What's Wrong With This Code? (#7)

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory, adminPages, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config and is feeling pretty secure.

<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

Should Joe be worried?

posted on Monday, October 09, 2006 10:03 PM by scott

Comments

Monday, October 09, 2006 7:30 PM by Stephen Nelson

# re: What's Wrong With This Code? (#7)

It should be <deny users="*" />. The ? just denies anonymous users.

Monday, October 09, 2006 8:45 PM by Tyrone

# re: What's Wrong With This Code? (#7)

Based on the snippet, I would probably say the BUILTIN\Administrators seems to be the culprit. The user would have to be an admin on the box the web application is hosted on in order to gain access to the secure directory.

Monday, October 09, 2006 10:02 PM by Todd

# re: What's Wrong With This Code? (#7)

This will essentially allow everyone EXCEPT anonymous users... so if some other user from another group authenticates, it will allow them to see the path.

It should be deny users="*"

Monday, October 09, 2006 11:45 PM by Shaka

# re: What's Wrong With This Code? (#7)

Yes, he should.
Anyone that is authenticated will get access to adminPages. He should change it to:
<allow roles="BUILTIN\Administrators" />
<deny users="*" />

Tuesday, October 10, 2006 12:06 AM by Russian Geek

# re: What's Wrong With This Code? (#7)

Maybe <deny users="*" />?

Tuesday, October 10, 2006 1:40 AM by Tom Pester

# re: What's Wrong With This Code? (#7)

Everyone who is authorized will have access to the adminPages. Only the anonymous users will get blocked.

Every rule gets evaluated in order, and only if there is a match will the rule get applied, with no further rules evaluated.

Since only BUILTIN\Administrators and ? are addressed, a random authorized user will fall through the rules and default to getting access.

To achieve what was set, the second rule should be deny users="*"
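
To make the first-match evaluation described in Tom Pester's comment concrete, here is an added example (not code from the original post or any commenter) that parses an <authorization> section with Python's standard xml.etree module and walks its rules the way the comment describes: rules in document order, first match decides, no match falls through to the inherited allow-everyone default. The Windows account names, group memberships and the hypothetical CORP domain are constructed for the demo; the case-insensitive name comparison is an assumption about ASP.NET's behaviour.

```python
"""Simulates how ASP.NET walks an <authorization> section: rules are checked in
document order, the first one that matches the caller decides, and a caller that
matches no rule falls through to the inherited default (allow everyone)."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

class Principal(NamedTuple):
    name: str           # Windows account, "" for the anonymous user
    authenticated: bool
    roles: frozenset    # Windows groups the account belongs to

def _names(attr):
    # users="a, b" / roles="x, y" are comma-separated; compared case-insensitively (assumption)
    return {n.strip().lower() for n in attr.split(",") if n.strip()}

def parse_rules(web_config):
    """Return [(action, users, roles), ...] from the first <authorization> element."""
    auth = ET.fromstring(web_config).find(".//authorization")
    return [(r.tag, _names(r.get("users", "")), _names(r.get("roles", ""))) for r in auth]

def matches(rule, p):
    _, users, roles = rule
    return ("*" in users                                # everyone
            or ("?" in users and not p.authenticated)   # anonymous callers only
            or p.name.lower() in users
            or bool(roles & {r.lower() for r in p.roles}))

def is_allowed(rules, p):
    for rule in rules:
        if matches(rule, p):
            return rule[0] == "allow"   # first match wins; later rules are never consulted
    return True  # nothing matched: the inherited <allow users="*" /> default applies

# Joe's <location> block from the post, and the fix the commenters propose
JOES_CONFIG = r"""<configuration><location path="adminPages"><system.web><authorization>
  <allow roles="BUILTIN\Administrators" /><deny users="?" />
</authorization></system.web></location></configuration>"""
FIXED_CONFIG = JOES_CONFIG.replace('users="?"', 'users="*"')

# Constructed sample callers (names and groups are made up for the demo)
ANON  = Principal("", False, frozenset())
STAFF = Principal(r"CORP\jdoe", True, frozenset({r"CORP\Domain Users"}))
ADMIN = Principal(r"CORP\alice", True, frozenset({r"BUILTIN\Administrators"}))

if __name__ == "__main__":
    for label, cfg in (("Joe's config", JOES_CONFIG), ("fixed config", FIXED_CONFIG)):
        rules = parse_rules(cfg)
        for p in (ANON, STAFF, ADMIN):
            verdict = "allow" if is_allowed(rules, p) else "deny"
            print(f"{label}: {p.name or '<anonymous>':<16} -> {verdict}")
```

Running it shows the ordinary domain user CORP\jdoe falling through Joe's two rules to "allow", while the same caller hits the deny users="*" rule in the fixed version.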

Tuesday, October 10, 2006 2:05 AM by Russian Geek

# re: What's Wrong With This Code? (#7)

Authorized users have access.
Replace "?" with "*".

Tuesday, October 10, 2006 2:31 AM by Wayne Howarth

# re: What's Wrong With This Code? (#7)

Although this configuration denies anonymous users, he needs to remember that other users who have successfully been authenticated will still be given access.

The following needs to be added underneath the <deny...> element:

<deny users="*" />

Tuesday, October 10, 2006 5:22 AM by Jeff Lynch

# re: What's Wrong With This Code? (#7)

Yep, he should be worried!

I'd try using the following in the web.config that resides in the "adminPages" directory.

<configuration>
<system.web>
<authorization>
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

Tuesday, October 10, 2006 5:44 AM by scott

# re: What's Wrong With This Code? (#7)

As many pointed out, the config file will need to add:

<deny users="*" />

to prevent other authenticated users.

@Tyrone: Since this is an intranet app, presumably someone can login on another machine with domain credentials that give them admin access on this box.

Tuesday, October 10, 2006 8:23 AM by Tyrone

# re: What's Wrong With This Code? (#7)

Scott,

Looks like I misread the question. I can't see how I missed the "should only be accessible to users in the machine's local administrators group" in the second sentence. Anyways, waiting for #8.