How To Secure Your dasBlog Installation

Posted in dasBlog | Security at Friday, June 08, 2007 9:44 AM W. Europe Daylight Time

dasBlog has a pretty large user base, and while browsing some dasBlog sites I occasionally check if they're set up securely. It's not that dasBlog is inherently insecure, but some installations allow for information leakage, and most users aren't even aware of this.

Basic setup

There are a couple of locations where you can set up security for any ASP.NET application:

  • NTFS security,
  • IIS virtual directory and folder security,
  • web.config: the <authentication> element, or an HttpForbiddenHandler mapping for certain ASP.NET file extensions.

Note that web.config settings only apply to file extensions mapped to ASP.NET on Windows Server 2003 and before. I am working on IIS 6 here, and while I like to keep my security settings in (mostly) one place, I usually go with a generic read-access configuration in IIS and apply the more fine-grained settings using NTFS.

When deploying dasBlog to your web server you will likely enable read access to the dasBlog folder for the IUSR and NETWORK SERVICE accounts on the NTFS Security tab. This gives the IIS and ASP.NET runtimes the rights they need to work. On the /logs, /content and /SiteConfig directories you will also need to enable change access for the NETWORK SERVICE account, since this is where dasBlog stores its working data. (dasBlog runs under the IIS worker process identity, which is NETWORK SERVICE on Windows Server 2003 and ASPNET on Windows 2000 and XP.) If anything is set up incorrectly you'll see the configuration error page when you try to configure your blog or post a blog entry.

Folder           IUSR access   NETWORK SERVICE access   Notes
/dasBlog root    R             R
  /bin           RI            RI                       Contents protected by ASP.NET
  /content       RI            RI, W                    Blog posts, comments, trackbacks
    /binary      RI            RI, WI                   Binary content, i.e. images and enclosures
    /profiles    RI            RI, WI                   User profiles
  /DatePicker    RI            RI
  /ftb           RI            RI
  /images        RI            RI
  /logs          RI            RI, W                    Log files
  /SiteConfig    RI            RI, W                    Config and error pages
  /smilies       RI            RI
  /themes        RI            RI

Legend: R = Read, RI = Read (inherited), W = Write, WI = Write (inherited)

The /logs folder

Sometimes when I visit a random dasBlog site I try to download one of dasBlog's log files, which are located in the /logs folder. Since IUSR's read access is most likely inherited (RI) in this folder, anonymous users can download log files. The log file name format is publicly available, so, for example, the /logs/2007-06-08-referrer.log.zip file contains the referrers for today. This information leakage is easily mitigated by denying IUSR read access to the /logs folder. However, I've found at least three high-traffic blogs where this was not the case (I e-mailed the owners; things are fixed now).

Themes

Another problem that came up recently on the developer mailing list was how to keep blog templates private. Since we already register the HttpForbiddenHandler for *.blogtemplate files, and IIS doesn't serve files for which no MIME type is configured, this is really a non-issue. The template's manifest file, however, will be served, but that should not bother you since there's no valuable information in it.

Special Case: The /content folder

One rather interesting place is the /content folder. Your posts, comments and blogged binary content like images are stored there. The /content/binary subfolder holds images and enclosures, i.e. basically everything you attach to a certain post. The /content/profiles folder serves as a container for user profiles, stored in <Username>.format.html files. Please note that *.format.html files are always templated and served through FormatPage.aspx, that is, they are never accessed by IUSR directly.

With the basic setup above, read access for anonymous users is enabled in the /content folder and its subfolders. Thus, anonymous users are able to get the raw post data by requesting the *.dayentry.xml and *.dayfeedback.xml files for a certain date, for example /content/2007-06-08.dayentry.xml. Again, the file name pattern is no secret.

This last piece of public information should only be served through certain channels, like the templated front page or RSS. Because of dasBlog's folder structure, securing the /content folder is a bit tricky:

  • First, deny read access to the /content folder for the IUSR account.
  • In the next step, open the Security tab of the /content/binary folder and break NTFS inheritance there, copying all existing ACLs.
  • Delete the copied Deny ACL for IUSR.

Secure Configuration

In the end, the NTFS security settings that work best for me look like this (changes from the basic setup are marked with *):

Folder           IUSR access     NETWORK SERVICE access   Notes
/dasBlog root    R               R
  /bin           RI              RI                       Contents protected by ASP.NET
  /content       RI, RD *        RI, W                    Blog posts, comments, trackbacks
    /binary      R *             R, W *                   Binary content, i.e. images and enclosures
    /profiles    RI, RDI *       RI, WI                   User profiles
  /DatePicker    RI              RI
  /ftb           RI              RI
  /images        RI              RI
  /logs          RI, RD *        RI, W                    Log files
  /SiteConfig    RI, RD *        RI, W                    Config and error pages
  /smilies       RI              RI
  /themes        RI              RI

Legend: R = Read, RI = Read (inherited), W = Write, WI = Write (inherited), RD = Deny read, RDI = Deny read (inherited)

Please note that on Windows, Deny ACLs always take precedence over Allow ACLs.
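The three steps for the /content folder and the resulting table, as an added example (not code from the original post): a PowerShell script that applies the Deny ACEs with Get-Acl/Set-Acl, breaks inheritance on /content/binary, and then reports which folders deny the anonymous account read access. The dasBlog path and the anonymous account name are assumptions; on Windows Server 2003 the account is usually named IUSR_<MACHINENAME>.

```powershell
# Added example, not from the original post: applies the three ACL steps above
# and reports the resulting IUSR state per folder.
# Assumptions: dasBlog lives in $Root and the anonymous IIS account is $Anon
# (on Windows Server 2003 the account is usually named IUSR_<MACHINENAME>).
param(
    [string]$Root = 'C:\inetpub\wwwroot\dasBlog',
    [string]$Anon = "IUSR_$env:COMPUTERNAME"
)

$Read  = [System.Security.AccessControl.FileSystemRights]::Read
$Flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$None  = [System.Security.AccessControl.PropagationFlags]::None
$Deny  = [System.Security.AccessControl.AccessControlType]::Deny

function Get-AnonDenyRules([string]$Path) {
    # Every Deny ACE for $Anon that covers the Read right, explicit or inherited
    # (the post's RD and RDI columns).
    @((Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Anon" -and
        $_.AccessControlType -eq $Deny -and
        (($_.FileSystemRights -band $Read) -eq $Read)
    })
}

function Deny-AnonRead([string]$Path) {
    # Step 1: add an explicit Deny-read ACE; Deny wins over the inherited Allow.
    $acl = Get-Acl $Path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Anon, $Read, $Flags, $None, $Deny)))
    Set-Acl $Path $acl
}

function Restore-AnonRead([string]$Path) {
    # Step 2: break inheritance but copy the inherited ACEs (second argument $true),
    # so NETWORK SERVICE keeps its rights. Step 3: remove the copied Deny ACE.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl $Path $acl
    $acl = Get-Acl $Path
    Get-AnonDenyRules $Path | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl $Path $acl
}

foreach ($d in 'content', 'logs', 'SiteConfig') { Deny-AnonRead (Join-Path $Root $d) }
Restore-AnonRead (Join-Path $Root 'content\binary')

# Report: expect a Deny on content, content\profiles (inherited), logs and
# SiteConfig, and none on content\binary.
foreach ($d in 'content', 'content\binary', 'content\profiles', 'logs', 'SiteConfig') {
    $n = (Get-AnonDenyRules (Join-Path $Root $d)).Count
    '{0,-18} {1} read denied: {2}' -f $d, $Anon, ($n -gt 0)
}
```

Run it from an elevated prompt on the web server; the final loop is also a quick way to re-check an existing installation without changing anything if you comment out the two lines that call Deny-AnonRead and Restore-AnonRead.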

Discuss

If you're a dasBlog developer or user, please feel free to leave a comment if you (dis)like this solution, have a question or suggestions for a better solution.

Thursday, September 18, 2008 3:15:19 PM (W. Europe Daylight Time, UTC+02:00)
Hi Alexander,

I am writing from the UK. I read your article above & I am trying to do a similar thing to what you've written below under "Special Case: The /content folder".

On our webserver there's a folder full of PDFs which I want to prevent people from accessing directly, i.e.
www.mywebsite.com/pdfs/mypdf.pdf

These are served up through an ASP script, so there is never a direct link to them (www.mywebsite.com/downloadpdfs.asp). How do you set up the directory permissions so that the ASP script can get them but a user cannot browse directly?

Any help would be really great.

Thanks

Marcus
Thursday, September 18, 2008 3:35:06 PM (W. Europe Daylight Time, UTC+02:00)
Hi Marcus,

You would have to disallow IUSR reading the contents of the PDF folder, whereas the application pool identity (most likely NETWORK SERVICE) would have to have read rights. IUSR must also be able to read the ASP file that serves the PDFs.

/ -> IUSR: read, NETWORK SERVICE: read
/pdfs/ -> IUSR: disallow read

NETWORK SERVICE can read in /pdfs/ if the rights are inherited from /.

HTH,

Alex
Tuesday, August 11, 2009 11:13:36 PM (W. Europe Daylight Time, UTC+02:00)
Hi,
I was looking for that info for nearly 4 days. Can I copy this article on my blog? If so, please mail me, and we can exchange useful articles in the future.

Regards,
Nick