Sunday, February 1, 2004

Describes the proper way to configure a server to securely run the ASP.NET worker process as the system account
[Code Project Latest Article Briefs]

There is NOTHING secure about running the ASP.NET worker process as "SYSTEM".

Keith Brown has the best quote on this in his online book - "SYSTEM is like root on Unix. It's all powerful, and is considered to be part of the trusted computing base (TCB). You should configure as little code (preferably none) to run under this logon, as compromise of this logon immediately compromises the entire machine (when you're part of the TCB, you're trusted to enforce security policy, as opposed to being subject to it!)"

Those of us who have been around will remember that ASP.NET actually did this in the Beta 1 stage: the worker process ran as SYSTEM. The ASP.NET team recognized the vulnerability and created the low-privilege ASPNET account specifically for this purpose.

What the author is proposing (per-request impersonation layered on top of a worker process that runs as SYSTEM) can easily be circumvented. Impersonation only swaps the token on the request thread; the process token is still SYSTEM. Any code running in that process can call the Win32 "RevertToSelf" function, which terminates the impersonation of the client, and from that point on the code is running as SYSTEM!
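As an added illustration (this is not code from the Code Project article or from this post), the following C# shows the circumvention. It assumes an ASP.NET 1.x application with `<identity impersonate="true" />` in web.config and `<processModel userName="SYSTEM" password="AutoGenerate" />` in machine.config, which is the setup the article describes; the class name and method names are mine. The request thread starts out impersonating the caller, and one P/Invoke call to RevertToSelf drops back to the process token:

```csharp
// Added example, not from the original article or post.
// Assumed configuration:
//   web.config     : <identity impersonate="true" />
//   machine.config : <processModel userName="SYSTEM" password="AutoGenerate" />
// The setting this post recommends instead is userName="machine", which runs
// aspnet_wp.exe as the low-privilege ASPNET account.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class RevertToSelfDemo
{
    // Win32 RevertToSelf: ends impersonation on the calling thread, so the
    // thread runs under the process token again. Needs no special privilege.
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();

    // Returns "<identity while impersonating> -> <identity after RevertToSelf>".
    // Note the side effect: the rest of this request now runs as the process
    // account, because ASP.NET will not re-impersonate on the same thread.
    public static string Demonstrate()
    {
        // With impersonation on, this is the authenticated caller, e.g. DOMAIN\alice.
        string before = WindowsIdentity.GetCurrent().Name;

        if (!RevertToSelf())
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        // Now the thread carries the worker process token. If the process runs
        // as SYSTEM this is "NT AUTHORITY\SYSTEM" and the impersonation layer
        // provided no isolation at all.
        string after = WindowsIdentity.GetCurrent().Name;
        return before + " -> " + after;
    }

    // Check that the worker process itself is not SYSTEM. Must be evaluated on
    // a thread that is not impersonating, which is why it reverts first.
    // WindowsIdentity.IsSystem is available from .NET Framework 1.0 onward.
    public static bool WorkerProcessRunsAsSystem()
    {
        if (!RevertToSelf())
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return WindowsIdentity.GetCurrent().IsSystem;
    }
}
```

Dropping `Response.Write(RevertToSelfDemo.Demonstrate())` into any page of such an application prints the caller's name followed by `NT AUTHORITY\SYSTEM`. Run under the default `userName="machine"` the second name is `MACHINE\ASPNET`, and `WorkerProcessRunsAsSystem()` returns false, which is the state a deployment check should insist on. Outside ASP.NET (a console app, for instance) both names are simply the process account, since there is no impersonation to revert.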

Doing this defeats the principle of least privilege and increases the damage that can be done by an attacker who is able to execute code using the Web application's process security context!

This is explicitly stated as a NO-NO in "Improving Web Application Security" (the Microsoft patterns & practices guide).

The correct solution in this case is for the author to have a discussion with the administrators of his AD domain about properly configuring the relevant Group Policies, so that the low-privilege ASPNET account can be used as intended.

NOTE: This article also showed up on the ASPAlliance site, but the Editor added a note regarding the caveats. Not as strongly worded as I would like, but I'll take it.

[Now Playing: Mujhko Huyi Na Kabar (Le Gayi) - Dil To Pagal Hai]

Tags:: Security
2/1/2004 11:53 PM Eastern Standard Time  |  Comments [1]
Sunday, May 8, 2005 12:06:53 AM (Eastern Daylight Time, UTC-04:00)
I am the author of this article. We did talk with our AD administrators, and even tried running ASPNET in a less restricted group, and nothing (but this) worked. As the article states, it is a workaround to a problem, and not a recommended solution.
I spoke with someone @ Microsoft about this dilemma, and he stated that, in our situation, there was nothing more that could be done to solve the issue.
David Coe