ASP.Net shared hosting & security

[Andrea Pichler]

Hello.

I'm trying to setup a Win2003 server for hosting ASP.Net Applications in a
Shared Hosting enviroment.

With the "old" ASP I created a different anonymous account for each web site
and restricted the NTFS permissions on system and website folders.

With ASP.Net I set the <identity impersonate="true"/> in the machine.config
file and the ASP.Net applications works with the user rights on the file
system.

My questions are:
- Is there a way to set somthing like "nooverride" to avoid single web sites
to change this setting editing the web.config file ?
- Is there something other to set to restrict the single ASP.Net
applications ?
- I read that the Framework v.1.1 has enhancements for hosting and security.
It's true and how can I use this enhancements in my scenario ?
- Is there a way to limit the available namespaces for the single .Net
application (for example, I don't want that users loads applications on my
server that makes port scanning to other hosts, applications that reads
active directory and so on.) ?


Thanks
Andrea

 

[richlm]

IIS 6 has a new "application pool" feature which help
solve this type of problem.

The app pool corresponds to a separate process hosted by
IIS, and you can control which user account the process
runs under.

You could set up multiple accounts, with various levels
of restriction on what the account can do on the machine.