
Configuring a secure domain account for ASP.NET on Windows 2000

January 26, 2006

I recently had to configure the ASP.NET account on a Windows 2000 machine to run under a domain account so that we could use NT Authentication to the SQL backend, and the implementation of the domain account had to be secure. The hardest part was securing the account: I wanted to give it as few privileges as possible and make sure the account details could not be easily compromised.

It took me a little while to gather the information I needed, so I've pulled it together below to help anyone else faced with this task. The end result is that the ASP.NET domain account has minimal privileges on the IIS server and the SQL server, and the account details are encrypted and stored in the registry.

The encryption of the account details is handled by aspnet_setreg.exe, and the tool is described here. It's worth mentioning that the utility can also be used to encrypt data in other configuration sections.

The steps to a secure world are:

IIS

Enable anonymous access and Integrated Windows authentication.

Config Files


Machine.config

Amend the processModel section so that the two credential attributes read:

userName="registry:HKLM\Software\AspNetProcess\ASPNET_SETREG,userName"
password="registry:HKLM\Software\AspNetProcess\ASPNET_SETREG,password"

Web.config

Turn off impersonation and use a trusted connection in the SQL connection string.

Utilities

Copy aspnet_setreg.exe to the .NET Framework directory and then run the utility with the settings below.

aspnet_setreg.exe -k:\Software\AspNetProcess -u:<DOMAIN\ACCOUNT> -p:<PASSWORD>

Security

1) Give the domain account permission to read the registry keys created.
2) Give the domain account the following file permissions:

C:\%WINDIR%\Microsoft.NET\Framework\<VERSION>Vxxxxx\Temporary ASP.NET Files\ – Full Control
C:\%WINDIR%\temp\ – Read/Write/Delete
Application folder – Read
%installroot% hierarchy (C:\WINNT\Microsoft.Net\Framework\v1.0.3705) – Read
C:\inetpub\wwwroot (or the path that the default Web site points to) – Read
C:\%WINDIR%\system32 – Read
C:\%WINDIR%\assembly – Read. This is the global assembly cache. You cannot directly use Windows Explorer to edit ACLs for this folder. Instead, open a command window and run the following command: cacls %windir%\assembly /e /t /p domain\useraccount:

3) Grant the domain account access to the appropriate databases on the SQL server.
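As an added check (not part of the original post), the PowerShell script below audits the result of the steps above: it confirms that processModel references the registry rather than holding a plaintext password, that the aspnet_setreg key exists and is readable by the service account but not by broad groups, and that the account has write access only where the list above grants it. The account name, framework version and paths are assumptions, and since PowerShell did not exist for Windows 2000 the script is meant for re-checking the same configuration on a later system.

```powershell
# Added audit script, not from the original post. Assumes Windows PowerShell with
# Get-Acl available; the account name and framework version are assumptions.
param(
    [string]$Account       = 'DOMAIN\aspnet_svc',   # assumed ASP.NET process account
    [string]$Framework     = 'v1.1.4322',           # assumed framework version
    [string]$MachineConfig = "$env:WINDIR\Microsoft.NET\Framework\$Framework\CONFIG\machine.config"
)
$findings = @()
$broad    = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# 1. <processModel> must point at the aspnet_setreg key, never hold a plaintext password.
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($MachineConfig)
$pm = $cfg.SelectSingleNode('/configuration/system.web/processModel')
if (-not $pm) { throw "no <processModel> element in $MachineConfig" }
foreach ($attr in 'userName', 'password') {
    $value = $pm.GetAttribute($attr)
    if ($value -notlike 'registry:HKLM\*') {
        $findings += "processModel $attr is not a registry: reference (plaintext credentials?)"
        continue
    }
    # "registry:HKLM\Software\AspNetProcess\ASPNET_SETREG,userName" -> provider path + value name
    $keyPath, $valueName = ($value -replace '^registry:HKLM\\', 'HKLM:\') -split ','
    if (-not (Test-Path -Path $keyPath)) { $findings += "registry key $keyPath is missing"; continue }
    if ($null -eq (Get-ItemProperty -Path $keyPath).$valueName) {
        $findings += "value $valueName is missing under $keyPath"
    }
    $aces = (Get-Acl -Path $keyPath).Access
    if (-not ($aces | Where-Object { $_.IdentityReference.Value -eq $Account })) {
        $findings += "$Account cannot read $keyPath (worker process will fail to start)"
    }
    foreach ($ace in ($aces | Where-Object { $_.IdentityReference.Value -in $broad })) {
        $findings += "$keyPath is readable by $($ace.IdentityReference.Value); restrict it"
    }
}

# 2. Least privilege on the file system: write access only on the compilation cache and temp.
$expected = @{
    "$env:WINDIR\Microsoft.NET\Framework\$Framework\Temporary ASP.NET Files" = 'FullControl'
    "$env:WINDIR\Temp"     = 'Modify'
    "$env:WINDIR\assembly" = 'ReadAndExecute'
    "$env:WINDIR\system32" = 'ReadAndExecute'
}
foreach ($path in $expected.Keys) {
    $ace = (Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
    if (-not $ace) { $findings += "$Account has no ACE on $path"; continue }
    if ($expected[$path] -eq 'ReadAndExecute' -and ($ace.FileSystemRights -match 'FullControl|Modify|Write')) {
        $findings += "$Account has write access to $path; reduce it to read"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'ASP.NET account hardening looks consistent.' }
```

Run it from an elevated prompt on the IIS server; every warning corresponds to one of the numbered steps above that has not been completed or has been applied too broadly.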
