Giving aspnet_wp full access to server a bad idea?

[Ryan Ritten]

Hey all,

At the company I work for our team of ASP.NET developers have
requested that the aspnet_wp account (the account that IIS runs under)
needs to have full read access to the entire server for thier
application to work. This server is not behind a firewall, so is open
to the world.

I've told them that this is a security issue. If that box gets
compromised, all the data on it will be able to be seen (which is a
bad thing).

They are trying to convince me that I am wrong and they full access to
the box is required.

Am I wrong to deny them?

Thanks,
Ryan Ritten

 

[George]

1. Everything is security issue. Having a box on internet is a chance of
that box being compromised.
2. Read access is just a read access and not write access. So it's not that
bad.

But that does not mean you can do anything you want on the box.
I do not see any reason for ASP.NET application too have read access to the
entire server. They (Developers) must specify specific actions/read
operations they need access for.
Then look into move their operations into some folder/subfolder and give
read access to it. Also might be wise to make sure that folder not in
c:\Inetpub folder so the whole internet did not have access to it...

George.