Why is it possible to connect to a database without having given permission to this database

Tony Johansson

Dec 27, 2009, 5:06:55 PM
Hello!

I have XP Pro with SQL Server 2005 Express.

This is about the Windows account ASPNET that is used by IIS. If I right
click on this computer and select Manage and then select Local Users and
Groups, I click on the item Users and then select the user ASPNET. When ASPNET is
selected I right click and choose Properties. Here I choose member in and
check that ASPNET doesn't belong to any group.

Now I start SQL Server Management Studio Express for SQL Server 2005.
I open up Security->Logins and check that ASPNET doesn't exist.

If I now write this url in the browser I can list all the customers from the
customer table in the Northwind database
http://localhost/Northwind/customerdata.aspx

Now to my question: how is it possible that the account ASPNET has access to
SQL Server when this account is not
listed in the Logins? This account ASPNET should not in any way have access
to SQL Server.

Can somebody help me explain this strange thing?
In some way this account ASPNET gets access to SQL Server but I can't
understand how.

Below is the complete web.config file listed.


**********Start web.config ***********
<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
  <appSettings/>
  <connectionStrings>
    <add name="NorthwindConnectionString"
         connectionString="Data Source=HEMPC\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <!--
        Set compilation debug="true" to insert debugging
        symbols into the compiled page. Because this
        affects performance, set this value to true only
        during development.
    -->
    <compilation debug="true"/>
    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows"/>
    <!--
        The <customErrors> section enables configuration
        of what to do if/when an unhandled error occurs
        during the execution of a request. Specifically,
        it enables developers to configure html error pages
        to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly"
                      defaultRedirect="GenericErrorPage.htm">
          <error statusCode="403" redirect="NoAccess.htm" />
          <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
    -->
  </system.web>
</configuration>

//Tony


Uri Dimant

Dec 28, 2009, 1:13:51 AM
Tony

> SQL server when this account is not
> listed in the Logins. This account ASPNET should not in any way have
> access to SQL Server.

Perhaps this account is a member of the Administrators group on that
machine.


"Tony Johansson" <johansson...@telia.com> wrote in message
news:3UQZm.13970$U5.2...@newsb.telia.net...

Tony Johansson

Dec 28, 2009, 5:03:26 AM
I have triple checked that the account ASPNET is not a member of any group.

But to help me find out more information about this kind of problem I did
the following.
I started SQL Server Management Studio Express for SQL Server 2005 and
selected Security->Logins and right clicked and selected Properties on the item
BUILTIN\Users.
In this dialog, Login Properties - BUILTIN\Users, I clicked on Status in the
section "Select a page" and set
the radio button "permission to connect to database engine" to Deny.

When I now enter this URL http://localhost/Northwind/customerdata.aspx
in the browser I get this error message: Login failed for user
'HEMPC\ASPNET'.

So because of this kind of error message it seems to me that the
account name ASPNET is
a member of the Windows group Users even though I know that ASPNET is not
included in the group.

There is a one to one connection between the Windows group Users and the SQL
Server group
BUILTIN\Users.

So I checked these users again in My Computer by right clicking on My Computer
and selecting Manage.
If I list all users that are members of Users I get these three:
NT INSTANS \Autentiserade users (S-1-5-11)
NT INSTANS\INTERAKTIV (S-1-5-4)
SQLDebugger

So my question is still: how can this account ASPNET be a member of the
Windows group Users?


//Tony


"Uri Dimant" <ur...@iscar.co.il> wrote in message
news:uu%23utS4h...@TK2MSFTNGP05.phx.gbl...

Fred

Dec 28, 2009, 5:22:21 AM

"Tony Johansson" <johansson...@telia.com> wrote in discussion group
message: On%Zm.13984$U5.2...@newsb.telia.net...

> I have triple checked that the account ASPNET is not a member of any
> group.

Have a look here
http://support.microsoft.com/kb/317012/en-us

Did you try command line tools like "net group" and "net localgroup" ?

--
Fred
fol...@free.fr

Tony Johansson

Dec 28, 2009, 6:20:27 AM
I read this article http://support.microsoft.com/kb/317012/en-us and in one
place the article said that
the ASPNET account is created as a local account when you install ASP.NET.
The ASPNET account belongs only to the Users group on that computer.

From the beginning it was a member of the Users group, but just to learn
how this works I
removed it. I can easily just add it back again.

But I mean, if I remove the account name ASPNET it must be taken away from
that Users group.
As I mentioned, if I check this it has indeed been removed from the Users group.

I do want to understand this so I hope somebody can help me explain how
ASPNET can be a member
of the Users group when it has been removed from this group.

I did the command "net localgroup" and below is the result
C:\Program\Microsoft Visual Studio 8\VC>net localgroup

Alias för \\HEMPC

-------------------------------------------------------------------------------
*Administratörer
*Ansvariga för nätverkskonfigurering
*Ansvariga för replikering
*Ansvariga för säkerhetskopiering
*Användare
*Användare av fjärrskrivbord
*Debugger Users
*Gäster
*HEMPC Admins
*HEMPC Authors
*HEMPC Browsers
*Hjälptjänster
*Privilegierade användare
*SQLServer2005MSSQLServerADHelperUser$HEMPC
*SQLServer2005MSSQLUser$HEMPC$SQLEXPRESS
*SQLServer2005SQLBrowserUser$HEMPC
*Testning
*VS Developers
Kommandot har utförts.

I also did the command net group and below is the result from that command
C:\Program\Microsoft Visual Studio 8\VC>net group
This command can only be used on Windows-domaincontrollers. (This row is a
translation from my language)


//Tony


"Fred" <fol...@free.fr.invalid> wrote in message
news:%23Hd8le6...@TK2MSFTNGP06.phx.gbl...
>
>
> "Tony Johansson" <johansson...@telia.com> wrote in message

Michael Coles

Dec 28, 2009, 8:13:08 AM
I don't know much about IIS but have you verified that it's not using *your*
login credentials (maybe impersonation?) to access the SQL instance? You
might also try posting to one of the IIS groups, since this seems more
likely an IIS issue than a SQL Server issue. I say this because IIS is
apparently passing some valid credentials ("Integrated Security=True")
through to your SQL instance. It may just be a simple setting in IIS
Manager like (and keep in mind this is just a guess) ASP.NET Impersonation
Settings, or something similar.

--
Thanks

Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption"
(http://www.apress.com/book/view/1430224649)
----------------

"Tony Johansson" <johansson...@telia.com> wrote in message
news:3UQZm.13970$U5.2...@newsb.telia.net...

Jay

Dec 28, 2009, 8:45:39 AM
This is a very good idea.

Change the query in your web page to:

select USER_NAME(), CURRENT_USER;

and see what it says.

"Michael Coles" <ad...@geocodenet.com> wrote in message
news:9EAE441E-63C0-4FA2...@microsoft.com...

Norman Yuan

Dec 28, 2009, 9:33:48 AM
Since you run http://localhost/Northwind/customerdata.aspx, it is obviously
an ASP.NET application. An ASP.NET application does not necessarily always
run with the MachineName\ASPNET account. It depends on how you configure
IIS and the ASP.NET application. For example, you could impersonate in your
ASP.NET application so that the user's credentials would be used as the running account.
The IIS version also makes a difference, depending on IIS5 (XP) or IIS6/7...

So, you need to first make it clear which account is used to run your
ASP.NET application. It sounds like in your case the ASPNET account isn't used.
This is more of an ASP.NET issue, so I am not going to say more on this.

There is another possibility, which I am not sure if you may be aware of or
not, depending on your ASP.NET/SQL Express knowledge: if you are doing an
ASP.NET project as learning by following an example from a book, the ASP.NET
project may use SQL Server Express' USER INSTANCE. This simplifies SQL
Server Express access configuration on one hand, but confuses and misleads
beginners greatly on the other hand.


"Tony Johansson" <johansson...@telia.com> wrote in message
news:3UQZm.13970$U5.2...@newsb.telia.net...

Tony Johansson

Dec 28, 2009, 12:27:05 PM
When I enter this URL in the browser
http://localhost/Northwind/customerdata.aspx
and check the result for this select USER_NAME(), CURRENT_USER; in the page,
I get guest as the result.

So how can account ASPNET be using guest to connect and use the Northwind
database when
I use the IIS 5 which is used in XP.

If I run from VS and have this select USER_NAME(), CURRENT_USER
I get dbo.

So my question is how can account ASPNET be using guest to connect and use
the Northwind database when
I use the IIS 5 which is used in XP.

//Tony


"Jay" <sp...@nospam.org> wrote in message
news:OscjCQ8h...@TK2MSFTNGP06.phx.gbl...

Jay

Dec 28, 2009, 10:36:42 PM
If you have a SQL Server login of "guest", then you should disable it. If
you just have a schema for "guest", I have no frickin clue.

Either way, you now know the user asp is using to access the system.

"Tony Johansson" <johansson...@telia.com> wrote in message

news:JT5_m.14023$U5.2...@newsb.telia.net...

Tibor Karaszi

Dec 29, 2009, 3:42:54 AM
Both those functions return the user name. We are more interested in the
login name. Use for instance the SUSER_SNAME() function for that.

--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://sqlblog.com/blogs/tibor_karaszi

"Tony Johansson" <johansson...@telia.com> wrote in message

news:JT5_m.14023$U5.2...@newsb.telia.net...

Tony Johansson

Dec 29, 2009, 7:56:25 AM
When using IIS I get ASPNET from this SUSER_SNAME()
and when I used Visual Studio
I get my account Tony that I used to log in to my machine.

//Tony


"Tibor Karaszi" <tibor_please.n...@hotmail.nomail.com> wrote in
message news:ua%23sWLGi...@TK2MSFTNGP02.phx.gbl...

Jay

Dec 29, 2009, 11:59:15 AM
Then there is an account "ASPNET" visible in MS under Security/Logins for
your instance.

"Tony Johansson" <johansson...@telia.com> wrote in message

news:Z%m_m.14043$U5.2...@newsb.telia.net...

Tibor Karaszi

Dec 29, 2009, 12:22:24 PM
... or a Windows group of which ASPNET is a member (assuming we're talking
about a Windows connection here).

"Jay" <sp...@nospam.org> wrote in message
news:eTk33gKi...@TK2MSFTNGP06.phx.gbl...
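
Added example, not part of any post in this thread: a T-SQL diagnostic that pulls together the checks suggested above (login name versus database user, logins granted to a Windows group such as BUILTIN\Users, and the guest user). The account name HEMPC\ASPNET is taken from the thread; queries 1 to 3 are assumed to run over the web page's own connection, and query 4 from an administrator session.

```sql
-- Added example (not from the thread).

-- 1. Login (server level) versus user (database level) for this session.
SELECT SUSER_SNAME() AS login_name,     -- Windows account that authenticated
       USER_NAME()   AS database_user;  -- principal it maps to in this database

-- 2. Every principal in this session's login token, with the server login
--    (if any) that has the same SID. A Windows account that has no login of
--    its own is admitted through one of the group rows that shows a match.
SELECT lt.name  AS token_principal,
       lt.type  AS token_type,
       lt.usage AS token_usage,         -- GRANT OR DENY / DENY ONLY
       sp.name  AS matching_server_login
FROM sys.login_token AS lt
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = lt.sid
ORDER BY lt.usage, lt.name;

-- 3. Does the guest user hold CONNECT in the current database? If a row with
--    state_desc = 'GRANT' comes back, a login with no database user of its
--    own is let into this database as guest.
SELECT dp.state_desc, dp.permission_name
FROM sys.database_permissions AS dp
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
  AND dp.class = 0                      -- database-level permission
  AND dp.permission_name = 'CONNECT';

-- 4. From an administrator session: the "permission path" column names the
--    login or group through which the Windows account reaches the instance.
EXEC master.dbo.xp_logininfo 'HEMPC\ASPNET', 'all';
```

To close the guest path in a user database, `REVOKE CONNECT FROM guest;` run in that database removes the permission that query 3 reports.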
