- Posted by Admin on June 27, 2009
Why shouldn’t we allow any domain to run an ASP.NET application under the Full Trust level? Below are the reasons.
If an ASP.NET application is allowed to run under the Full Trust level, it can:
1. Browse (and create, edit, or delete) files in the Windows directory using the System.IO namespace.
2. Browse (and create, edit, or delete) folders in the Program Files directory using the System.IO namespace.
3. Browse (and create, edit, or delete) files in the System32 directory using the System.IO namespace.
4. Output the OS name and version number using the System.Environment class.
5. Output the server's local IP address using server variables, etc.
In short, a Full Trust ASP.NET application can do anything with the server, since it gains full access to the server when run under Full Trust.
Therefore, never offer any domain the Full Trust level on a shared server if you are a shared hosting provider. :)
- Posted by Admin on April 6, 2009
If you need the Full Trust level for your ASP.NET application, you just need to take the following steps on the server.
1. Locate C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
2. Add the following tag at the appropriate location:
<location path="yourdomain.com" allowOverride="true">
  <system.web>
    <trust level="Full" originUrl="*" />
  </system.web>
</location>
CAUTIONS
ASP.NET Full Trust is a dangerous thing. If a hacker somehow manages to compromise your website, he/she can do anything with the server. Here are a few actions that a hacker may take:
1. Browse (and create, edit, or delete) files in the Windows directory using the System.IO namespace.
2. Browse (and create, edit, or delete) folders in the Program Files directory using the System.IO namespace.
3. Browse (and create, edit, or delete) files in the System32 directory using the System.IO namespace.
4. Output the OS name and version number using the System.Environment class.
5. Output the server's local IP address using server variables, etc.
In short, a Full Trust ASP.NET application can do anything with the server, since it gains full access to the server when run under Full Trust.
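To check which sites a root web.config like the one above leaves at Full Trust, or leaves free to raise their own trust level, the following added example (not part of the original post) audits each <location> entry. The function name audit_trust, the sample configuration and the example.org entry are constructed for illustration; the script relies on allowOverride defaulting to true when the attribute is absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a root web.config; site names are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
  <location path="yourdomain.com" allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="*" />
    </system.web>
  </location>
  <location path="example.org">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
"""

def audit_trust(config_xml):
    """Return one finding per <location> element that sets <trust>."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        trust = next(loc.iter("trust"), None)
        if trust is None:
            continue  # this <location> does not touch the trust level
        level = trust.get("level", "")
        # Assumption: a missing allowOverride attribute means "true".
        overridable = loc.get("allowOverride", "true").lower() == "true"
        issues = []
        if level.lower() == "full":
            issues.append("full-trust")   # no code access security limits
        if overridable:
            issues.append("overridable")  # the site's own web.config can change the level
        findings.append({"path": loc.get("path", "(all sites)"),
                         "level": level, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_trust(SAMPLE_CONFIG):
        print(f"{f['path']:<16} level={f['level']:<7} {', '.join(f['issues']) or 'ok'}")
```

An entry reported as "overridable" is not locked down even at Medium, because the site's own web.config can set a different trust level.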