ASPNET Account auditing alert

M. Simioni

Hi, I'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine.

Nearly all the applications work correctly, but I constantly find a
message in the event viewer under the protection log, that says:

---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione: {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)

Privilegi -
---------------------------------------

(I'm sorry for the Italian text, but I think you can easily understand
the message)

ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on the C:\WINNT directory.

What could this be?

I followed all the MS KB to grant the right privileges to the ASPNET
account, and no application has a problem at the moment.

Only one application seems to go crazy when the number of users grows
(we are waiting for another 1GB RAM, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, I don't think this warning in the
event viewer is related to that problem.

Thnx i.a. for the answers,
Marco
 
Roger Abell

Marco,

C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet?
 
M. Simioni

I forgot to say, the name KOSW047BFJNQUY26 changes every time.

I still don't know who tries to create that directory/file and when.
I didn't write the applications myself, I only know that they use Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tries to write the
directory/file. At least, the programmer told me that he doesn't explicitly
create it.

How can I see if it is being created with explicit permission or other grant?
I can't even find that directory.

Thank you,
Marco
 
Sean M

This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the worker
process
 
M. Simioni

The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" (no
FULL CONTROL, only Modify+Read+Write, is that OK?).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process is using 195MB of memory, with a peak of 312MB.
With a process viewer I can see it has about 22 threads (nearly all of them
regarding mscorsvr.dll).

Marco.
 
Roger Abell

Well, they should not be able to write to c:\winnt at all!!
When you look at one of these in c:\winnt, are the NTFS permissions
on it all inherited or are some or all explicit? i.e. gray or white boxes?

That dir name makes it sound like this was an upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villain and first notify my web authors that use
Crystal that c:\winnt will be altered and their apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosen c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient, is not an attractive
way to go.
 
M. Simioni

I can't see those items.
That directory (or files?) with the random name doesn't even seem to exist,
or at least I'm not able to see them, so I can't see the protection
settings.

The "Users" group has read only access to WINNT directory.

Why does the protection event talk about READ/SYNCHRONIZE deny, if the Users
(and then the ASPNET account too) has read grants on the WINNT directory?

I don't think the programmers are creating a file in it, I talked with them
and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tries to.

Thanks for the help,
Marco
 
Roger Abell

M. Simioni said:
> I can't see those items.
> That directory (or files?) with the random name doesn't even seem to exist,
> or at least I'm not able to see them, so I can't see the protection
> settings.

It could be that the failure message is because of "file not found"?

> The "Users" group has read only access to WINNT directory.
>
> Why does the protection event talk about READ/SYNCHRONIZE deny, if the Users
> (and then the ASPNET account too) has read grants on the WINNT directory?

That is why I first asked about explicit as compared to inherited grants.
Users Read allows just these. That it is a minimal request being made,
and one within the inherited grants, makes it sound like something is
looking for a file in the wrong place (?)

> I don't think the programmers are creating a file in it, I talked with them
> and nobody has written code to create a file/directory in C:\WINNT, or at
> least we don't know if Crystal Report tries to.

I can't help you there, but it is good you have that info from the devs.
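
A triage helper for the event text quoted in this thread, added here as an example and not written by any of the posters: it parses the Italian event description and groups events so that the leaf name, which changes every time, does not split them into separate findings. The second sample event, the `RANDOM_NAME` pattern and all function names are assumptions.

```python
import re
from collections import Counter
from ntpath import basename, dirname

# Italian labels from the event text in this thread, mapped to neutral keys.
FIELDS = {"Nome oggetto": "object_name", "ID del processo": "process_id",
          "Nome utente primario": "user"}
ACCESS_RE = re.compile(r"^Accessi\s+(.*?)^Privilegi", re.S | re.M)
# Assumption: the changing leaf is a long all-caps alphanumeric name, no extension.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{12,}$")

def parse_event(text):
    """Extract the labelled fields and the requested access list from one event."""
    event = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            event[FIELDS[label.strip()]] = value.strip()
    m = ACCESS_RE.search(text)
    lines = m.group(1).splitlines() if m else []
    event["accesses"] = tuple(ln.strip() for ln in lines if ln.strip())
    return event

def signature(event):
    """Grouping key that ignores the random leaf name."""
    path = event.get("object_name", "")
    leaf = basename(path)
    shape = "<random>" if RANDOM_NAME.match(leaf) else leaf
    return (event.get("user"), dirname(path).upper(), shape, event["accesses"])

def summarize(log_text):
    """Count events per signature; events are separated by dashed lines."""
    blocks = re.split(r"^-{5,}[ \t]*$", log_text, flags=re.M)
    return Counter(signature(parse_event(b)) for b in blocks if b.strip())

# Constructed sample: the thread's event (abridged) plus an invented second one.
SAMPLE = r"""Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
ID del processo: 2160
Nome utente primario: ASPNET
Accessi SYNCHRONIZE
ReadData (o ListDirectory)
Privilegi -
---------------------------------------
Nome oggetto: C:\WINNT\QX81ZLMP03TTRA7D
Nome utente primario: ASPNET
Accessi SYNCHRONIZE
ReadData (o ListDirectory)
Privilegi -"""
if __name__ == "__main__":
    print(summarize(SAMPLE).most_common())
```

Both sample events collapse into a single signature, so the recurring entries can be tracked as one pattern (same account, same parent directory, same minimal read request) while looking for the component responsible.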
 
