifies permissions for upload folder:

$computerHostName = [System.Net.Dns]::GetHostName()

# These constants are used to set permissions
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$objType = [System.Security.AccessControl.AccessControlType]::Allow

# (MSDN Docs) The IIS_IUSRS Group has access to all the necessary file and system resources
# so that an account, when added to this group, can seamlessly act as an application pool identity.
# IIS_IUSRS group by default includes the web users that log on to the Perls Applications.
# If a web user needs to upload resources to the folder within the Perls Web Application that
# contains uploaded resource files then we need to ensure that the members of the
# IIS_IUSRS Group have permissions to add resource files to that particular Perls Web Application upload folder.

# This determines which user is the guest user for IIS. Windows Vista and 08 use the IIS_IUSRS group,
# previous versions use IUSR_[MachineName].
# The test is -ge 6 (not -eq 6) so that later Windows releases, which report a higher
# major version, also use IIS_IUSRS.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $webUser = "IIS_IUSRS"
} else {
    $webUser = "IUSR_" + $computerHostName
}

# $umbrellaComponentName and $siteWebComponentName are not defined in this snippet;
# they must already be set by the calling deployment script.
$clientBinDirectoryPath = "D:\DeployedApplications\" + $umbrellaComponentName + "\" + $siteWebComponentName + "\" + "ClientBin"
$perlsPivotErrorDirectoryPath = "D:\DeployedApplications\" + $umbrellaComponentName + "\" + $siteWebComponentName + "\" + "PerlsPivotErrorDirectory"

# Add an inheritable Modify rule for the web user to the ClientBin folder
$aclForClientBinDirectoryPath = Get-Acl $clientBinDirectoryPath
$accessRuleForClientBinDirectoryPath = New-Object System.Security.AccessControl.FileSystemAccessRule($webUser, $colRights, $inherit, $propagation, $objType)
$aclForClientBinDirectoryPath.AddAccessRule($accessRuleForClientBinDirectoryPath)
Set-Acl -AclObject $aclForClientBinDirectoryPath $clientBinDirectoryPath

# Add the same rule to the PerlsPivotErrorDirectory folder
$aclForPerlsPivotErrorDirectoryPath = Get-Acl $perlsPivotErrorDirectoryPath
$accessRuleForPerlsPivotErrorDirectoryPath = New-Object System.Security.AccessControl.FileSystemAccessRule($webUser, $colRights, $inherit, $propagation, $objType)
$aclForPerlsPivotErrorDirectoryPath.AddAccessRule($accessRuleForPerlsPivotErrorDirectoryPath)
Set-Acl -AclObject $aclForPerlsPivotErrorDirectoryPath $perlsPivotErrorDirectoryPath
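An added example, not part of the original answer: a check to run after scripts like the ones above, listing every Allow rule that lets an identity write to an upload folder and flagging grants to broad groups such as the "Users" and IIS_IUSRS grants shown on this page. The function name, the list of broad principals and the demo folder are assumptions made for illustration.

```powershell
# Added example: audit who can write to an upload folder.
function Get-UploadFolderWriteGrants {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumption: principals treated as too broad for an upload folder.
        [string[]]$BroadPrincipals = @(
            'Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'BUILTIN\IIS_IUSRS')
    )

    # WriteData (0x2) and AppendData (0x4) are set in Write, Modify and FullControl.
    # Some ACEs carry raw generic bits instead: GENERIC_ALL (0x10000000) and
    # GENERIC_WRITE (0x40000000). Those show up as bare numbers in Get-Acl output.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne
            [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ((([int]$rule.FileSystemRights) -band $writeMask) -eq 0) { continue }

        $identity = $rule.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $identity
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Broad     = ($BroadPrincipals -contains $identity)
        }
    }
}

# Constructed demo input: an empty folder under the temp directory stands in
# for the deployed ClientBin folder.
$demoPath = Join-Path $env:TEMP 'ClientBin-acl-demo'
New-Item -ItemType Directory -Path $demoPath -Force | Out-Null

$grants = @(Get-UploadFolderWriteGrants -Path $demoPath)
$grants | Sort-Object Broad -Descending | Format-Table -AutoSize

$broad = @($grants | Where-Object { $_.Broad })
if ($broad.Count -gt 0) {
    Write-Warning ("{0} broad write grant(s) on {1}" -f $broad.Count, $demoPath)
}
```

Rows with Inherited set to True come from a parent folder, so removing them means changing the parent's ACL or disabling inheritance on the upload folder.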
