Securing ASP.NET in hosting environment

Last post 07-28-2009 5:34 AM by RickNZ. 8 replies.

  • Securing ASP.NET in hosting environment

    07-22-2009, 9:41 PM
    • Member
      point Member
    • ThomasMack
    • Member since 11-25-2006, 3:51 AM
    • Posts 19

    I plan on offering free and cheap ASP.NET web hosting. I am creating my own back end panel in C#/ASPNET. When a new account is created, I am programmatically creating the website and app pool in IIS using Microsoft.Web.Administration.

    How can I go about blocking any kind of security threats related to ASP.NET for the websites I created programmatically? I mean in general, how would I go about securing IIS/ASP.NET?

  • Re: Securing ASP.NET in hosting environment

    07-23-2009, 12:02 AM
    • Contributor
      5,226 point Contributor
    • RickNZ
    • Member since 01-01-2009, 8:43 AM
    • Nelson, New Zealand
    • Posts 867

    Putting customers in their own AppPools is a good first step.

    In addition, you can limit the required trust level, from full to something less.

    You should also have each AppPool run as a unique Windows user, with all of their website files owned by the same user.



  • Re: Securing ASP.NET in hosting environment

    07-23-2009, 10:42 PM
    • Member
      point Member
    • ThomasMack
    • Member since 11-25-2006, 3:51 AM
    • Posts 19

    Wow, I looked right over that trust level! For free hosting, is LOW the best choice? I'm not sure how to create a Windows user account and set permissions on a directory to that user - how hard is this in C#?

  • Re: Securing ASP.NET in hosting environment

    07-24-2009, 12:26 AM
    • Contributor
      5,226 point Contributor
    • RickNZ
    • Member since 01-01-2009, 8:43 AM
    • Nelson, New Zealand
    • Posts 867

    Lower levels of trust are more secure.  The tradeoff is that they also severely restrict what your users are able to do.  If your free hosting is only intended to support extremely vanilla sites, then low should be fine.  You can look in the system web.config files to see the exact differences from one trust level to another.

    Creating and managing user accounts is easy, particularly with .NET 3.5, where you can use the AccountManagement library.  Here's a link to a page with some example code:

    http://www.codeproject.com/KB/system/usingAccountManagement.aspx

    You would probably also want to assign all of your free users to a common group, to help ease certain management aspects.

    BTW, another cool feature that you might want to use if you intend to support both free and paid sites is Windows System Resource Manager (WSRM).  It comes with Windows 2008, and can allow you to limit the CPU time used by certain groups of users/AppPools/etc.
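
The isolation steps discussed above (a dedicated AppPool per customer, a unique Windows user per AppPool, a common group for free users) can be provisioned in one pass. This is an added example, not code from the thread or from the linked article; the `web_` prefix, the `D:\sites` root and the pre-existing `FreeHostingUsers` group are assumptions, and it grants the account Modify rights through the directory ACL rather than changing file ownership.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Security.AccessControl;
using Microsoft.Web.Administration;

static class TenantProvisioner
{
    // Hypothetical names: "web_" prefix, D:\sites root, FreeHostingUsers group (must already exist).
    public static void Provision(string tenant, string password, string host)
    {
        string userName = "web_" + tenant;
        string root = Path.Combine(@"D:\sites", tenant);
        // 1. One local Windows account per tenant, placed in the common free-tier group.
        using (var ctx = new PrincipalContext(ContextType.Machine))
        using (var user = new UserPrincipal(ctx, userName, password, true))
        using (var group = GroupPrincipal.FindByIdentity(ctx, "FreeHostingUsers"))
        {
            user.Save();
            group.Members.Add(user);
            group.Save();
        }
        // 2. Content directory: no inherited ACEs; only admins, SYSTEM and this tenant.
        Directory.CreateDirectory(root);
        var acl = new DirectorySecurity();
        acl.SetAccessRuleProtection(true, false);
        var inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        foreach (var id in new[] { @"BUILTIN\Administrators", @"NT AUTHORITY\SYSTEM" })
            acl.AddAccessRule(new FileSystemAccessRule(id, FileSystemRights.FullControl,
                inherit, PropagationFlags.None, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(Environment.MachineName + "\\" + userName,
            FileSystemRights.Modify, inherit, PropagationFlags.None, AccessControlType.Allow));
        Directory.SetAccessControl(root, acl);
        // 3. Dedicated AppPool running as that account, and a site bound to it.
        using (var iis = new ServerManager())
        {
            ApplicationPool pool = iis.ApplicationPools.Add(tenant + "_pool");
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = userName;
            pool.ProcessModel.Password = password;
            Site site = iis.Sites.Add(tenant, "http", "*:80:" + host, root);
            site.Applications[0].ApplicationPoolName = pool.Name;
            var anon = iis.GetApplicationHostConfiguration().GetSection(
                "system.webServer/security/authentication/anonymousAuthentication", tenant);
            anon["userName"] = "";   // anonymous requests run as the pool identity, not IUSR
            iis.CommitChanges();
        }
    }
}
```

Creating accounts and writing the IIS configuration both require administrative rights, so the process calling `Provision` has to run under an identity that has them, kept separate from any customer AppPool.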

  • Re: Securing ASP.NET in hosting environment

    07-24-2009, 9:59 PM
    • Member
      point Member
    • ThomasMack
    • Member since 11-25-2006, 3:51 AM
    • Posts 19

    Thank you. You have helped me a lot, I greatly appreciate it.

  • Re: Securing ASP.NET in hosting environment

    07-24-2009, 11:46 PM
    • Member
      55 point Member
    • MissEn4med
    • Member since 06-25-2009, 5:52 PM
    • Posts 46

    I have two friends who would like to try out having their own site but do not want to fork out money until they can see what it is all about. Do you think the method you've listed here would be appropriate for creating them an account to play with until they know if they would like to purchase hosting as well?

  • Re: Securing ASP.NET in hosting environment

    07-25-2009, 12:51 AM
    • Member
      point Member
    • ThomasMack
    • Member since 11-25-2006, 3:51 AM
    • Posts 19

    MissEn4med:

    I have two friends who would like to try out having their own site but do not want to fork out money until they can see what it is all about. Do you think the method you've listed here would be appropriate for creating them an account to play with until they know if they would like to purchase hosting as well?

    Not sure what you are asking, do they need hosting?


    Also, I am getting an error on the server now when it attempts to create the website in IIS7. Server is Windows 2008:

    Server Error in '/new' Application.

    Filename: redirection.config
    Error: Cannot read configuration file due to insufficient permissions

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.UnauthorizedAccessException: Filename: redirection.config
    Error: Cannot read configuration file due to insufficient permissions



    ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [UnauthorizedAccessException: Filename: redirection.config
    Error: Cannot read configuration file due to insufficient permissions

    ]
    Microsoft.Web.Administration.Interop.AppHostWritableAdminManager.GetAdminSection(String bstrSectionName, String bstrSectionPath) +0
    Microsoft.Web.Administration.Configuration.GetSectionInternal(ConfigurationSection section, String sectionPath, String locationPath) +218
    Microsoft.Web.Administration.ServerManager.get_SitesSection() +121
    Microsoft.Web.Administration.ServerManager.get_Sites() +31


    Any ideas?

  • Re: Securing ASP.NET in hosting environment

    07-28-2009, 1:17 AM
    • Member
      55 point Member
    • MissEn4med
    • Member since 06-25-2009, 5:52 PM
    • Posts 46

    Hi again, I meant, I have two friends who each want to do a website, so I thought I would create each of them an account off my VPS so that they could play around with hosting and try and create their sites, but to be honest I'm not sure how to do that since I just use the VPS for myself.

  • Re: Securing ASP.NET in hosting environment

    07-28-2009, 5:34 AM
    • Contributor
      5,226 point Contributor
    • RickNZ
    • Member since 01-01-2009, 8:43 AM
    • Nelson, New Zealand
    • Posts 867

    ThomasMack:

    Any ideas?

    Is there something about the error message that isn't clear?  It looks like you need to grant permission to your AppPool user to access the files that you're trying to change.

