Network service default permissions

on 26.07.2006 15:15:00 by Eric Chaves

Hi folks,

I was digging around the default permissions for the "network service" user
and got myself quite confused. In the servers I've checked, the default ACL
permissions on any new folder for this user are "Read & Execute", "List folder
contents" and "Read". However, when I check the NTFS permissions through the
"Advanced" button I also see that this user has "Create Files/Write Data"
and "Create Folders/Append Data", which according to Microsoft's KBs belong to
"Modify" and "Full Control". Is this correct?
As far as I know the network service account should be used to run with
"minor privileges" and thus is recommended to be used for web sites, but with
this set of permissions the network service has "Write" and "Execute"
permission. Is this safe to be used?

Cheers,

Eric.

Re: Network service default permissions

on 26.07.2006 20:39:01 by someone

The default configuration does not allow Network Service write/create access to
the filesystem, so what you describe is configuration that you or someone
else has customized and hence is responsible for.

"Is this safe to be used" cannot be answered without knowing your security
requirements. Security is never absolute black/white and always relative
shades of grey, so it "depends" on knowing more information.

File ACLs/Permissions and Privileges are two separate but interacting
concepts.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Eric Chaves" wrote in message
news:%23cEboXLsGHA.1876@TK2MSFTNGP06.phx.gbl...
> Hi folks,
>
> I was digging around the default permissions for the "network service" user
> and got myself quite confused. In the servers I've checked, the default ACL
> permissions on any new folder for this user are "Read & Execute", "List
> folder contents" and "Read". However, when I check the NTFS permissions
> through the "Advanced" button I also see that this user has "Create
> Files/Write Data" and "Create Folders/Append Data", which according to
> Microsoft's KBs belong to "Modify" and "Full Control". Is this correct?
> As far as I know the network service account should be used to run with
> "minor privileges" and thus is recommended to be used for web sites, but
> with this set of permissions the network service has "Write" and
> "Execute" permission. Is this safe to be used?
>
> Cheers,
>
> Eric.

Re: Network service default permissions

on 27.07.2006 15:37:13 by Eric Chaves

Hi David,

Thanks for the answer, but if you don't mind I'd like to dig into this
subject a little further. Maybe this isn't the best forum to ask these
questions, since they aren't strictly IIS related. I started asking
here only because "network service" is an account usually "associated" with
web services. If this post belongs somewhere else, just let me know. Also,
I'm not bringing up the subject to point out "flaws" or "security risks"; my goal
is just to get a deeper understanding of what is going on here.

> Default configuration does not allow Network Service write/create access
> to the filesystem, so what you describe is configuration that you or
> someone else has customized and hence responsible for.

What I described was found in several different Windows 2003 Server
installations and as far as I know none of them received any custom
configuration regarding ACLs; however, I won't discard this possibility. I
believe it was a "next-next-finish" job, followed by the server's inclusion
in an AD domain. I'll make a fresh install anyway on my development server
this week to check what I stated.

In the meantime, please correct me if I'm wrong, since I'm not a
security specialist. In general, ACL permissions are inherited from parent
folders. With that in mind I performed the following steps:
1. I went to a non-system partition (i.e. D:) and checked the ACL
permissions on that folder. Network service was not listed there; checking
the "effective permissions" for the D: drive, however, shows that "network
service" does have the "Create Folder/Append Data" permission.
2. I then created a new folder, named "New Folder", with all
permissions inherited. Again, "Network service" is not listed in the NTFS
permissions, but checking the "effective permissions" reveals that now
"network service" has a set of permissions equivalent to "modify".
3. I executed a simple ASPX page which creates a text file "D:\New
Folder\SomeFile.txt". The site running the ASPX page is configured to allow
only anonymous requests, and the AppPool identity was set to "network
service".
4. The page was successfully created, being owned by network service (the
creator owner), which grants full control over it. (I usually restrict
creator owner permissions in my "web application folders" to prevent that.)

I checked secsetup.inf and secD.inf (in c:\windows\repair) on the
servers in question but didn't find anything there related to this. I don't
discard, however, that I may be missing something here.
This brings me to the question: where do default ACLs come from (at
least for well-known SIDs)? I mean, if the permission is not explicitly
assigned on the drive/folder, how does Windows calculate the effective
permissions for the "network service"?

> "Is this safe to be used" cannot be answered without knowing your security
> requirements. Security is never absolute black/white and always relative
> shades of grey, so it "depends" on knowing more information.

In this context I mean it as a general rule of thumb, since the general
rule of thumb is to run web applications under the network service account. I
totally agree that security is a grey area. In this scenario, a web
application that performs file upload may lead to some insecure scenarios if
the admin does not explicitly change the creator owner permission of the
folders in question, which, you have to agree with me, is not a common
recommendation found in KBs and articles.

> File ACLs/Permissions and Privileges are two separate but interacting
> concepts.

I'm referring only to ACL permissions. Sorry for the wrong terms used.

Cheers,

Eric.

PS: I'm a fan of your blog!! Thanks for the good information you bring to
us.

Re: Network service default permissions

on 27.07.2006 20:57:17 by Eric Chaves

Hello All,

A small update on my previous post. I made a few tests in order to identify
where the "network service" may be receiving the "write" permissions
stated earlier.
It seems that the permission is being inherited from the "Users" group. If I
deny write access to the Users group, the effective permissions for "network
service" no longer contain the write permissions.
Now the question is how does "network service" get the Users group's
permissions? It doesn't seem to belong to the group, nor is it being
assigned to it by security policies like "restricted groups". Any hints?

Cheers,

Eric.

Re: Network service default permissions (Final Considerations)

on 28.07.2006 23:11:49 by Eric Chaves

Hi Folks,

Although it seems that nobody is reading this post any longer, I'll
update it anyway.
I just finished the tests with a totally fresh and clean Windows Server
2003 installation and confirmed that "network service" does have write
permission on folders, despite what was said before. It appears that
Network Service belongs to the "Authenticated Users" group and by consequence to
the "Users" group, allowing it to create files and folders by default. Once
the resource is created, it has full control over it as creator owner, which
means that it can execute files created by itself. The effective permissions
were checked with the AccessChk utility from Sysinternals and the "Advanced
Security" form of Windows Explorer, and tests successfully made with a very
simple ASP.NET page under a default installation confirmed that.
In summary, by default the "Network Service" user can create folders in any
partition (C:, D:, etc.) and, in a lot of other folders including C:\INETPUB,
it can create files and folders. It cannot create files under wwwroot, since
this folder prevents inheritance of the parent folder's permissions and
overrides the defaults to "Read & Execute" only.
Again, I'm not implying that IIS is insecure "out-of-the-box" or
anything else, but it does mean that IIS doesn't run as "low privileged" as
said. Also, in my opinion, some explicit advice could be added to
Microsoft's recommendations regarding IIS configuration. For example, it is
recommended to use a different partition to store content and log files,
without any hints regarding the default permissions that include the "Users" group. In
most scenarios, I guess, the Users group could be safely removed from those
partitions, and explicit permissions assigned to the IIS_WPG group or
similar.

Cheers,

Eric.
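The manual check Eric walked through (steps 1 to 4 in his second post) and the conclusion of his final post (write access reaching Network Service via Authenticated Users, Users and CREATOR OWNER, blocked on wwwroot by protected inheritance) can be scripted as an ACL audit. This is an added example, not code from the thread or from Microsoft; the principal list assumes the Windows Server 2003 default group membership described above, and the folder paths are the ones from the thread.

```powershell
# Added example (not from the thread): list the ACEs on each folder that would let
# NETWORK SERVICE create or change content, either directly or through the groups
# its token carries, plus the CREATOR OWNER entry that grants ownership rights on
# anything it creates. Run from an elevated PowerShell prompt.

# Principals that apply to the Network Service token. Membership of BUILTIN\Users
# through Authenticated Users is the Windows Server 2003 default the thread found;
# adjust this list if your domain policy changes group membership (assumption).
$Principals = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'CREATOR OWNER'
)

# Rights that allow creating or altering content. CreateFiles is the same bit as
# WriteData and AppendData the same as CreateDirectories, the two "Advanced"
# entries from the first post. Modify and FullControl are supersets of these.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-NetworkServiceWriteExposure {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType        # a Deny here overrides Allow
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited              # $true: came from the parent folder
                Protected = $acl.AreAccessRulesProtected  # $true: inheritance blocked, as on wwwroot
            }
        }
    }
}

# Compare the drive root, a new folder under it, and the IIS content roots from the thread.
Get-NetworkServiceWriteExposure -Path 'D:\', 'D:\New Folder', 'C:\Inetpub', 'C:\Inetpub\wwwroot' |
    Format-Table -AutoSize
```

On an unmodified install the D:\ and C:\Inetpub rows should show inherited Allow entries for BUILTIN\Users and CREATOR OWNER, while wwwroot reports Protected = True and no such rows; a remediation is then to replace the Users entry on the content partition with explicit permissions for IIS_WPG, as the final post suggests.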