CSA - random temp file in windows folder, no extension
So I have this ASP.NET application that insists on placing its temp files directly in the Windows directory. AND it doesn't use any kind of extension. So how do you allow this without making the windows folder vulnerable?
Here is an example of the event:
TESTMODE: The process 'C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe' (as user NT AUTHORITY\NETWORK SERVICE) attempted to access 'C:\WINDOWS\2Z1J1J1Q1Q8Q8Q8X'. The attempted access was a write (operation = OPEN/CREATE). The operation would have been denied.
Wow, crazy! Okay do this:
- create a new File Access Control rule
- set to Priority Allow
- choose your application (in my case, ASP.NET)
- check Read and Write
- create new File Set
- Directories matching: @windows
- Files matching: ????????????????
- but not: *.*
Okay so here is what this does. I compared all the events, and I noticed that the random file is always exactly 16 standard characters, with no extension. The question mark (?) is a single alphanumeric wildcard. By wildcarding the exact size of the string, but not allowing anything with a period (. for an extension), I now have a file set that matches what I need to exclude.
Re: CSA - random temp file in windows folder, no extension
Thank you Richard!
Great response. I have similar problem. The difference is that this actually never happens - the .Net application tries to write to that default location, but it does not succeeds, because of security restrictions, but the event is actually logged.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...