On Mon, October 13, 2008 15:23, Graeme Fowler wrote:
> On Mon, 2008-10-13 at 15:13 -0500, David Dyer-Bennet wrote:
>> My desktop system is part of the corporate domain. So are the desktops of
>> the people doing Windows development. Why would making a server part of
>> the domain be any more dangerous than that? And that's standard anywhere
>> that does Windows development.
>
> You're personally fairly unlikely to run code as a system account,
> especially when developing - you're more likely to run it as yourself.
> Of course, many developers and sysadmins make themselves admins on their
> own machines (makes installing software just *so* much more convenient
> than doing "runas") so the security arguments in those cases are
> slightly damaged anyway :)

I think "myself" is defaulting to being an admin on my desktop -- at least I
never have any trouble installing code on this system. (*Not* a Windows
admin expert!)

> Allowing arbitrary code (think of the mass of .NET examples out there)
> to be executed under the IIS framework is a dangerous game, especially
> (as is often the case) when it's being executed by a user with elevated
> privileges (like the Network Service user which IIRC is the default user
> for IIS code execution).
>
> This is, of course, a massive Catch-22 for hosting operations, and is
> the reason why app pools came along in IIS6 which allowed almost
> complete segregation of execution environments which themselves ran as
> non-privileged users. Much tidier than it used to be.

Yep, hosting gets complicated, that's for sure!

> In your environment you might not be exposing the web servers to that
> nasty Intertubes thingmy, which makes security all the easier to manage.

Right, we're not.

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
