How To: Secure an ASP.NET Application on a Shared Server
A shared Web server that hosts multiple applications for different customers has the added responsibility to ensure that each application along with the application data be secured so that it is kept private from other application users on the server. The following procedure details the steps to take to secure an ASP.NET application on a shared server.
To Secure an ASP.NET Application on a Shared Server
Host the Web application on a Windows Server 2003. Ensure that the files for your application are stored on a drive that has been formatted using the NTFS file system.
Because all ASP.NET applications run with a single process identity (the local ASPNET account) on Windows 2000 and Windows XP Professional, you cannot truly isolate an application unless you are running on a Windows Server 2003.
In the Computer Management snap-in on your Web server (located in the Administrative Tools folder), select Local Users and Groups under System Tools. Add a new user. This user will be the identity of your application pool, also known as the process identity for your ASP.NET application.
In the Groups folder under Local Users and Groups, add the identity that you just created for your application to the IIS_WPG group. This will ensure that the new identity has the necessary permissions to run as an identity for an application pool.
Using the Internet Information Services (IIS) Manager on your Web server, create an application pool for the application.
Open the properties page for your new application pool and select the Identity tab. Set the identity as Configurable and supply the User name and Password of your application pool identity created previously.
In the Web Sites folder of the Internet Information (IIS) Services Manager, open the properties page for your application. Set the Application Pool of your Web application to the application pool that you just created. You may need to click the Create button to create your Web application as an application, if you have not already done so.
You can place multiple applications in an application pool. Be sure to restrict the applications in an application pool to only those applications that can share data, such as multiple applications for a single customer.
Create a directory for your application pool that will contain the temporary files for the applications in the pool. In the Web.config files for all of the applications in the application pool, specify this new directory as the temporary directory for the application using the tempDirectory attribute of the compilationconfiguration section. For example:
<configuration> <system.web> <compilation tempDirectory="C:\WebApps\AppPool1_Temp" /> </system.web> </configuration>
In the Windows file system. Set the security Access Control Lists (ACLs) so that the application pool identity and any impersonated identities (see ASP.NET Impersonation) for your application have the appropriate access to the files and subdirectories that make up your application, as well as full access to the temporary directory created previously. Remove the IIS_WPG group from these ACLs. Ensure that other users on the server do not have access to these files and folders unless required. This includes removing general groups such as the Everyone or Users groups. Ensure that any impersonated identities are included in the ACLs listed in ASP.NET Required Access Control Lists (ACLs).
You can also improve the security of your application by encrypting any sensitive information in your Web.config files using protected configuration. For more information, see Encrypting Configuration Information Using Protected Configuration.