Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
464
Views
0
Helpful
3
Replies

CSA - random temp file in windows folder, no extension

RichardSW
Level 1
Level 1

‎08-24-2008 05:32 PM - edited ‎03-09-2019 09:20 PM

So I have this ASP.NET application that insists on placing its temp files directly in the Windows directory. AND it doesn't use any kind of extension. So how do you allow this without making the windows folder vulnerable?

Here is an example of the event:

TESTMODE: The process 'C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe' (as user NT AUTHORITY\NETWORK SERVICE) attempted to access 'C:\WINDOWS\2Z1J1J1Q1Q8Q8Q8X'. The attempted access was a write (operation = OPEN/CREATE). The operation would have been denied.

Wow, crazy! Okay do this:

- create a new File Access Control rule

- set to Priority Allow

- choose your application (in my case, ASP.NET)

- check Read and Write

- create new File Set

- Directories matching: @windows

- Files matching: ????????????????

- but not: *.*

Okay so here is what this does. I compared all the events, and I noticed that the random file is always exactly 16 standard characters, with no extension. The question mark (?) is a single alphanumeric wildcard. By wildcarding the exact size of the string, but not allowing anything with a period (. for an extension), I now have a file set that matches what I need to exclude.

Hope that helps someone with a similar oddity.

Labels:
0 Helpful
3 Replies 3

rnaydenov
Level 1
Level 1

‎08-24-2008 11:48 PM

Thank you Richard!

Great response. I have similar problem. The difference is that this actually never happens - the .Net application tries to write to that default location, but it does not succeeds, because of security restrictions, but the event is actually logged.

Do you know of a way to get around this?

0 Helpful

RichardSW
Level 1
Level 1
In response to rnaydenov

‎08-25-2008 05:10 AM

Sure, I have a complete .NET module built from scratch to take care of this. But you probably don't need the whole thing - can you post a sample event?

0 Helpful

rnaydenov
Level 1
Level 1
In response to RichardSW

‎08-26-2008 07:47 AM

It looks exactly the same - that is why I cannot differentiate between what is real message and what not

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents