ASP.NET Partial Trust does not guarantee application isolation

ASP.NET lets administrators host applications in partial trust modes such as medium trust. It also allows for the configuration of custom partial trust levels through custom policy files. For more information about how to use medium trust in ASP.NET 2.0, go to the following Microsoft Developer Network (MSDN) webpage: We previously described ASP.NET partial trust as a mechanism for enforcing application isolation in a shared hosting environment in which multiple applications that have different trust levels are hosted on the same web server. We are updating our guidance about this to reflect that running an ASP.NET page framework application in partial trust does not guarantee complete isolation from other applications that are running in the same process or on the same computer. 

Configuring ASP.NET page framework applications to run in separate low-privileged processes (by using individual application pools) is the recommended procedure to make sure of isolation from other ASP.NET page framework applications on the same web server. The following section provides details about how to configure applications for isolation. We are updating our other documentation to reflect the change in policy that is outlined in this article. 

Server administrators should apply the guidelines in this article to make sure that applications are isolated in shared hosting environments. These guidelines apply to hosting ASP.NET on Windows Server 2003 SP2 and later versions. The guidelines cover Internet Information Services (IIS) 6.0 to 7.5.

Many of the tasks that are outlined here can be automated by using the AppCmd.exe IIS command line tool in IIS 7 and 7.5 and by using IIS administration scripts in IIS 6.0.

How to put applications in separate IIS sites

In a shared hosting environment, applications should be put in separate IIS sites. Configuration is better isolated between applications when they are hosted in separate sites. In addition, the .NET Framework CLR host will be separate. This provides additional isolation at that level.

To put each application in a separate site, follow these steps:

Internet Information Services 6.0 (Windows Server 2003 SP2)

1. Open the Internet Information Services (IIS) Manager.
2. In the left-side pane, expand the node for the current server.
3. Right-click the Web Sites node, click New, and then click Web Site.
4. Click Next.
5. Enter a unique name for the new website, and then click Next.
6. Configure the site bindings for the hosting environment.
7. Enter the physical path of the folder in which the application files are stored.
8. Click to select the Run scripts (such as ASP) check box, and then click Next.
9. Click Finish. The new site appears under the Web Sites node.

Internet Information Services 7 (Windows Vista SP2 and Windows Server 2008 SP1) and Internet Information Services 7.5 (Windows 7 and Windows Server 2008 R2)

1. Open the Internet Information Services (IIS) Manager.
2. In the Connections pane, expand the node for the current server.
3. Select the Sites node, and then click the Add Web Site link in the Actions pane.
4. In the Add Web Site dialog box, enter a unique name for the new website, and then enter the physical path of the folder in which the application files are stored. By default, a new application pool is created that has the same name as the site, and the site is configured to use this application pool. (This is the recommended configuration.)
5. Configure the site bindings for the hosting environment.
6. Click to clear the Start Web site immediately check box to make sure that the site is not available until the isolation guidelines that are outlined here are completed.
7. Click OK. The configured site appears under the Sites node in the Connections pane.

How to put sites in separate application pools

In a shared hosting environment, applications should be put in separate application pools. This allows for applications to be isolated into separate operating system processes with unique identities. This provides a level of isolation from one site to another. (The following section describes how to configure application pool identities for isolation.)

Internet Information Services 6.0 (Windows Server 2003 SP2)

1. Open the Internet Information Services (IIS) Manager.
2. In the left-side pane, expand the node for the current server.
3. Right-click Application Pools, click New, and then click Application Pool.
4. Enter a unique name for the new application pool, and then click OK.
5. Expand the Web Sites node.
6. Right-click the target website, and then click Properties.
7. Click the Home Directory tab.
8. In the Application pool field at the bottom of the dialog box, select the new application pool.
9. Click OK.

Internet Information Services 7 (Windows Vista SP2 and Windows Server 2008 SP1) and Internet Information Services 7.5 (Windows 7 and Windows Server 2008 R2)

After you follow the steps in the "How to put applications in separate IIS sites," section, the new site is automatically put in a new, separate application pool. However, if you have to configure an existing site to use a new, separate application pool, follow these steps: 

1. Open the Internet Information Services (IIS) Manager.
2. In the Connections pane, expand the node for the current server.
3. Select the Application Pools node.
4. In the Actions pane, click the Add Application Pool link.
5. Enter a unique name for the new application pool, and then select a target .NET Framework version and pipeline mode.
6. Click OK. The new application pool is displayed in the list.
7. In the Connections pane, expand the Sites node.
8. Select the site that you want to move to the application pool that you created earlier in this procedure.
9. In the Actions pane, click the Basic Settings link.
10. In the Edit Site dialog box, click Select.
11. In the Application pool list, select the application pool that you created earlier.
12. Click OK.

In the Edit Site dialog box, click OK.

How to configure application pools for isolation (process identity)

Application pools host applications and sites in a Windows process (or processes). The identity under which the process runs is configurable. In a shared hosting environment, there should be a separate identity for each application. This makes sure that each application is running in the context of a unique account. This allows for correct isolation by using file-system discretionary access control lists (DACL) and the built-in process isolation features of the underlying operating system. To create a user account and then assign an application pool to use that account, follow these steps.

Internet Information Services 6.0 (Windows Server 2003 SP2)

Create a local user account to use as the application pool identity

1. Open the Internet Information Services (IIS) Manager.
2. In the left-side pane, expand Local Users and Groups.
3. Right-click the Users node, and then click New User.
4. Enter a unique name and a strong password for the new user account.
5. Click to clear the User must change password at next logon check box.
6. Click to select the User cannot change password check box.
7. Click Create, and then click Close.
8. In the left-side pane, select the Users node. The new account appears in the list.

Configure the application pool to use the new local user account

1. Open the Internet Information Services (IIS) Manager.
2. In the left-side pane, expand the node for the current server.
3. Expand the Application Pools node.
4. Right-click the target application pool, and then click Properties.
5. Click the Identity tab.
6. Select the Configurable option button.
7. Enter the user name and password of the new account.
8. Click OK.
9. Re-enter the password in the Confirm Password dialog box, and then click OK.

Internet Information Services 7 and 7.5 (Windows Vista SP2, Windows Server 2008 SP1, Windows 7 and Windows Server 2008 R2)

1. Open the Internet Information Services (IIS) Manager.
2. In the Connections pane, expand the node for the current server.
3. Select the Application Pools node.
4. Select the target application pool.
5. In the Actions pane, click the Advanced Settings link.
6. In the Process Model section, set the Identity property to ApplicationPoolIdentity. This setting creates a unique identity for this application pool automatically. In the following sections, you can use this unique identity to set discretionary access control lists (DACLs) on the file locations to which the application needs access.
7. Click OK.

How to configure DACLs on application content locations

The discretionary access control list (DACL) is a list of permissions that are associated with an object and that can be used to control access to the object. Using DACLs to restrict access to application content helps strengthen the isolation between sites that are hosted on the same web server. For more information about ACLs and IIS identities, see Secure Content in IIS Through File System ACLs

All versions of IIS

1. Open the root folder for the site content at a command prompt or in Windows Explorer.
2. Use either of the following methods to remove entries for any non-administrator access to this location. (This includes the Users group.)
   • In Windows Explorer, right-click the folder, select Properties, click the Security tab, and then change the access control list.
   • At a command prompt, use the icacls.exe
     (http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx)
     utility (or cacls.exe on older versions of the Windows operating system) to change the access control list.
3. Add a new entry for the process identity that you selected for the site.
4. Give the new identity Read and Execute access to the folder.

If there are particular folders that require write permissions by the application (for example, an "Uploads" folder), follow these steps:

Internet Information Services 6.0 (Windows Server 2003 SP2)

1. In Windows Explorer, right-click the folder, select Properties, click the Security tab, and add Modify access for the process identity.
2. For folders that will contain static content (pictures, text files, and so on), follow these steps:
   1. Open the Internet Information Services (IIS) Manager.
   2. In the left-side pane, right-click the appropriate folder name, and then click Properties.
   3. Click the Directory tab.
   4. In the Execute Permissions list, select None.

Internet Information Services 7 and 7.5 (Windows Vista SP2, Windows Server 2008 SP1, Windows 7 and Windows Server 2008 R2)

1. In Windows Explorer, right-click the folder, select Properties, click the Security tab, and add Modify access for the process identity.
2. For folders that will contain static content (pictures, text files, and so on), add a "web.config" file entry for the location that disallows Script permission in the accessPolicy setting:

   <system.webServer>
   <handlers accessPolicy="Read,Write" />
   </system.webServer>
   

How to configure a Temporary ASP.NET Files folder location and how to set DACLs per site

ASP.NET requires a location on the server to store temporary data such as compiled files. This is usually the Temporary ASP.NET Files folder. By default, this folder is under the folder where the .NET Framework is installed. Allocating a different temporary location for each site and securing the folder individually appropriately helps strengthen the isolation between sites that are hosted on the same web server. For more information about the Temporary ASP.NET Files folder, see Understanding ASP.NET Dynamic Compilation.

How to configure a different Temporary ASP.NET Files folder location for each site

1. Create a new folder for each site to store temporary ASP.NET files for that site. It is better to use a nonsystem drive to store the temporary files.
2. In the server's root web.config or applicationHost.config file, include a setting to point to the location of the new folder for that particular site by using a <location> element, such as this:

   <configuration>
   <location path="path">
   <system.web>
   <compilation tempDirectory="temp-files-path" />
   </system.web>
   </location>
   <!-- and so on -->
   </configuration>
   

How to set appropriate DACLs on the Temporary ASP.NET Files folder location

1. Use a command prompt or Windows Explorer to remove permissions for any non-administrator access to this location. (This includes the Users group.)
2. Add a new entry for the process identity that you selected for this site earlier, and then give this identity Modify access for the folder.

How to remove sensitive configuration data from root configuration files

Application web.config files are located in the content folder for the application that is being served. Even though ASP.NET will not serve the application web.config file, when it is practical, it is better to put security-sensitive information such as machine-key settings and connection strings in a configuration file that is outside the application location. This adds a defense against information disclosure.

Internet Information Services 6.0 (Windows Server 2003 SP2)

Storing security-sensitive configuration information in the root web.config file is not a good option for isolating data between different sites, because all sites have read access to this file. Therefore, on IIS 6 you should store sensitive configuration in your application web.config file. This lets sites isolate sensitive configuration from one another. In that case, your application will be relying on ASP.NET defenses to prevent the application web.config file from being served and to make sure that sensitive information is not disclosed.

Internet Information Services 7 and 7.5 (Windows Vista SP2, Windows Server 2008 SP1, Windows 7 and Windows Server 2008 R2)

For IIS 7 and later versions, move the sensitive configuration that is in the IIS applicationHost.config file into a <location> element that scopes the configuration to the site to which it applies. For more information, see How to Use Locking in IIS 7.0 Configuration. Microsoft thanks the following people for working with us to help protect customers:

• Jeroen Frijters
  (http://weblog.ikvm.net/)