
Crypto\RSA\MachineKeys


Scott Duckworth

Sep 20, 2002, 2:06:59 PM
Has anyone ever needed to modify the default security settings on the folder
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys ?

We are using a third-party component to create encrypted PDFs on the fly.
It seems to have trouble reading the MachineKeys folder. If we grant the
IUSR account read access to this folder, it works.

Is this a security risk?
Any info on this would be helpful.


Thanks very much

Scott Duckworth
AQS, Inc.


BB

Sep 21, 2002, 1:50:23 AM
Not too sure about this. The default permissions on this folder are listed in
"Default Permissions for the MachineKeys Folders":
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q278381

Everyone - Special access, which includes read.

IUSR should be in this group as well, so there's no need to grant
read access to IUSR.

Rgds.


"Scott Duckworth" <sco...@aqssys.com> wrote in message
news:O1BBeBNYCHA.2232@tkmsftngp12...

Stefan Schachner[MS]

Sep 23, 2002, 12:15:34 PM
Let us know if that Q-article doesn't help ...


Stefan B. Schachner MCSE MCP MCP +I
IIS Newsgroup Support

Please do not send email directly to this alias. This is our online account
name for newsgroup participation only.

If you would like to open a support incident with Microsoft, call
1-800-936-5800

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.

Scott Duckworth

Sep 23, 2002, 2:22:42 PM
That Q-article only lists the default security settings. With the default
settings the OCX still failed. If we add the IUSR account to the MachineKeys
folder with the following special permissions, the OCX functions without a
problem:
List Folder/Read Data
Read Extended Attributes
Read Permissions

We are curious if this poses any security concerns? If so, how can we make
this work without raising any red flags in the security realm?

We are running IIS 5.0 on a Windows 2000 Server machine with SP2.
The OCX is launched by our DLL which is launched via an ASP page. We have
not modified the default IUSR account in any way.


"Stefan Schachner[MS]" <sschac...@microsoft.com> wrote in message
news:KjlLNxxYCHA.2732@cpmsftngxa06...

Stefan Schachner[MS]

Sep 24, 2002, 7:36:21 AM
The security breach is that you are allowing anyone to be able to access the
contents of this folder. The machine keys are used to encrypt files such as
the IIS 5.0 metabase. To be able to read/write to the metabase, a user must
have access to the machine key responsible for the encryption. You really
do not want to give just anyone access to this information, correct?
Now, granted, they do not have Modify, but any time you give the IUSR account
additional permissions you run the risk of being exposed...

Scott Duckworth

Sep 24, 2002, 10:30:07 AM
What are some alternatives? We need to have this OCX called by a DLL, which
is called by an ASP page. How can we accomplish getting the correct access
without opening up a security hole?

Given that we will:
* Have the WEB server be properly configured, and patched
* WEB server behind a properly configured firewall

Granted, giving the IUSR account any permissions, even minimal, over the
Machine Crypto keys can up the risk of exposure. Are there any "Best
Practices" that we can follow to allow this OCX access to the Crypto keys.


"Stefan Schachner[MS]" <sschac...@microsoft.com> wrote in message
news:9k9M557YCHA.1392@cpmsftngxa06...
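The thread never shows how to verify what the extra ACE actually exposes. The distinction that matters for Stefan's warning is whether the read right granted to IUSR stops at the MachineKeys folder (which only lets the process enumerate key file names) or propagates to the key container files inside it (which lets the process copy the private key blobs out). The following PowerShell audit is an added example, not code from the thread or from Microsoft; it reports every Allow ACE carrying ReadData for the watched identities on the folder and on each file. It assumes the modern folder location under $env:ProgramData (on Windows 2000 substitute the "Documents and Settings\All Users\Application Data" path quoted above) and that the IIS anonymous account name contains "IUSR" (IUSR_<host> on IIS 5, IUSR on later versions).

```powershell
# Added audit script (not from the original thread). Reports who can read the
# MachineKeys folder versus the key container files inside it.
param(
    # Assumed default path; on Windows 2000 pass the Documents and Settings path instead.
    [string]$MachineKeys = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
    # Identities worth flagging. "IUSR" matches both IUSR_<host> (IIS 5) and IUSR (later IIS).
    [string[]]$Watch = @('IUSR', 'Everyone', 'Users', 'Authenticated Users')
)

$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-ReadAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include List Folder/Read Data matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $readMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if (-not ($Watch | Where-Object { $id -like "*$_*" })) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # None = this folder only; ObjectInherit = the ACE also applies to files
            AppliesTo = $ace.InheritanceFlags
        }
    }
}

# 1. The folder itself: ReadData here lets a process enumerate key file names.
Write-Host "Readable ACEs on the MachineKeys folder:"
Get-ReadAces -Path $MachineKeys | Format-Table -AutoSize

# 2. The key container files: ReadData here lets a process copy the key blob out.
Write-Host "Readable ACEs on individual key container files:"
Get-ChildItem -LiteralPath $MachineKeys -File -Force |
    ForEach-Object { Get-ReadAces -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it elevated before and after adding the IUSR entry. If the new ACE appears in the second table, or carries ObjectInherit in the first, the anonymous web identity can read private key material rather than just the directory listing, which is the exposure Stefan describes; an ACE scoped to "This folder only" that shows up in the first table alone is the narrower grant Scott's permission list describes.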
