Is it safe to give the Asp.Net user account modify permissions to the root of the website?

If I give the Asp.Net user account (Network 开发者_JAVA百科Service for Win 2003) modify rights to the root folder of my public website can a user send a request to the server to somehow modify the .aspx files of my website? What are the risks of doing this?

Short answer: Don't do it

Long answer: Still don't, but here is one scenario followed through that might make you think twice (there are prob many many more):

1. If you have an file-upload control anywhere on your site, say for image uploads, and an attacker manages to compromise your security (don't forget this does not necessarily mean breaking your site - they might just hijack someone's session or manage to guess/steal password) they can upload a malicious script (.aspx page). The site has "modify" permissions so it can write the file to disk.

2. I see you tagged the question with .net, so imagine they upload an .aspx page with some <script runat="server">...</script> that reads the contents of the web.config file and displays them.

3. Did you put any database connection strings with passwords in clear text in your web.config file? Cos' if you did, imagine their next step is to upload a new .aspx file that connects to those databases... they can then read your databases, delete data, change data... They probably don't really need the username/password because they can just use your named connection strings, but that information could be useful for another attack that I haven't thought of here.

I think you see where this scenario goes...

Is it safe to give the Asp.Net user account modify permissions to the root of the website?

100% definitely NOT.

can a user send a request to the server to somehow modify the .aspx files of my website?

Only if you build a page that does this in response to the request. Otherwise, no, not in one request.

What they can do is things like submit forms with way more characters in each field than your page was built to handle and attempt to create a buffer overflow they can exploit. But that happens over multiple requests. Or they can create an interactive http session and look for vulnerabilities to hijack your process that way.

Don't do it, it's dangerous. If you do, and if a malicious user finds a security hole (either in your code or in IIS), they will be able to modify files executed on the server and therefore execute malicious code.

If you need to write/modify files on the web server, you better give the aspnet user permissions to modify a separate folder, which will not have "execute" permissions under IIS (and perhaps even invisible to IIS altogether).

More info (regarding minimal required permissions, and therefore recommended maximal permissions): http://support.microsoft.com/kb/815153