Some websites require full trust for whatever reason like using third party controls which require full trust.
This is the scenario: say you're hosting a site with full trust and the site owner decided to do something nefarious on the system. The site can only connect to its database. The site is running under a user which is only used for that site. That user has locked down rights on the file system where they can only write/delete/read files in the site's folder/subfolders, in the system's temp folder and in the 'Temporary ASP.NET Files' folder.
My question is can a full trust web site do any harm to the system where the admin can't control? I am no expert in asp.net security but I think one can create a custom config file for the site where certain permissions are revoked while giving them full trust?
I appreciate posting a good resource on securing full trust sites. I don't believe full trust equals having a free ride on the system!
-
The risk is there may be things you (we) haven't thought of. It's not like Windows has never had a bug to allow user escalation.
0 comments:
Post a Comment