Dave Burke - Freelance .NET Developer specializing in Online Communities


Username="SYSTEM" UPDATE

We moved to VS.NET 1.1 last week and all has gone pretty smoothly. I did discover the other day that certain web controls no longer served up the data which originated from various remote server shares. Once I knew the problem the fix was obvious: it was time to modify the default machine.config file installed with the 1.1 Framework (.../Framework/v1.1.4322/CONFIG/machine.config).

Changing USERNAME="machine" to USERNAME="SYSTEM" in the PROCESSMODEL section did the trick.  Perhaps .NET should be set to Username="SYSTEM" by default?

Update: Many thanks to Jim Blizzard and G. Andrew Duthie (again) for straightening me out on this and for showing me that it is definitely not a best practice. I'll be changing the machine.config username back to the “machine” default and using impersonation in the web.config. See Comments.

Posted: Aug 29 2003, 11:26 PM by daveburke | with 5 comment(s)
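
As an added example (not part of the original post and not code from ASP.NET), this Python script flags a `<processModel>` element that runs the worker process as SYSTEM and reports `<identity impersonate>` settings, the two settings the update and the comments discuss. The sample configs are constructed, and the names `audit_config` and `_attr` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the post).
MACHINE_CONFIG_RISKY = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
</system.web></configuration>"""

MACHINE_CONFIG_DEFAULT = """<configuration><system.web>
  <processModel enable="true" userName="machine" password="AutoGenerate" />
</system.web></configuration>"""

WEB_CONFIG_IMPERSONATE = """<configuration><system.web>
  <identity impersonate="true" />
</system.web></configuration>"""


def _attr(elem, name):
    """Case-insensitive lookup, so a mis-cased attribute is still reported."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_config(xml_text):
    """Return a list of findings for one machine.config/web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.lower()
        if tag == "processmodel":
            user = (_attr(elem, "userName") or "machine").strip()
            if user.lower() == "system":
                findings.append("HIGH: processModel userName=SYSTEM; worker process runs as LocalSystem")
            elif user.lower() != "machine":
                findings.append(f"INFO: processModel runs as custom account '{user}'")
        elif tag == "identity":
            if (_attr(elem, "impersonate") or "false").lower() == "true":
                who = _attr(elem, "userName") or "the IIS-supplied caller identity"
                findings.append(f"INFO: impersonation enabled as {who}")
    return findings


if __name__ == "__main__":
    for name, text in [("risky", MACHINE_CONFIG_RISKY),
                       ("default", MACHINE_CONFIG_DEFAULT),
                       ("web.config", WEB_CONFIG_IMPERSONATE)]:
        print(name, audit_config(text) or ["OK: no findings"])
```
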

Comments

jim blizzard said:

Yikes! No! Do so with care! (Better yet, don't do it at all!) USERNAME="SYSTEM" gives ASP.NET too much power. It runs as a system account (super user in the Unix world), which means that a hacker or a poorly written app could do bad things. If you need more capability, use impersonation, etc. There are better (i.e., much less risky) ways.
# August 30, 2003 2:56 AM

Dave Burke said:

Runs as SA??? I thought it ran as the local ASPNET account. Thanks, Jim! I'll look into it.
# August 30, 2003 10:35 AM

G. Andrew Duthie said:

As Jim points out, you most definitely don't want to "solve" your data access problems by running the ASP.NET worker process as SYSTEM. SYSTEM is an administrator-level account (which is why it "solves" your data access problem, because the Administrators group is added to SQL Server by default, and may also solve network access issues as well).

Given that both ASP.NET v1.0 and v1.1 default to "machine" (which is the ASPNET account on Win2K and XP and the NetworkService account for IIS 6...note that when IIS 6 is running in native mode, the <processModel> element is ignored), the problem with your upgrade must lie somewhere else. I would strongly recommend troubleshooting the actual cause of the problem rather than changing the ASP.NET process identity.
# August 30, 2003 12:44 PM

G. Andrew Duthie said:

BTW - During the beta for ASP.NET 1.0, the default process identity *was* SYSTEM...the team decided to change it at the last minute because it presented a significant security risk if the ASP.NET process was ever compromised.
# August 30, 2003 12:45 PM

Tim Barton said:

I used system because ASPNET could write to the registry for my web app. I tried everything with no luck.
# December 3, 2003 12:40 PM