WEBPC
Participant
1585 Points
320 Posts
Allowing Full Trust for a specific IIS web site
Jan 04, 2008 04:52 PM
In our environment we have set the .NET trust level to 'Medium' and set override=False.
Now we want to allow some specific sites to run at full trust without every site owner being able to override the default medium level. How can I do this? I would assume it involves some additional entries in the machine web.config file.
TIA
Antony
Tags: IIS 6.0, Medium Trust, IIS Security
Tareq
Member
678 Points
271 Posts
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 05:02 PM
I believe you can do this in IIS. Create a new application pool in IIS and run it under Local System. Warning: this is the highest level of permission you can give a website. Then you can go to your website from IIS and change the application pool to the one you just created. Hope this helps you.
Good Luck
Tareq
WEBPC
Participant
1585 Points
320 Posts
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 05:13 PM
Tareq,
Thanks for the response. We run each site/app in its own application pool using individual user accounts and don't want to run them with a high-level account.
I believe that we can do what we want by adding entries to the machine web.config, I just don't know the entries.
Antony
OWScott
Participant
1937 Points
359 Posts
ASPInsiders
MVP
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 05:15 PM
Actually, even running the app pool as Local System won't get around CAS. This is an ASP.NET code level check that isn't controlled by the process identity.
To change it, you must change it in the root web.config file. But there are 2 considerations to be mindful of:
1. Giving some people full trust violates the trust of the whole server, unless you and everyone else on the server trust them. For example, you can set full trust for your own admin site, but if you do it just because someone's site doesn't work in partial trust, that person now has access to get around the CAS security check, which defeats the purpose of CAS. So, for CAS to work properly, it needs to apply to everyone, not just some people.
2. Every time you 'touch' web.config, an AppDomain recycle will occur on the entire server, so all InProc session state and caching will be lost and you'll have many slow first-page-loads. So, the change has a large impact on the server.
But, that said, if you decide to do it, here is how:
In your root web.config, under the <configuration> level, add something like this:
<location allowOverride="false" path="Default Web Site">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal"/>
            <trustLevel name="High" policyFile="web_hightrust.config"/>
            <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
            <trustLevel name="Low" policyFile="web_lowtrust.config"/>
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
        </securityPolicy>
        <trust level="Full" originUrl=""/>
    </system.web>
</location>
This will apply to just the site set in the path attribute and can be set to any of the security policies defined, or Full, as in this example.
Thanks,
Scott
Microsoft MVP - IIS
OrcsWeb
www.orcsweb.com
Tareq
Member
678 Points
271 Posts
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 05:28 PM
Cool Learned something new today.
WEBPC
Participant
1585 Points
320 Posts
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 07:05 PM
Scott
Thanks for the info. Just to make sure I am on the right path: am I right in thinking that "Default Web Site" in the line refers to the site description in IIS and would work for any of the other site descriptions?
I am aware of the security implications but thanks for clarifying them.
Antony
OWScott
Participant
1937 Points
359 Posts
ASPInsiders
MVP
Re: Allowing Full Trust for a specific IIS web site
Jan 04, 2008 10:33 PM
Hi Antony,
Yes, you're correct. That is just the website name in IIS. In theory it could be confused, since IIS6 doesn't enforce site name uniqueness (in fact, the metabase property is called ServerComment, which doesn't even sound like the name of a site), but most people don't have duplicate site names, for their own sake.
You can set it up for a subfolder too if you want, for example path="Site.com/subfolder".
Thanks,
Scott
Microsoft MVP - IIS
OrcsWeb
www.orcsweb.com
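Scott's <location> block and his note on path matching (site name, or site name plus subfolder) together describe how the root web.config decides a site's trust level. What follows is an added example, not code from this thread and not ASP.NET's configuration engine: a small Python model of that lookup that can be pointed at the text of a root web.config and a site's own web.config to answer the two questions an operator wants checked before touching the file, namely which paths have been granted Full trust, and whether a site owner's own web.config can still raise its trust level under the allowOverride="false" lock. The sample configuration strings, the site names Admin Site, Customer Site and Site.com, and all function names are constructed for the example; the model implements only the three rules the thread relies on (a locked root location pins trust for everyone, a more specific location in the same root file still wins for its path and subfolders, and a lower web.config may set <trust> only when no locked location covers it).

```python
"""Model of how the ASP.NET root web.config <location>/allowOverride rules
decide a site's code-access-security trust level.

Added example for the forum thread above: this is NOT ASP.NET's configuration
engine, only the three rules the thread relies on.  All config strings and
site names below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional


class ConfigLockedError(Exception):
    """A lower-level web.config tried to override a locked <trust> section."""


def _segments(path: str) -> List[str]:
    # IIS location paths look like "Default Web Site/sub/folder" and
    # site names are case-insensitive, so compare lower-cased segments.
    return [s.lower() for s in path.strip("/").split("/") if s]


def _covers(location_path: str, site_path: str) -> bool:
    """A <location path=X> applies to X and to every path beneath it.
    A <location> with no path (or path="") covers everything."""
    loc, site = _segments(location_path), _segments(site_path)
    return site[:len(loc)] == loc


def _trust_in(container: ET.Element) -> Optional[str]:
    trust = container.find("./system.web/trust")
    return None if trust is None else trust.get("level")


def effective_trust(root_config: str, site_path: str,
                    site_config: Optional[str] = None) -> str:
    """Return the trust level the model applies to site_path.

    root_config : text of the root web.config (framework CONFIG directory)
    site_path   : IIS site name, optionally followed by /subfolder
    site_config : text of the site's own web.config, if it has one
    Raises ConfigLockedError when site_config sets <trust> under a lock,
    which is where real ASP.NET fails the application with a config error.
    """
    root = ET.fromstring(root_config)
    level = _trust_in(root) or "Full"   # ASP.NET's default when nothing is set
    locked = False
    matches = []
    for loc in root.findall("location"):
        path = loc.get("path", "")
        if _covers(path, site_path) and _trust_in(loc) is not None:
            matches.append((len(_segments(path)), loc))
    # Apply less specific paths first so the most specific location wins,
    # e.g. path="Admin Site" beats the path-less global lock.
    for _, loc in sorted(matches, key=lambda m: m[0]):
        level = _trust_in(loc)
        locked = locked or loc.get("allowOverride", "true").lower() == "false"
    if site_config is not None:
        site_level = _trust_in(ET.fromstring(site_config))
        if site_level is not None:
            if locked:
                raise ConfigLockedError(
                    f"<trust> is locked for '{site_path}' by the root web.config")
            level = site_level
    return level


def grant_full_trust(root_config: str, site_path: str) -> str:
    """Return root_config with a locked <location> giving site_path Full
    trust, in the shape of the element from the thread (idempotent)."""
    root = ET.fromstring(root_config)
    for loc in root.findall("location"):
        if _segments(loc.get("path", "")) == _segments(site_path):
            root.remove(loc)            # replace rather than duplicate
    loc = ET.SubElement(root, "location",
                        {"path": site_path, "allowOverride": "false"})
    sw = ET.SubElement(loc, "system.web")
    ET.SubElement(sw, "trust", {"level": "Full", "originUrl": ""})
    return ET.tostring(root, encoding="unicode")


def full_trust_grants(root_config: str) -> List[str]:
    """Audit helper: every <location> path that is granted Full trust."""
    root = ET.fromstring(root_config)
    return sorted(loc.get("path", "") for loc in root.findall("location")
                  if _trust_in(loc) == "Full")


# Constructed sample root web.config: Medium trust pinned for every site
# (the questioner's setup), plus the thread's exception for one admin site.
ROOT_WEB_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web><trust level="Medium" originUrl=""/></system.web>
  </location>
  <location allowOverride="false" path="Admin Site">
    <system.web><trust level="Full" originUrl=""/></system.web>
  </location>
</configuration>"""

# Constructed sample of a hosted site's web.config trying to raise its trust.
SITE_WEB_CONFIG_OVERRIDE = """<configuration>
  <system.web><trust level="Full" originUrl=""/></system.web>
</configuration>"""


if __name__ == "__main__":
    print(effective_trust(ROOT_WEB_CONFIG, "Admin Site"))      # Full
    print(effective_trust(ROOT_WEB_CONFIG, "Customer Site"))   # Medium
    try:
        effective_trust(ROOT_WEB_CONFIG, "Customer Site", SITE_WEB_CONFIG_OVERRIDE)
    except ConfigLockedError as err:
        print("rejected:", err)
    updated = grant_full_trust(ROOT_WEB_CONFIG, "Site.com/subfolder")
    print(full_trust_grants(updated))   # ['Admin Site', 'Site.com/subfolder']
```

On a real server the file to feed `effective_trust` is the framework's root web.config (for .NET 2.0, the web.config in the CONFIG directory under %windir%\Microsoft.NET\Framework\v2.0.50727), not a site's web.config; the list returned by `full_trust_grants` is the thing to review periodically, because every path on it is exempt from the CAS check the Medium-trust setting was meant to enforce, and every edit to that file recycles all application domains on the server, as Scott's second consideration warns.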