

ASP Trust level = HIGH, web.config




Posted by robertboyl, 04-20-2013, 11:19 AM
Hi, everyone. Recently found one of our web servers had ASP.NET trust level set to HIGH (seems it's a default). That makes it vulnerable to ASP shell scripts that use cmd.exe and can list all files on the web server. I set the default for trust level to be medium in the global ASP.NET web.config file, but some sites or apps require trust level=high, so some hacker could, if he obtained access to web.config, change the trust level... Is there anything else I can do besides audit changed web.config files? Thanks.

Posted by jackpx, 04-20-2013, 10:08 PM
Use application pools, urlscan

Posted by robertboyl, 04-21-2013, 08:05 AM
Hmmm, can you detail more? What do app pools have to do with this, or urlscan? How can I use URLScan to protect from this? Thanks

Posted by Crothers, 04-21-2013, 09:19 AM
They don't. That's a fairly stupid response. Whip up a PowerShell script to run on a scheduled task every minute or so. Pop open the IIS sites and read in all their configs and then search for that string. I JUST picked up a PowerShell book to do these exact types of scripts lol. WMI can access the IIS stuff, then the PowerShell scriptlets can take over from there.
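
The audit described in the post above could look like the following added example, which is not code from any poster in this thread. The function name `Get-TrustLevelFinding`, the allowed-level list and the sample folder are assumptions for illustration, and it scans a folder tree directly rather than going through WMI.

```powershell
# Added example, not from the thread: report web.config files whose <trust>
# level is outside an allowed list. Function name and sample paths are hypothetical.
function Get-TrustLevelFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [string[]] $Allowed = @('Medium', 'Low', 'Minimal')   # assumed policy
    )
    Get-ChildItem -Path $Root -Filter 'web.config' -Recurse -File |
        ForEach-Object {
            $file = $_.FullName
            $xml = New-Object System.Xml.XmlDocument
            try { $xml.Load($file) }
            catch {
                # A config that no longer parses deserves a look too.
                [pscustomobject]@{ File = $file; Level = 'UNPARSEABLE'; Scope = '' }
                return
            }
            # local-name() matches with or without an XML namespace and also
            # finds <trust> nested inside <location path="..."> blocks.
            $xpath = "//*[local-name()='system.web']/*[local-name()='trust']"
            foreach ($node in $xml.SelectNodes($xpath)) {
                $level = $node.GetAttribute('level')
                if ($Allowed -notcontains $level) {
                    $loc = $node.SelectSingleNode("ancestor::*[local-name()='location']")
                    [pscustomobject]@{
                        File  = $file
                        Level = $level
                        Scope = if ($loc) { $loc.GetAttribute('path') } else { '' }
                    }
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'trust-audit-sample'
$samples = @{ siteA = 'High'; siteB = 'Medium' }
foreach ($name in $samples.Keys) {
    $dir = Join-Path $root $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cfg = '<configuration><system.web><trust level="{0}" /></system.web></configuration>' -f $samples[$name]
    Set-Content -Path (Join-Path $dir 'web.config') -Value $cfg
}
Get-TrustLevelFinding -Root $root | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

Sites that legitimately need a higher level can be handled by comparing the findings against a reviewed list of paths, so only unexpected entries raise an alert.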

Posted by jackpx, 04-21-2013, 09:51 AM
Stupid???? I have many servers with IIS, websites with full trusted permissions, and none can run cmd.exe or some .exe http://www.iis.net/learn/manage/conf...-for-web-sites http://www.iis.net/learn/extensions/...scan-scenarios

Posted by robertboyl, 04-22-2013, 08:11 AM
Hi, Steven. I found some examples on PowerShell to monitor files: http://gallery.technet.microsoft.com...atche-dfd7084b Also found a program that can watch if a file is changed. http://www.watchdirectory.net/ But is this the only way? BTW the shell scripts I meant were in ASP.NET. What about these few sites I have in TRUST = FULL, no way really to not let such level use cmd.exe (shell script)? Thanks

Posted by robertboyl, 04-23-2013, 08:40 AM
Jackpx, stupid is too harsh, I'm sure Crothers didn't have bad intention, after all you're trying to help. But I really think it's not related. If you want I can send you an ASP.NET shell script for you to test. As long as TRUST is FULL level, I believe you will see it can access all your drives/directories... Thanks

Posted by robertboyl, 04-25-2013, 01:06 PM
Please, can someone give me some final feedback on this? Thanks xxx I found some examples on PowerShell to monitor files: http://gallery.technet.microsoft.com...atche-dfd7084b Also found a program that can watch if a file is changed. http://www.watchdirectory.net/ But is this the only way? BTW the shell scripts I meant were in ASP.NET. What about these few sites I have in TRUST = FULL, no way really to not let such level use cmd.exe (shell script)?

Posted by robertboyl, 05-07-2013, 08:10 PM
More good reading here: http://forums.iis.net/p/1197427/2048...vel+web+config


