<< Celebrities in MSDN Documentation | Home | Web Client Software Factory - Drop 04 >>

What's Wrong With This Code? (#7)

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory - the adminPages directory, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config, and is feeling pretty secure.

<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>  
</configuration>

Should Joe be worried?

Print | posted @ Tuesday, October 10, 2006 2:03 AM

Comments on this entry:

Gravatar # re: What's Wrong With This Code? (#7)
by Stephen Nelson at 10/10/2006 2:30 AM
It should be <deny users="*" /> the ? just denies anoymous users.
  
Gravatar # re: What's Wrong With This Code? (#7)
by Tyrone at 10/10/2006 3:45 AM
Based on the snippet, I would probably say the BUILTIN\Administrators seems to be the culprit. The user would have to be an admin on the box the web application is hosted on in order to gain access to the secure directory.
  
Gravatar # re: What's Wrong With This Code? (#7)
by Todd at 10/10/2006 5:02 AM
This will essentially allow everyone EXCEPT anonymous users... so if some other user from another group authenticates, it will allow them to see the path.

It should be deny users="*"
  
Gravatar # re: What's Wrong With This Code? (#7)
by Shaka at 10/10/2006 6:45 AM
yes he should,
any one that is authenticate will get access to adminPages he should change to:
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
  
Gravatar # re: What's Wrong With This Code? (#7)
by Russian Geek at 10/10/2006 7:06 AM
Maybe <deny users="*" /> ?
  
Gravatar # re: What's Wrong With This Code? (#7)
by Tom Pester at 10/10/2006 8:40 AM
Everyone who is authorized will have access to the adminPages. Only the anonymous users will get blocked.

Every rule gets evaluated in order and only if there is a match the rule will get applied and no further rules will get evaluated.

Since only BUILYIN\Administrators and ? are address, a random authorized user will fall thorug the rules and default to getting access.

To achieve what was set the second rule should be deny users="*"

  
Gravatar # re: What's Wrong With This Code? (#7)
by Russian Geek at 10/10/2006 9:05 AM
Authorized users have an access.
Replace "?" with "*".
  
Gravatar # re: What's Wrong With This Code? (#7)
by Wayne Howarth at 10/10/2006 9:31 AM
Although this configuration denies anonymous users, he needs to remember that other users who have successfully been authenticated will still be given access.

The following needs to be added underneath the <deny...> element:

<deny users="*" />
  
Gravatar # re: What's Wrong With This Code? (#7)
by Jeff Lynch at 10/10/2006 12:22 PM
Yep, he should be worried!

I'd try using the following in the web.config that resides in the "adminPages" directory.

<configuration>
<system.web>
<authorization>
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

  
Gravatar # re: What's Wrong With This Code? (#7)
by scott at 10/10/2006 12:44 PM
As many pointed out, the config file will need to add:

<deny users="*" />

to prevent other authenticated users.

@Tyrone: Since this is an intranet app, presumably someone can login on another machine with domain credentials that give them admin access on this box.
  
Gravatar # re: What's Wrong With This Code? (#7)
by Tyrone at 10/10/2006 3:23 PM
Scott,

Looks like I misread the question. I can't see how I missed the "should only be accessible to users in the machine's local administrators group" in the second sentence. Anyways, waiting for #8.
  
Comments have been closed on this topic.
Scott Allen
Posts - 869
Comments - 4493
Stories - 14