Scott Hanselman

Accessing Mapped Network Drives via ASP.NET in IIS 6

April 11, '07 Comments [2] Posted in ASP.NET
Sponsored By

A question came up at work today, "How do I access mapped network drives in ASP.NET under IIS 6? It worked before I got IIS 6 and Windows 2003."

IIS 6 and Windows 2003 are considerably more locked down versus previous versions. Additionally, accessing drives via mapped drive letters is frowned upon, likely the layer of redirection, as drives can be REMAPPED by evil-doers.

The preferred way to access network shares is via UNC.If you really wanna use Mapped Drives, there's KB257174.

There's also KB207671 on "How to access network files from IIS applications." This is a pretty funny KB, specifically because of it's first suggestion:

Following are ways to avoid problems when you access network resources from your IIS application:

  • Keep files on the local computer.

This is the equivalent of the classic "Doctor, it hurts when I do this." "Well, don't do that."

The most useful tip in that KB article is the one about Auditing Logons. Rather than guessing or treating IIS as a black box, turn on Login Auditing:

If you cannot determine what kind of logon is occurring on your IIS server to handle requests, you can turn on auditing for Logons and Logoffs. Follow these steps:

1. Click Start, click Settings, click Control Panel, click Administrative Tools, and then click Local Security Policy.

2. After you open Local Security Policy, in the left Tree View pane, click Security Settings, click Local Policies, and then click Audit Policy.

3. Double-click Audit Logon Event and then click Success and Failure. Event Log entries are added under the Security log. You can determine the kind of logon by looking at the event details under the Logon Type:

  2=Interactive, 3=Network, 4=Batch, 5=Service

 No matter how you choose to accomplish your goal, always be aware of the Identity of your Worker Process. That might be ASPNET_WP or W3WP and it might be NETWORKSERVICE, or IUSR_MACHINE Name. Always use the weakest possible user, and make sure the files and the share have the minimal access needed. Don't run your Worker Process as anyone with any power or Administrator to solve file access problems.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Wednesday, April 11, 2007 11:20:38 PM UTC
You can also use temporary Impersonation to authenticate as some pre-determined user with access limited to only the network resources needed for that application. We did this at my previous employer - made the network admins happy and allowed us to easily access the resources we needed.
Thursday, April 12, 2007 1:25:29 AM UTC
This isn't IIS related -- but for the first time last week I tried using a mapped drive for accessing a WebDAV directory instead of the normal URI, and it was like night and day. The mapped drive was so much FASTER. It really surprised me. (Client=XP Pro, Server=2003)
Tony
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.