Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
For a starting point and a complete overview of the Building Secure ASP.NET Applications guide, see the landing page.
Summary
ASP.NET Web applications normally run under the built-in ASPNET account. In some situations, however, you may need to use a custom account instead. This How To shows how to create a least privileged local account under which to run ASP.NET Web applications.
How To: Create a Custom Account to Run ASP.NET
This How To shows how to create a least privileged local account under which to run the ASP.NET worker process (aspnet_wp.exe), or to use as a fixed impersonation identity for a virtual directory. Although the procedure creates a local account, the concepts apply equally to domain accounts.
ASP.NET Worker Process Identity
The default account used to run ASP.NET is a least privileged local account. It is specified in Machine.config as shown below (other attributes of the element are omitted):
    <processModel userName="machine" password="AutoGenerate" />
This account appears as ASPNET in Local Users and Groups. It has a strong password that is stored in the Local Security Authority (LSA) secret store, not in Machine.config.
When you need to use the ASP.NET process identity to access network resources (such as databases), you can do one of the following:
● Use a domain account.
● Use a "mirrored" local account (that is, an account with the same user name and password on both computers). This approach is required when the two computers are in separate domains with no trust relationship between them, or when they are separated by a firewall and you cannot open the ports required for NTLM or Kerberos authentication.
The simplest approach is to change the password of the ASPNET account to a known value on the Web server, and then create an account named ASPNET with the same password on the target computer. On the Web server, first change the ASPNET account password in Local Users and Groups, and then replace "AutoGenerate" in Machine.config with the new password:

    <processModel userName="ASPNET" password="yourstrongpassword" />

You can use the steps described in this How To to create a least privileged local account for this purpose.

Impersonating a Fixed Identity
A fixed identity can be configured for a specific virtual directory by using the following setting in Web.config (the user name shown is the example account created later in this How To):

    <identity impersonate="true" userName="CustomASPNET" password="yourstrongpassword" />

This approach is often used when several Web sites on the same Web server must run under different identities, for example, in application hosting scenarios. This How To shows how to create a least privileged local account for that purpose. If manageability is your primary concern, you can instead use a restricted, least privileged domain account with a strong password.

Note: Keep the following points in mind when choosing the account under which ASP.NET runs:
● By default, ASP.NET does not impersonate. Therefore, any resource access performed by the Web application uses the ASP.NET process identity. In this case, Windows resources must have an access control list (ACL) that grants access to the ASP.NET process account.
● If impersonation is enabled, the application accesses resources using the security context of the original caller or, if IIS is configured for anonymous authentication, the anonymous Internet user account (IUSR_MACHINE by default). In this case, resources must have ACLs based on the original caller's identity (or IUSR_MACHINE).
● Always apply the principle of least privilege when creating a custom account; that is, grant the account only the minimum set of user rights and permissions it needs.
● Avoid running ASP.NET under the System account.
● Avoid granting the account the "Act as part of the operating system" user right.

Summary
This How To includes the following procedures:
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account

1. Create a New Local Account
This procedure creates a new local account. By default, the account is added to the local Users group.

To create a new local account:
1. Create a new local account (for example, "CustomASPNET"). Make sure you use a strong password for the account. A strong password should contain at least seven characters and mix uppercase letters, lowercase letters, numbers, and other characters such as *, ? or $.
2. Clear the "User must change password at next logon" option.
3. Select the "Password never expires" option.

2. Assign Minimum Privileges
This procedure assigns the minimum set of user rights required to run ASP.NET.

To assign minimum privileges:
1. From the Administrative Tools program group, start the Local Security Policy tool.
2. Expand Local Policies and select User Rights Assignment. A list of privileges appears in the right pane.
3. Assign the following privileges to the new account:
● Access this computer from the network
● Deny logon locally
● Log on as a batch job
● Log on as a service
Note: To assign a privilege to an account, double-click the privilege and then click Add to select the required account.
4. Close the tool.

3. Assign NTFS Permissions
This procedure grants the NTFS permissions that the custom ASP.NET account requires on the local file system.
Note: The steps in this procedure apply to the file system on the Web server, not to file systems on remote computers (on which the account may be duplicated for network authentication).

To assign NTFS permissions:
1. Start Windows Explorer and assign the permissions listed in Table 1 to the folders shown. The fixed impersonation account listed in Table 1 is an account configured with the following element in Web.config:

    <identity impersonate="true" userName="CustomASPNET" password="yourstrongpassword" />

Table 1: Required NTFS permissions

Folder: C:\Winnt\Microsoft.NET\Framework\Temporary ASP.NET Files
Required permissions: Full Control
Account: Process account and fixed impersonation account
Comment: This is the dynamic compilation location of ASP.NET. Application code is generated in a separate directory for each application beneath this folder. The default location can be changed using the tempDirectory attribute of the <compilation> element.

Folder: C:\Winnt\Temp
Required permissions: Read / Write / Delete
Account: Process
Comment: Used by Web services to generate serialization proxies. Note: The Delete permission is set using the Advanced button on the Security page of the Windows Explorer Folder Properties dialog.

Folder: Application folder
Required permissions: Read
Account: Process
Comment: The location of the Web application files (that is, the application's virtual root directory; for example, C:\inetpub\wwwroot\webapp1). By default, the Users group has appropriate access.

Folder: %installroot% hierarchy (C:\Winnt\Microsoft.NET\Framework\v1.0.3705)
Required permissions: Read
Account: Process account and fixed impersonation account
Comment: ASP.NET must be able to access .NET Framework assemblies. By default, the Users group has appropriate access.

Folder: C:\Winnt\Assembly
Required permissions: Read
Account: Process account and fixed impersonation account
Comment: This is the global assembly cache. Windows Explorer cannot be used directly to edit the ACL of this folder. Instead, open a command window and run the following command:
    cacls %windir%\assembly /e /t /p domain\useraccount:R
Alternatively, unregister shfusion.dll before using Windows Explorer:
    regsvr32 -u shfusion.dll
After setting the permissions with Windows Explorer, re-register shfusion.dll:
    regsvr32 shfusion.dll

Folder: Web site root (C:\inetpub\wwwroot, or the path to which the default Web site points)
Required permissions: Read
Account: Process
Comment: ASP.NET reads configuration files and monitors file changes in this folder.

Folder: C:\Winnt\System32
Required permissions: Read
Account: Process
Comment: For system DLLs loaded by the Framework.

Folder: Parent directory of the content directory
Required permissions: List Folder / Read
Account: Process
Comment: Used for file change notifications and by the C# compiler.

4. Configure ASP.NET to Run Using the New Account
This procedure edits Machine.config to configure ASP.NET to run using the new account.

To configure ASP.NET to run using the new account:
1. Use Visual Studio .NET or Notepad to open Machine.config. Machine.config is located in the following folder: C:\Winnt\Microsoft.NET\Framework\v1.0.3705\CONFIG
2. Locate the <processModel> element. The default:
    <processModel userName="machine" password="AutoGenerate" />
   becomes:
    <processModel userName="CustomASPNET" password="yourstrongpassword" />
3. Save the changes to Machine.config.
Note: With the current version of the .NET Framework, you cannot avoid storing the password in clear text. Although storing clear text credentials is not recommended, it is considered acceptable here because Machine.config is located outside the Web space and is never served to clients. Prevent unnecessary access to Machine.config with correctly configured ACLs: the process account needs only Read, and no Web content account should be able to read it at all. On Windows .NET Server, the credentials are encrypted to provide greater protection.
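The four procedures above are manual, GUI-driven steps. As an added example (not part of the original How To, which predates PowerShell), the script below performs the same four steps on a current Windows server from an elevated PowerShell 5.1 session: it creates the account with the password options from procedure 1, assigns exactly the four user rights from procedure 2 through a secedit policy round-trip (Local Security Policy has no cmdlet), applies the Table 1 NTFS permissions through the file system API (which bypasses the shfusion.dll shell extension that blocks editing %windir%\assembly in Explorer), and rewrites the <processModel> element. The account name CustomASPNET, the application folder C:\inetpub\wwwroot\webapp1, the site root C:\inetpub\wwwroot and the v1.0.3705 Framework path are assumptions taken from the How To's own examples; adjust them for your host. It finishes with the check a practitioner wants after step 4: a listing of every principal that can read the file now holding a clear-text password.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original How To. Assumed values: the account
# name, the application and site folders, and the Framework path; adjust as needed.

$AccountName   = 'CustomASPNET'
$Password      = Read-Host -AsSecureString "Strong password for $AccountName"  # never hard-code it
$FrameworkDir  = 'C:\Winnt\Microsoft.NET\Framework\v1.0.3705'                 # %installroot%, assumed
$MachineConfig = Join-Path $FrameworkDir 'CONFIG\machine.config'
$AppFolder     = 'C:\inetpub\wwwroot\webapp1'                                  # assumed application vroot
$SiteRoot      = 'C:\inetpub\wwwroot'                                          # assumed Web site root
$Identity      = "$env:COMPUTERNAME\$AccountName"

# 1. Create the least privileged local account: password never expires, the user
#    cannot change it, the account never expires. New-LocalUser adds no group
#    membership, so add Users explicitly, matching the Local Users and Groups default.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -AccountNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $AccountName
}

# 2. Assign only the four user rights from procedure 2. Export the local policy,
#    append the account SID to each right (existing holders are kept), re-import.
$sid    = (Get-LocalUser -Name $AccountName).SID.Value
$rights = @('SeNetworkLogonRight',        # Access this computer from the network
            'SeDenyInteractiveLogonRight',# Deny logon locally
            'SeBatchLogonRight',          # Log on as a batch job
            'SeServiceLogonRight')        # Log on as a service
$inf = Join-Path $env:TEMP 'aspnet-rights.inf'
$db  = Join-Path $env:TEMP 'aspnet-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $inf)
foreach ($r in $rights) {
    $i = $lines.FindIndex([Predicate[string]]{ param($l) $l -like "$r =*" })
    if ($i -lt 0) {
        # Right currently has no holders: add it beneath the [Privilege Rights] header.
        $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "$r = *$sid")
    } elseif ($lines[$i] -notlike "*$sid*") {
        $lines[$i] += ",*$sid"
    }
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue

# 3. NTFS permissions from Table 1. Adds an Allow ACE; existing ACEs are untouched.
function Grant-FolderRight {
    param([string]$Path, [string]$Who, [string]$Rights, [bool]$Inherit = $true)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing folder: $Path"; return }
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Who, [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$flags,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}
# Process account and, if you also use <identity impersonate="true" .../>, the fixed
# impersonation account: add that account to this array to grant it the same three.
foreach ($who in @($Identity)) {
    Grant-FolderRight (Join-Path $FrameworkDir 'Temporary ASP.NET Files') $who 'FullControl'
    Grant-FolderRight $FrameworkDir                        $who 'Read'
    Grant-FolderRight (Join-Path $env:windir 'assembly')   $who 'Read'   # global assembly cache
}
# Process account only.
Grant-FolderRight (Join-Path $env:windir 'Temp')           $Identity 'Read, Write, Delete'
Grant-FolderRight $AppFolder                               $Identity 'Read'
Grant-FolderRight $SiteRoot                                $Identity 'Read'
Grant-FolderRight (Join-Path $env:windir 'System32')       $Identity 'Read'
Grant-FolderRight (Split-Path $SiteRoot -Parent)           $Identity 'Read' $false  # List Folder/Read, this folder only

# 4. Point the worker process at the new account. This Framework version stores the
#    password in clear text, so keep a backup and verify who can read the file.
Copy-Item -LiteralPath $MachineConfig -Destination "$MachineConfig.bak" -Force
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($MachineConfig)
$pm = $xml.SelectSingleNode('/configuration/system.web/processModel')
$pm.SetAttribute('userName', $AccountName)
$pm.SetAttribute('password', [pscredential]::new($AccountName, $Password).GetNetworkCredential().Password)
$xml.Save($MachineConfig)

# Check: anything here beyond Administrators, SYSTEM, Users (read) and the new
# account is a finding, because Machine.config now contains a clear-text password.
(Get-Acl -LiteralPath $MachineConfig).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Run it once, then restart the ASP.NET worker process (or IIS) so that aspnet_wp.exe picks up the new <processModel> identity. The user-rights step deliberately edits the exported policy rather than replacing it, so that the "Deny logon locally" right is added for the new account without disturbing the principals already listed under the other three rights.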