What's Wrong With This Code? (#7)

Tuesday, October 10, 2006

This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory - the adminPages directory, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config, and is feeling pretty secure.

<configuration>
  <location path="adminPages">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>  
</configuration> 

Should Joe be worried?

Comments

Stephen Nelson Tuesday, October 10, 2006

It should be <deny users="*" /> the ? just denies anoymous users.

Tyrone Tuesday, October 10, 2006

Based on the snippet, I would probably say the BUILTIN\Administrators seems to be the culprit. The user would have to be an admin on the box the web application is hosted on in order to gain access to the secure directory.

Todd Tuesday, October 10, 2006

This will essentially allow everyone EXCEPT anonymous users... so if some other user from another group authenticates, it will allow them to see the path.

It should be deny users="*"

Shaka Tuesday, October 10, 2006

yes he should,
any one that is authenticate will get access to adminPages he should change to:
<allow roles="BUILTIN\Administrators" />
<deny users="*" />

Russian Geek Tuesday, October 10, 2006

Maybe <deny users="*" /> ?

Tom Pester Tuesday, October 10, 2006

Everyone who is authorized will have access to the adminPages. Only the anonymous users will get blocked.

Every rule gets evaluated in order and only if there is a match the rule will get applied and no further rules will get evaluated.

Since only BUILYIN\Administrators and ? are address, a random authorized user will fall thorug the rules and default to getting access.

To achieve what was set the second rule should be deny users="*"

Russian Geek Tuesday, October 10, 2006

Authorized users have an access.
Replace "?" with "*".

Wayne Howarth Tuesday, October 10, 2006

Although this configuration denies anonymous users, he needs to remember that other users who have successfully been authenticated will still be given access.

The following needs to be added underneath the <deny...> element:

<deny users="*" />

Jeff Lynch Tuesday, October 10, 2006

Yep, he should be worried!

I'd try using the following in the web.config that resides in the "adminPages" directory.

<configuration>
<system.web>
<authorization>
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

scott Tuesday, October 10, 2006

As many pointed out, the config file will need to add:

<deny users="*" />

to prevent other authenticated users.

@Tyrone: Since this is an intranet app, presumably someone can login on another machine with domain credentials that give them admin access on this box.

Tyrone Tuesday, October 10, 2006

Scott,

Looks like I misread the question. I can't see how I missed the "should only be accessible to users in the machine's local administrators group" in the second sentence. Anyways, waiting for #8.

Comments are closed.

My Pluralsight Courses

OdeToCode by K. Scott Allen

Twitter

About

Tweets by OdeToCode

The Podcast!