I run a simple .aspx website on a Windows Server 2008 machine.
There is NO impersonation, and
System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT
AUTHORITY\NETWORK SERVICE, which is the account under which the application
pool runs. In my web.config, I have <authentication mode="Forms">.
I tried to test the security of the
application and server by removing file permissions to the .aspx files. I
was greatly worried when the website continued to run without problem
(it should not have been able to read the .aspx files).
On file level auditing, I discovered that the .aspx files were being
read by the machine$ account (if the machine is called Serv1, then the
files would be read by the Serv1$ account, which seems to have access to
all files on the local machine).
Is this a security breach or is this behaviour by design?
Please can somebody assist, as I am worried.