ASP Trust level, web.config

  • Question

  • User1697399222 posted

    Hi, everyone

    Recently found one of our web servers had ASP NET trust level set to FULL (seems it's a default). That makes it vulnerable to ASP Net shell scripts that use cmd.exe and can list all files on the web server.

    I set the default for trust level to be medium in the global asp net web.config file, but some sites or apps require trust level=high, so some hacker could, if he obtained access to web.config, change the trust level...

    Is there anything else I can do besides audit changed web.config files?

    Thanks.

    Monday, April 29, 2013 8:11 PM

All replies

  • User-736483138 posted

    You can modify the root web.config to not allow sites to override the set trust level. Take a look at this document for more information.

    Monday, April 29, 2013 9:43 PM
  • User1697399222 posted

    Thanks a lot for reply. Oh, of course so, I have this

    <location allowOverride="true">
     <system.web>
       <securityPolicy>
         <trustLevel name="Full" policyFile="internal" />
         <trustLevel name="High" policyFile="web_hightrust.config" />
         <trustLevel name="Medium"
                     policyFile="web_mediumtrust.config" />
         <trustLevel name="Low"  
                     policyFile="web_lowtrust.config" />
         <trustLevel name="Minimal"
                     policyFile="web_minimaltrust.config" />  
       </securityPolicy>
       <trust level="Medium" originUrl="" />
     </system.web>
    </location>

    I set overwrite to FALSE. But what about the few sites that need FULL level? Are they ok since their web.configs already have that set or would they be overwritten?

    Thanks

    Tuesday, April 30, 2013 7:27 PM
  • User-736483138 posted

    They would get an error. You can list exceptions manually within the web.config file as well. You would use the following line to do that: <location path="website" allowOverride="true">

    This should be placed below the closing location tag that contains the allowOverride=false statement.

    Wednesday, May 1, 2013 2:39 PM
  • User1697399222 posted

    Thanks a lot!

    Like this?

    <location allowOverride="false">
    <location path="d:\websites\customer1" allowOverride="true">
    <location path="d:\websites\customer2" allowOverride="true">
     <system.web>
       <securityPolicy>
         <trustLevel name="Full" policyFile="internal" />
         <trustLevel name="High" policyFile="web_hightrust.config" />
         <trustLevel name="Medium"
                     policyFile="web_mediumtrust.config" />
         <trustLevel name="Low"  
                     policyFile="web_lowtrust.config" />
         <trustLevel name="Minimal"
                     policyFile="web_minimaltrust.config" />  
       </securityPolicy>
       <trust level="Medium" originUrl="" />
     </system.web>
    </location>

    So customer1 and 2 can be HIGH, correct?

    Ok, but still for example, out of hundreds of sites in a shared hosting, I have let's say 4 ASP Net sites that require FULL.

    I found that with an ASP Net shell script that uses cmd.exe (I can show you this script), one can see/delete/create files on my entire drive.

    Is there any way to avoid this? Or the only way would be to simply not host any sites set as FULL or move them to separate VPSs for example?

    One idea I had was set web.config of these sites set to FULL to read only. Maybe it can help.

    Thanks.

    Thursday, May 2, 2013 12:16 PM
  • User-736483138 posted

    The 2 location path statements need to be after the </location> tag. The scenario that you described is what makes allowing a site to run in Full trust dangerous. We do not allow any .Net 4.0 websites to run in Full Trust on our shared servers. There is not a way to allow this and then lock down what the client can do.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, May 2, 2013 7:56 PM
  • User1697399222 posted

    Hi,


    So like this, right? :)

    <location allowOverride="false">
     <system.web>
       <securityPolicy>
         <trustLevel name="Full" policyFile="internal" />
         <trustLevel name="High" policyFile="web_hightrust.config" />
         <trustLevel name="Medium"
                     policyFile="web_mediumtrust.config" />
         <trustLevel name="Low"  
                     policyFile="web_lowtrust.config" />
         <trustLevel name="Minimal"
                     policyFile="web_minimaltrust.config" />  
       </securityPolicy>
       <trust level="Medium" originUrl="" />
     </system.web>
    </location>
    <location path="d:\websites\customer1" allowOverride="true">
    <location path="d:\websites\customer2" allowOverride="true">

    There isn't closing /localization tag?

    Wow interesting to know there's no way to avoid calling cmd.exe (aspnet shell scripts) when in FULL trust. I bet many people don't know this... I'll have to decide what to do, maybe migrate these customers to a separate VPS. I guess I don't have much option :( Because if 1 of these guys with FULL (I have just a few, like 3 or 4) get hacked, hacker can access our entire server...

    What I also found strange is an ASP.Net which uses forms via asp.net (with SMTP auth info in web.config) required LEVEL=FULL. Ideas?

    PS - I see you're at orcsweb and I've heard about you guys before, certainly will take a look into it for future server needs, etc. You guys also manage windows servers hosted elsewhere, not with you?

    THANKS AGAIN!! Very nice of you to help.

    Saturday, May 4, 2013 4:14 PM
  • User-736483138 posted

    That is correct. There are no closing tags needed for that location statement. What type of authentication is being used for SMTP?

    In response to the question about Orcs, we only manage servers that are hosted by us.

    Monday, May 6, 2013 12:51 PM
  • User1697399222 posted

    Oh ok, good to know, anyways will keep in mind.

    1) Normal SMTP AUTHentication, where pop/imap login is presented to send mail also.

    web.config has tags such as:

      <smtp>
              <network host="xxx" port="587" userName="xxx" password="xxx" />
            </smtp>

    that requires full?

    2) Also, is there a way for me to set it up in a way that, medium is the default, override is allowed only to HIGH but never to FULL (except for the ones already set as full)? I guess not...

    3) I tried, I got error location path contains invalid characters and sites wouldn't appear in IIS. Wonder what I did wrong

    <location allowOverride="false">
     <system.web>
       <securityPolicy>
         <trustLevel name="Full" policyFile="internal" />
         <trustLevel name="High" policyFile="web_hightrust.config" />
         <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
         <trustLevel name="Low" policyFile="web_lowtrust.config" />
         <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />  
       </securityPolicy>
       <trust level="Medium" originUrl="" />
     </system.web>
    </location>

    Right after /location I added this

    <location path="C:\test\web" allowOverride="true">
    <location path="C:\test2\web" allowOverride="true">

    And IIS says error on the first location path above, invalid characters...

    One last question...

    I wonder how these ISPs are able to offer high level safely? http://forums.asp.net/t/1452278.aspx/1

    I'm checking what to do with few customers that have TRUST LEVEL HIGH, perhaps move them elsewhere, just 2 or 3.

    Thanks

    Monday, May 6, 2013 7:16 PM
  • User-736483138 posted

    I am looking into the SMTP question. For the override, you need to use the Website name not path location. For example, if the website is named example.com, you would use  <location path="example.com" allowOverride="true">

    Saturday, May 18, 2013 9:33 PM
  • User1697399222 posted

    Thanks, Terri. Strangely I still didn't succeed.

    I get this error on any site if I put the code:

    page cannot be displayed, internal error, error 500.19

    Config Error    Configuration file is not well-formed XML
    Config File    \\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config

    IIS wouldn't load sites saying in microsoft.net\framework64\v2.0.50727\config\web.config, line 25, the configuration section location cannot be read because it is missing a section declaration.

    Ideas what I'm doing wrong? Tried other variations but no luck.

    This is part of web.config inside framework64\v2.0.50727\config\web.config, the only web.config I edited (I'd edit the 32 bits one also but this one already caused problems)

    <?xml version="1.0" encoding="utf-8"?><!-- the root web configuration file -->
    <configuration>
        <!--
            Using a location directive with a missing path attribute
            scopes the configuration to the entire machine.  If used in
            conjunction with allowOverride="false", it can be used to
            prevent configuration from being altered on the machine

            Administrators that want to restrict permissions granted to
            web applications should change the default Trust level and ensure
            that overrides are not allowed
        -->
        <location allowOverride="false">
            <system.web>
                <securityPolicy>
                    <trustLevel name="Full" policyFile="internal" />
                    <trustLevel name="High" policyFile="web_hightrust.config" />
                    <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
                    <trustLevel name="Low" policyFile="web_lowtrust.config" />
                    <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
                </securityPolicy>
                <trust level="Medium" originUrl="" />
            </system.web>
        </location>
    <location path="domain1.com" allowOverride="true">

        <system.net>
            <defaultProxy>
            .... continues.
            
    Thanks.

    Monday, May 20, 2013 6:29 PM
  • User-736483138 posted

    What site are you trying to browse when getting that error? Is it one that you have allowed to override? If you are browsing a site that isn't allowed to override the setting, you will get an error.

    Monday, May 20, 2013 9:46 PM
  • User1697399222 posted

    Hi, Terri


    As soon as I add the sites that are allowed override below /location, all sites, both the allowed ones and the not allowed (which are set to medium) show error

    The page cannot be displayed because an internal server error has occurred.

    error 500.19

    Config Error    Configuration file is not well-formed XML
    Config File    \\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config

    Config Source

        2:  -->
        3:

    This file defaultapppool.config has comments on line 2, strange. see part of file below. Not sure if I should try to remove those comments... ideas?

    <?xml version="1.0" encoding="UTF-8"?>
    <!--

        IIS configuration sections.

        For schema documentation, see
        %windir%\system32\inetsrv\config\schema\IIS_schema.xml.
        
        Please make a backup of this file before making any changes to it.

    -->

    <configuration>

        <!--

            The <configSections> section controls the registration of sections.
            Section is the basic unit of deployment, locking, searching and
            containment for configuration settings.
            
            Every section belongs to one section group.
            A section group is a container of logically-related sections.
            
            Sections cannot be nested.
            Section groups may be nested.
            
            <section

    ... continues


    UPDATE: I ended up outsourcing my ASP NET infrastructure, so no need to reply. Thanks anyways for all your help and I'll keep orcsweb.com in mind...

    Thanks

    Tuesday, May 21, 2013 7:16 PM
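
An added example, not part of any post in this thread: a Python check that can be run over a copy of the root web.config before it is deployed, catching the malformed-XML condition behind the 500.19 errors above and reporting which `<location>` blocks allow override, grant Full trust, or use a folder path instead of a site name. Both sample configs are constructed, and the closed `<location>` form with a nested `<trust>` element is an assumption about how a per-site exception would be written.

```python
import xml.etree.ElementTree as ET

# Constructed sample: exception line added without a closing tag, as in the thread.
BROKEN = r"""<configuration>
  <location allowOverride="false">
    <system.web><trust level="Medium" originUrl="" /></system.web>
  </location>
  <location path="domain1.com" allowOverride="true">
  <system.net />
</configuration>"""

# Constructed sample: exceptions written as closed elements.
FIXED = r"""<configuration>
  <location allowOverride="false">
    <system.web><trust level="Medium" originUrl="" /></system.web>
  </location>
  <location path="domain1.com" allowOverride="true">
    <system.web><trust level="Full" originUrl="" /></system.web>
  </location>
  <location path="C:\test\web" allowOverride="true" />
</configuration>"""

def audit_root_config(xml_text):
    """Return a list of findings for the text of a root web.config."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # The thread's 500.19 page reported this condition
        return ["not well-formed XML: %s" % exc]
    findings = []
    locations = root.findall("location")  # direct children only
    if not any(loc.get("path") is None for loc in locations):
        findings.append("no machine-wide <location> block found")
    for loc in locations:
        path = loc.get("path")
        name = path if path is not None else "(machine-wide)"
        # allowOverride defaults to true when the attribute is absent
        if (loc.get("allowOverride") or "true").lower() != "false":
            findings.append(name + ": site web.config may override these settings")
        trust = next(loc.iter("trust"), None)
        if trust is not None and trust.get("level") == "Full":
            findings.append(name + ": trust level is Full")
        if path is not None and (":" in path or "\\" in path):
            findings.append(name + ": path looks like a folder, not an IIS site name")
    return findings

if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, audit_root_config(text))
```

Running it on a schedule and comparing the findings with an approved list of Full-trust sites gives a narrower signal than watching for any change to web.config.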