Why Full Trust hosting is not recommended when using a shared ASP.NET or shared Windows hosting plan?

The default trust level for ASP.NET web applications is Full, which grants unrestricted permissions. This is a dangerous trust level when working in a shared environment because it allows one web application to interact with the file system of other web applications on the same server.

For example, if you are in a shared environment that physically arranges its shared web applications in a common folder (i.e., C:\Inetpub\wwwroot\WebApp1, C:\Inetpub\wwwroot\WebApp2, …, C:\Inetpub\wwwroot\WebApp3, and so on), one web application could use the following code to display the Web.config contents of all of the other web applications on the server:

For Each folder As DirectoryInfo In parentPathInfo.GetDirectories()
Dim fileOfInterest As String = Path.Combine(folder.FullName, "Web.config")
If File.Exists(fileOfInterest) Then
Dim webConfigReader As StreamReader = File.OpenText(fileOfInterest)
Response.Write(String.Format("<p><b>Data for File {0}:</b></p><p>{1}</p><hr />", fileOfInterest, _                                                 Server.HtmlEncode(webConfigReader.ReadToEnd())))
webConfigReader.Close()
End If
Next

Since connection strings are usually placed in Web.config, the user running the above code would now be able to connect to other customers databases, where there might be sensitive customer information. The point is, if an ASP.NET application is running in full trust, there’s nothing to stop them from reading, creating, modifying, or deleting files in your web application’s file system.

Looking for good Full Trust Windows / ASP.NET Hosting Plans - Try Webhost4life OR Alentus (We have been using them for years now) 

Fortunately, most web hosting companies follow the advice in Microsoft’s ASP.NET 2.0 Hosting Deployment Guide and place their shared web applications in medium trust. This is accomplished by modifying the machine-level Web.config file in the %windir%\Microsoft.NET\Framework\{version}\CONFIG folder. Moreover, this setting can be locked by the web hosting company.

Here are the permissions granted by the medium trust level:

Medium
Permissions are limited to what the application can access within the directory structure of the application.
No file access is permitted outside of the application’s virtual directory hierarchy.
Can access SQL Server
Can send email by using SMTP servers
Limited rights to certain common environment variables
No reflection permissions whatsoever
No sockets permission
To access Web resources, you must explicitly add endpoint ‘URLs’ - either in the originUrl attribute of the element or inside the policy file.

The following exceptions have been granted in addition to the ones listed above:
ODBC
OLEDB
Reflection Permissions
Web Permission

The main differences between ASP.NET 1.1 and ASP.NET 2.0 for the trust levels are the following:
In version 2.0, SQL Server access is available at Medium trust level because the SQL Server .NET Data Provider no longer demands full trust. In version 2.0, SMTP Permission is available at Full, High and Medium trust levels. This allows applications to send email.

To protect shared environment, you can also set the CAS (code access security) Level to Custom (some hosting companies do provide these settings). The custom setting is basically medium level with some exceptions including ODBC, OLEDB, sockets, Reflection Permissions and Web Permissions. Hosting company can set these custom permissions and can add more privileges. This setting cannot be overridden though, which is good.

How to grant Full Trust to your ASP.NET web site on your VPS / Dedicated Server

On your Virtual Private Server or Dedicated server browse to the configuration folder

Normally installation path will be - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG

Open the web.config in notepad

Place following lines at the top of you config with the <configuration> directive replacing yourdomain.com with the name of the IIS web you wish to grant full trust to.

<location path=”yourdomain.com” allowOverride=”true”>
<system.web>
<trust level=”Full” originUrl=”" />
</system.web>
</location>

Other Full Trust Hosting and ASP.NET related articles -

• What is ASP.NET Full trust hosting? and A few good Full trust hosting plans.
• Install dasBlog, you need Full trust hosting (or modified full trust)
• What is ASP.NET and what is ASP.NET hosting?

Now your web.config will look like -

<?xml version=”1.0″ encoding=”utf-8″?>
<!– the root web configuration file –>
<configuration>
<!–
Using a location directive with a missing path attribute
scopes the configuration to the entire machine.  If used in
conjunction with allowOverride=”false”, it can be used to
prevent configuration from being altered on the machine

Administrators that want to restrict permissions granted to
web applications should change the default Trust level and ensure
that overrides are not allowed
–>
<location allowOverride=”true”>
<system.web>
<securityPolicy>
<trustLevel path=”yourdomain.com” name=”Full” policyFile=”internal” />
</securityPolicy>
<trust level=”Full” originUrl=”" />
</system.web>
</location>
<system.net>
<defaultProxy>
<proxy usesystemdefault=”true” />
</defaultProxy>
</system.net>

Looking for good Full or Modified Medium Trust Windows / ASP.NET Hosting Plans - Try Webhost4life OR Alentus (We have been using them for years now)

Facebook attacked by Koobface virus. Are social networking users more vulnerable to virus attacks?

BOSTON (Reuters)—Facebook’s 120 million users are being targeted by a virus dubbed “Koobface” that uses the social network’s messaging system to infect PCs, then tries to gather sensitive information such as credit card numbers.

It is the latest attack by hackers increasingly looking to prey on users of social networking sites.

“A few other viruses have tried to use Facebook in similar ways to propagate themselves,” Facebook spokesman Barry Schnitt said in an e-mail. He said a “very small percentage of users” had been affected by these viruses.

“It is on the rise, relative to other threats like e-mails,” said Craig Schmugar, a researcher with McAfee Inc.

Koobface spreads by sending notes to friends of someone whose PC has been infected. The messages, with subject headers like, “You look just awesome in this new movie,” direct recipients to a website where they are asked to download what it claims is an update of Adobe Systems Inc’s Flash player.

If they download the software, users end up with an infected computer, which then takes users to contaminated sites when they try to use search engines from Google, Yahoo, MSN and Live.com, according McAfee.

McAfee warned in a blog entry on Wednesday that its researchers had discovered that Koobface was making the rounds on Facebook.

Social network MySpace, owned by News Corp, was hit by a version of Koobface in August and used security technology to eradicate it, according to a company spokeswoman. The virus has not cropped up since then, she said.

Facebook has told members to delete contaminated e-mails and has posted directions at www.facebook.com/security on how to clean infected computers.

So as opposed to network attacks, online users can increasingly be infected by viruses by simply visiting everyday Web sites, the 13th edition of the Internet Security Threat Report prepared by leading security provider, Symantec Corporation said.

In the last few years spammers took the security industry by storm and showcased their new tactics and techniques for mass disruption. It seems like the trend will continue to grow and now social networking sites will also be used to filter information directly from users computers. I personally think social networking sites are most vulnerable because as they are login based most of the users trust the messages, videos and pictures and other sources of information and thus don’t think twice before clicking.

Well, it looks like things need to change and that too pretty soon. Happy Blogging!

Open Source Content Management System - Code named "Oxite" released by Microsoft

Microsoft via its CodePlex site has released an alpha version of its Open source CMS code named "Oxite"

Microsoft made the Oxite source code available for download on December 5. Oxite is available under the Microsoft Public License (MS-Pl), one of its OSI-certified open-source licenses.

Here is a Microsoft’s description of "Oxite" -

“Oxite provides you with a strong foundation you can build upon - pingbacks, trackbacks, anonymous or authenticated commenting (with optional moderation), gravatar support, RSS feeds at any page level, support for MetaWebLog API (think Windows Live Writer integration made easy), web admin panel, support for Open Search format allowing users to search your site using their browser’s search box, and more - so, you can spend time on designing a great experience.”

Microsoft claims that "Oxite" is more then a blogging engine and can support large web sites.

I was wondering why Microsoft felt a need to develop another content-management system, given that SharePoint Server provides content-management functionality.  One obvious difference is the open-/closed-source aspect of the projects.

For last couple of years, Microsoft is aggressively showing its interest in the Open Source Projects and is trying to make a mark in the open source developer’s market. For more information on Microsoft’s Open Source initiatives you can visit this link - http://www.microsoft.com/opensource/

What is ASP.NET and what is ASP.NET hosting?

ASP.NET is a web scripting language that has been around the web application field for many years now. Initially, it was used and coded / related as well-known Visual Studio 2003 based on .NET version 1.0, and more recently as Visual Studio 2008, based on .NET version 3.5. Around 4-5 years ago, several developers took a big jump from the regular ASP to .NET by including several Microsoft applications, application scripts and add-ons. An array of hybrid scripts and applications ensured the development of ASP.Net hosting.

This special ASP web hosting solution provide many intuitive features like cross platform compatibility, quick application development, robust features and an added advantage of using the old VB applications. The magnanimous transformation to a .NET developmental environment was very expensive and costly, and the changeover was not cosmetic at all. It was a huge transformation beyond everybody’s expectation.

Good ASP.NET web hosting plan -

WebHost4Life.com (Click HERE to visit) - WebHost4Life Hosting is the most affordable, reliable and flexible hosting provider. I have a number of sites with them and they are really fantastic.

Using an ASP.NET based web hosting solution is very costly affair and it may create a huge overhead for small to medium sized web sites. Hosting a web site on the platform poses many challenges and difficulties as developers are still trying to overcome.

For example - one of the hosting problems faced by ASP.NET developers is running there ASP.NET web applications with Medium Trust or Full Trust. Not all web hosts provide Full Trust Hosting because of obvious security reasons. But a lot of applications designed in ASP.NET and available on the web do need Full Trust Hosting to run as expected. If you are curious to know more about Medium trust and Full trust hosting, I have written a previous post on Full Trust hosting that can be reached by clicking here -  What is ASP.NET Full trust hosting? and A few good Full trust hosting plans.

Some of the advantages of ASP.NET hosting are:

• ASP.NET is the latest technology from Microsoft for the express development of web applications. An intuitive paradigm called .NET Framework makes the backbone of the web application. This special framework along with IIS ensures that the web server created is robust and sturdy and the web application development is a breeze.
• ASP.NET web servers offer you the abilities to develop very powerful database driven applications. It is also subject oriented and includes many special tools for the programmers.
• Applications developed on the web servers are ultra quick and lightening fast. The server response is also quicker and the user’s web experience is excellent. Developers can play around with server cache by using a  set of commands via code.
• ASP.NET web hosting allows you to create a cache memory of those pages that your site visitors frequently visit for fresh and updated information.
• It is also possible to integrate several web part controls within the ASP.NET web server. Web Parts is a new breed of efficient controls that enable you to add rich, professional content, design and layout to your website, in addition to the capability to edit and change that content, design and layout directly from an application page.
• It is also fairly easy to include a number of administration, extensibility, management, performance, and scalability enhancements.
• Themes and skins are easy to change with an ASP.NET web hosting package. You can define and set style information as a theme and apply that particular style information on a global basis to pages or controls.
• You do not have to wait for a long time to get your site up and running. You can even start uploading your web applications right away in a moment!
• ASP.NET web hosting also allows you to self manage Backup / Recovery of invaluable customer data and its reinvent facility backs up all data on a daily basis and is readily available for recovery at anytime at your express request.

ASP.NET web hosting is a very good framework for instantly creating a new array of more efficient, highly interactive and personalized web surfing ambience that work across all the most popular browsers like IE, Firefox and Opera. However, one of the prominent disadvantages of ASP.Net web hosting is that it requires hosting only on a Microsoft web server, which should not deter you, unless you have other critical needs and requirements.

At present, most of database driven web sites depend on the fantastic technology of ASP.NET, just to protect and retain their invaluable data and information. As the demand for dynamic web applications grows rapidly, you will need to take a deep look at highly advanced and sophisticated web hosting servers that run and managed by highly efficient ASP.NET technology.

Another issue with ASP.NET application hosting is its deployment. As it was said by some one “There is more to putting up a good Web application than just developing it“. I have collected a few useful links / URLs that will help you host and deploy your ASP.NET web applications effectively.

If you are looking for ASP .Net hosting, here is a high quality ASP.NET web hosting provider -
WebHost4Life.com (Click HERE to visit)

• K. Scott Allen’s “10 Tips for Shrink-wrapping ASP.NET Applications”
• This is one of the many tips from Scott Gu’s ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas series.
• The Microsoft ASP.NET 2.0 Hosting Deployment Guide (downloadable Word doc)
• Top 10 Best Practices for Production ASP.NET Applications by Kyle

« Previous Page — Next Page »