What's Wrong With This Code? (#7)

Tuesday, October 10, 2006

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory, the adminPages directory, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config, and is feeling pretty secure.

<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

Should Joe be worried?


Comments
Stephen Nelson Tuesday, October 10, 2006
It should be <deny users="*" />, the ? just denies anonymous users.
Tyrone Tuesday, October 10, 2006
Based on the snippet, I would probably say the BUILTIN\Administrators seems to be the culprit. The user would have to be an admin on the box the web application is hosted on in order to gain access to the secure directory.
Todd Tuesday, October 10, 2006
This will essentially allow everyone EXCEPT anonymous users... so if some other user from another group authenticates, it will allow them to see the path.

It should be deny users="*"
Shaka Tuesday, October 10, 2006
Yes he should,
anyone that is authenticated will get access to adminPages. He should change to:
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
Russian Geek Tuesday, October 10, 2006
Maybe <deny users="*" /> ?
Tom Pester Tuesday, October 10, 2006
Everyone who is authorized will have access to the adminPages. Only the anonymous users will get blocked.

Every rule gets evaluated in order and only if there is a match the rule will get applied and no further rules will get evaluated.

Since only BUILTIN\Administrators and ? are addressed, a random authorized user will fall through the rules and default to getting access.

To achieve what was set the second rule should be deny users="*"

Russian Geek Tuesday, October 10, 2006
Authorized users have access.
Replace "?" with "*".
Wayne Howarth Tuesday, October 10, 2006
Although this configuration denies anonymous users, he needs to remember that other users who have successfully been authenticated will still be given access.

The following needs to be added underneath the <deny...> element:

<deny users="*" />
Jeff Lynch Tuesday, October 10, 2006
Yep, he should be worried!

I'd try using the following in the web.config that resides in the "adminPages" directory.

<configuration>
<system.web>
<authorization>
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

scott Tuesday, October 10, 2006
As many pointed out, the config file will need to add:

<deny users="*" />

to prevent other authenticated users.

@Tyrone: Since this is an intranet app, presumably someone can login on another machine with domain credentials that give them admin access on this box.
Tyrone Tuesday, October 10, 2006
Scott,

Looks like I misread the question. I can't see how I missed the "should only be accessible to users in the machine's local administrators group" in the second sentence. Anyways, waiting for #8.
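A small model of the rule evaluation Tom Pester describes, added here as an example; it is not code from the post or from ASP.NET itself, and the principal names and roles are constructed. It walks the rules top to bottom, lets the first match decide, and falls back to the implicit machine-level <allow users="*" /> when nothing matches, which is exactly why Joe's second rule lets authenticated non-admins through while the corrected one does not.

```python
# Added example (not from the post): a minimal model of ASP.NET URL
# authorization semantics, enough to compare Joe's rules with the fix.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    name: Optional[str]            # None models an anonymous request
    roles: frozenset = frozenset()

    @property
    def authenticated(self) -> bool:
        return self.name is not None

def rule_matches(rule: dict, p: Principal) -> bool:
    """One <allow>/<deny> element. 'users' and 'roles' are comma-separated;
    '?' means anonymous, '*' means everyone (authenticated or not)."""
    for u in rule.get("users", "").split(","):
        u = u.strip()
        if u == "*" or (u == "?" and not p.authenticated) or (u and u == p.name):
            return True
    for r in rule.get("roles", "").split(","):
        r = r.strip()
        if r and r in p.roles:
            return True
    return False

def is_allowed(rules: list, p: Principal) -> bool:
    """Rules run top to bottom; the first matching rule decides.
    If nothing matches, the inherited default is <allow users="*" />."""
    for action, rule in rules:
        if rule_matches(rule, p):
            return action == "allow"
    return True

# Joe's rules as posted, and the same rules with the corrected second rule.
JOES_RULES = [("allow", {"roles": r"BUILTIN\Administrators"}), ("deny", {"users": "?"})]
FIXED_RULES = [("allow", {"roles": r"BUILTIN\Administrators"}), ("deny", {"users": "*"})]

# Constructed sample requests: anonymous, an ordinary domain user, a local admin.
ANON = Principal(None)
STAFF = Principal(r"CORP\alice", frozenset({r"CORP\Domain Users"}))
ADMIN = Principal(r"CORP\bob", frozenset({r"BUILTIN\Administrators"}))

if __name__ == "__main__":
    for label, rules in (("joe", JOES_RULES), ("fixed", FIXED_RULES)):
        print(label, [is_allowed(rules, p) for p in (ANON, STAFF, ADMIN)])
```

Running it shows STAFF allowed under Joe's rules and denied under the fixed ones, with ANON denied and ADMIN allowed in both.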
by K. Scott Allen