Deny users access to assembly DLLs


Chris Johnson

Hi all,

I have a brief (hopefully quick) question regarding (ASP).NET security...

We have an ASP.NET application (running in W2k3, IIS6) that calls a couple
of other assembly DLLs that contain helper and data-access classes. For
security, we'd like to be able to lock down these DLLs so that the only
thing that is able to access them is the ASP.NET application.

Essentially what we want to do is deny access to them for unauthorised
users/groups who may log in to the server where the ASP.NET app is, so they
cannot be misused.

Any ideas?

Cheers,

Chris
 
Give access to the aspnet worker process (probably "Network Service")
and take away access from everyone else. (Using Windows File
Manager). Be sure to leave access for Administrators. This should
work, right?

Also, in IIS 6, I don't use it much, but I believe you can set the
identity of the "worker process" for each "application pool". Put
your app in its own "app pool". Create a new user to be the identity
for that app pool. Then lock everything down for just that user.
This is a little more secure since no other apps will be running under
that identity.
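
The lockdown described in the reply above, as an added example that is not part of the original thread: a PowerShell script that strips inherited and explicit ACL entries from each DLL, grants read/execute to the worker process identity plus full control to Administrators and SYSTEM, then re-reads the ACL to confirm nothing else remains. The `bin` path is a hypothetical placeholder, and the identity is assumed to be given in `DOMAIN\name` form; run it from an administrative session.

```powershell
param(
    # Hypothetical location of the helper DLLs (placeholder, not from the thread).
    [string]$BinPath  = 'D:\Sites\MyApp\bin',
    # Worker process identity, or the dedicated app pool account if one was created.
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

# The only principals that should end up on each file, with their rights.
$allowed = @{}
$allowed[$Identity]                = 'ReadAndExecute'
$allowed['BUILTIN\Administrators'] = 'FullControl'
$allowed['NT AUTHORITY\SYSTEM']    = 'FullControl'

foreach ($dll in Get-ChildItem -Path $BinPath -Filter *.dll) {
    $acl = Get-Acl -Path $dll.FullName

    # Stop inheriting from the parent folder; inherited entries are dropped on save.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries already present (snapshot the list before modifying it).
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Add one allow entry per permitted principal.
    foreach ($entry in $allowed.GetEnumerator()) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Key, $entry.Value, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dll.FullName -AclObject $acl

    # Verify from disk: list any principal that is not in the allow list.
    $extra = @((Get-Acl -Path $dll.FullName).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $allowed.Keys -notcontains $_ })

    if ($extra.Count -gt 0) {
        Write-Warning "$($dll.Name): unexpected ACL entries for $($extra -join ', ')"
    } else {
        Write-Output "$($dll.Name): access limited to $($allowed.Keys -join ', ')"
    }
}
```

ASP.NET shadow-copies assemblies from `bin` into its `Temporary ASP.NET Files` directory, so check the ACL on that directory as well.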
 
GroupReader said:
Give access to the aspnet worker process (probably "Network Service")
and take away access from everyone else. (Using Windows File
Manager). Be sure to leave access for Administrators. This should
work, right?

Also, in IIS 6, I don't use it much, but I believe you can set the
identity of the "worker process" for each "application pool". Put
your app in its own "app pool". Create a new user to be the identity
for that app pool. Then lock everything down for just that user.
This is a little more secure since no other apps will be running under
that identity.

Yep -- that's what I ended up doing; I think I was wondering if there was
any security property that could be provided in web.config or
machine.config, but it's obviously been a case of why bother if the FS
supports lockdown.

Cheers,

Chris...
 