aspnet_isapi.dll security limit access to all but 1 file
on 11.11.2006 05:56:57 by Scanner2001
I am trying to limit access to folders in the web per user. I have tried two
different approaches, neither of which I can get to work correctly. I have a
windows 2003 r2 server, asp.net 2.0, front page extensions installed.
My setup looks like this:
/webvirtualdirectory/users/tom/..
/webvirtualdirectory/users/bob/..
etc.. where the webvirtualdirectory is an application.
I am using forms authentication, using sql 2005. I want tom to be able to
access files such as html, pdf, jpg, etc that he dynamically creates or
uploads to his folder, but not be able to access anything in bob's folder,
including html files. Likewise for bob. The users are created dynamically,
so I do not know who they are ahead of time, nor could I manage them
individually.
Attempt 1:
I have tried adding an additional application extension mapping in the web
site configuration, mapping .pdf to aspnet_isapi.dll (.net 2.0). Then in the
users folder (i.e. users/bob), a web.config is dynamically created when the
user is created that gives the user rights to everything in that folder.
This does not work, no PDFs (or other files such as html) are served by the
server. I receive:
- Error Code 64: Host not available
- Background: The connection to the Web server was lost.
Attempt 2:
I have tried the web configuration tool, supplied with visual studio, to
limit access to the folder for the user, such as bob. This appears to have
no impact on limiting access to files that are not mapped to the
aspnet_isapi.dll. So basically no security on files or folders.
Now I also have some static content at the root level that I do want to
allow anonymous access to, such as 1 pdf file and 1 html file. I believe the
site wide security is set properly for the remainder of the pages because if
I try to go to an aspx page that is not explicitly allowed in the web.config,
the anonymous user is automatically redirected to a login page, and the page
is not shown.
Not sure what I am missing here, any help is greatly appreciated, or if you
think I should post to a different group.
Thanks,
Jeff
Re: aspnet_isapi.dll security limit access to all but 1 file
on 12.11.2006 00:36:49 by David Wang
What you want to do is technically impossible given your requirements.
What is not clear is an understanding of how the IIS 6.0 and ASP.Net
2.0 request pipelines intermingle, so you will want to read and
understand the following blog entries. I still have an unwritten blog
entry to explain what is actually failing with your Attempt #1.
http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/15/Why-Wildcard-application-mapping-can-disable-Default-Document-resolution.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/16/Why-Wildcard-application-mapping-is-not-catching-404s.aspx
http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx
http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO-Run-Console-Applications-from-IIS6-on-Windows-Server-2003-Part-2.aspx
The closest hack to get what you want is to configure aspnet_isapi.dll
as a Wildcard application mapping.
The underlying issue is this - your custom authentication/authorization
protocol only applies wherever aspnet_isapi.dll applies, and
aspnet_isapi.dll only applies at the IIS level, not File/Directory
level. Thus, you must make sure that all resource access goes through IIS
(and aspnet_isapi.dll) and not through NTFS File/Directory or anything
else on IIS.
The insecurity of the custom AuthN/AuthZ protocol is permanent because
its trusted computing base (TCB) is the process identity, which is
shared between tom and bob. Thus, if tom has access to that process
identity (such as by calling RevertToSelf() ), he can bypass your
AuthN/AuthZ protocol to access bob's resources. And this bypass is
by-design since the TCB is supposed to be able to access both tom and
bob's resources; it is the additional AuthN/AuthZ protocol on top of
the TCB that determines whether tom can actually read bob's
resources.
The only way to have truly secured resources on a shared, multi-user
system is to have real user logins (i.e. real Windows users) for each
user. Because then your resources are locked to your own NT user token
and not a shared user token (TCB), so there is no way to bypass the security
protocol.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
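The routing argument in David's reply, as an added example that is neither from the thread nor code from IIS or ASP.NET: a small Python model of how IIS 6 picks a handler from the extension map and how ASP.NET's UrlAuthorizationModule merges per-folder web.config rules, most specific first. The web.config fragments, the folder layout, the user names and the simplified login redirect are constructed assumptions. It shows why a .pdf in bob's folder is handed to tom untouched when only .aspx is mapped to aspnet_isapi.dll (Attempt 2), why adding .pdf to the map still leaves .html unprotected (Attempt 1), and why a wildcard mapping makes every request hit the authorization rules, including the root-level files opened to anonymous users via <location>.

```python
"""Toy model of IIS 6 handler selection vs. ASP.NET 2.0 URL authorization.

Constructed example: the web.config text, paths and users below are
assumptions, not configuration taken from the thread.
"""
import posixpath
import xml.etree.ElementTree as ET

# Constructed root web.config: forms auth, deny anonymous everywhere,
# two root-level files opened to everyone through <location>.
ROOT_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="public.pdf">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""


def user_folder_config(user):
    """The per-user web.config the poster generates: only that user may enter."""
    return ('<configuration><system.web><authorization>'
            f'<allow users="{user}"/><deny users="*"/>'
            '</authorization></system.web></configuration>')


# Folder -> web.config text (constructed site layout mirroring the thread).
CONFIGS = {
    "/": ROOT_WEB_CONFIG,
    "/users/tom": user_folder_config("tom"),
    "/users/bob": user_folder_config("bob"),
}


def _rules(node):
    """Yield (verb, users) pairs from the <authorization> children of node."""
    for rule in node.findall("system.web/authorization/*"):
        yield rule.tag, [u.strip() for u in rule.get("users", "").split(",")]


def rules_for(request_path):
    """Collect rules deepest folder first, the order UrlAuthorizationModule evaluates."""
    folder = posixpath.dirname(request_path)
    rules = []
    while True:
        xml = CONFIGS.get(folder)
        if xml is not None:
            root = ET.fromstring(xml)
            rel = posixpath.relpath(request_path, folder)
            # <location path="..."> rules apply before the folder's own rules.
            for loc in root.findall("location"):
                p = loc.get("path")
                if rel == p or rel.startswith(p + "/"):
                    rules.extend(_rules(loc))
            rules.extend(_rules(root))
        if folder == "/":
            return rules
        folder = posixpath.dirname(folder)


def url_authorized(request_path, user):
    """First matching rule wins; '?' is anonymous, '*' is everyone; default allow."""
    for verb, users in rules_for(request_path):
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user in users)):
            return verb == "allow"
    return True


def handler_for(request_path, mapped_extensions, wildcard):
    """IIS 6 routes by extension map; a wildcard map sends everything to ASP.NET."""
    if wildcard or posixpath.splitext(request_path)[1].lower() in mapped_extensions:
        return "aspnet_isapi"
    return "static"


def serve(request_path, user, mapped_extensions=frozenset({".aspx"}), wildcard=False):
    """Return (status, who_served). The static handler never reads web.config rules."""
    if handler_for(request_path, mapped_extensions, wildcard) == "static":
        return 200, "static"          # straight from disk: no forms-auth check at all
    if url_authorized(request_path, user):
        return 200, "aspnet_isapi"
    # Simplified: anonymous users are bounced to the login page, others get 401.
    return (302, "redirect:/login.aspx") if user is None else (401, "aspnet_isapi")


if __name__ == "__main__":
    for wc in (False, True):
        print(f"wildcard={wc}: tom -> /users/bob/secret.pdf =>",
              serve("/users/bob/secret.pdf", "tom", wildcard=wc))
```

The model deliberately stops at the handler boundary. It says nothing about David's TCB point: once a request is inside the worker process, any code running there holds the shared process identity and can read either user's folder regardless of these rules, so the wildcard mapping narrows who reaches the files over HTTP, not who can read them. It also does not reproduce the connection drop seen in Attempt 1, which the thread leaves unexplained.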
Re: aspnet_isapi.dll security limit access to all but 1 file
on 12.11.2006 02:02:31 by Scanner2001
Alright, I understand what you are saying, for the most part (I may have to
re-read all of it again). What is confusing to me is that the Microsoft help
documentation comes right out and says that I can limit access to a folder
by user, using forms authentication. They even give an example of how to do
it. Which is what I thought I did in example 2 below. I just re-read that
and I can post it as well.
I am having a hard time believing that I am the only one out in the world
that has read this and has tried it.
Thanks for the input.
Jeff
Re: aspnet_isapi.dll security limit access to all but 1 file
on 12.11.2006 11:37:17 by David Wang
Go ahead and post a link to that documentation.
The correctness of the statement depends on the scope. On an absolute
scale, the statement cannot be true. With proper restrictions, one can
give the impression of such behavior. You just need to understand that
on an absolute scale, no system can give secured access to
files/folders without system user principals. Not Linux/Apache/PHP, not
Windows/IIS/ASP.Net. The exact same TCB logic applies.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//