How do you handle folder write permissions at the individual user account level?

Question

User-1851576699 posted

I know every web request is executed on a remote client's behalf though IIS with an application pool identity. So that the application pool identity needs write permission to a top level folder in which all of your websites users might upload files. But that seems like a "blanket" type of security. How would I grant each new website account individual write access to their very own folders in a secure, more granular way? Aside from the initial publish of my website I want to handle giving these individual folder permissions through C# code on the fly. Which raises another issue. How do I give the application pool enough power just long enough to grant these "write" permissions for the new users and their associated private folder? Is it possible to elevate the grant priviledges of the application pool identity and then demote the virtual account after its work is done?

I know that each web request has an identity in common and a unique identity. So, I'm hoping folder write permissions can be granted using the latter of the two. 

Hope my post is clear enough to know what I am asking. Thanks for reading. 

Answer 1

User-782232518 posted

<deleted>

Answer 2

User-986267747 posted

Hi TheNutCracker,

TheNutCracker

How would I grant each new website account individual write access to their very own folders in a secure, more granular way?

According to your description, when the user upload files, these files should be stored in the related folder belong to the current user. In my experience, you could check if the related folder exist when the current user upload files, if the folder does not exist, you could create it, and you could use the user id as the folder name, then you could save these files into the folder.  if the folder exist, you could save it directly.

Besides, you could refer to the following link to get more information.

http://forums.asp.net/t/2001964.aspx

I hope it's helpful to you.

Best Regards,

Klein zhang

Answer 3

User-1851576699 posted

Thank you for your response. I've done extensive monitoring of the processes that are triggered and under which account name the process is executing using Windows Task Manager. I've not seen anything but DefaultAppPool on my machine when testing my /inetpub/wwwroot folders. IIS Express always runs under my current user identity.

I think you are suggesting using IIS for an intranet website, under which case, each user account might be created by a single system administrator. 

As far as I can see all incoming requests on my IIS web server begin and end with DefaultAppPool. 

I would be interested in learning your way by having each request be run under the identity of the actual user. I do know that ASP.Net identifies each user by session cookies and then gives a pseudo identity so to speak. But at the end of the day, it seems like, it's just a layered identity on top of DefaultAppPool,, and not a true separate one.

I am always looking to understand things better, especially the security aspects. Can you recommend any good books that are currently still relevant? Everything changes so fast.

Answer 4

User-782232518 posted

<deleted>

Answer 5

User-1851576699 posted

lextm

Windows Task Manager can only show you the process account (pool identity). To see into threads, you can only use a tool such as Process Monitor.

Are you suggesting that threads in a single process would be executing under different user account identities? That sounds absurd to me. IIRC, each request that IIS 10.0 handles triggers an individual process anyway. Multiple requests are not handled by a single process. They are handled by an individual w3wp.exe process. I'm just completely lost as to why you bring up the concept of threads as though they were owned by individual users. Maybe that's possible but I don't think it works that way.

And talking about AD accounts to be used for a public national website? I don't think so. Maybe I wasn't clear in my original post. I wanted to know how to give individual private folder permissions to "new signups" that sign up on their own through my website which would be public and national or even global.