ASP.NET Security : 2- More Basics

In my previous post I showed that ASP.NET application goes through 3 security context levels and discussed the first one :

  1. IIS Level
  2. ASP.NET worker process level
  3. ASP.NET pipeline level

In this post, I will talk a little on ASP.NET worker process level, before starting I would like to point out the development environment we use, the development machines run windows XP and IIS 5.1, the server runs windows server 2003 on IIS 6 of course, so I need to point out the differences. [more]

2- The Worker Process Context :


After IIS authentication, if the request is for ASP.NET (.aspx, .ashx, ….etc. ) the IIS thread sends the request to aspnet_isapi.dll which starts the aspnet_wp worker process. This worker process runs under the ASPNET account. ASPNET account is a local account created when the .NET Framework is installed. ASPNET has minimum privileges to be able to run an ASP.NET application which you can know in this article :
You can change the identity from ASPNET to other one using the section in machine.config

	<processModel userName="xxx" password="XXX"/>

In IIS 6, the model is changed where the incoming request in first queued to the application pool that the website is hosted in, then the w3wp.exe worker process servers it.
This time rather than the ASPNET account a new one was introduced named NETWORK SERVICE with the same minimum privileges. To change the this account from the IIS manager, the Application Pool properties > Identity Tab as shown in figure, Read More on Application Pools.

iis pool identity

Next in the worker process, one of the pooled threads picks the request. This thread will by default inherit the identity of the worker process itself defined before, this happens when impersonation is disabled, while if it is enabled the thread will take the identity handed by the IIS, shown in the previous post.

To enable impersonation use this section in web.config

<identity impersonate="true"/>

read more about it on How to implement impersonation in an ASP.NET application

Note: If the impersonation is enabled, the worker process account doesn't change, but impersonation is only used with the code executed in the page, where any database access or file access uses the impersonated account.

Next the last security context level is handled the request and executes, next post I will show preliminary information on the ASP.NET pipeline level.

Leave a Reply

Your email address will not be published. Required fields are marked *