What's the harm in giving full trust to a website when ACL's are in place?

Some websites require full trust for whatever reason like using third party controls which require full trust.

This is the scenario: say you're hosting a site with full trust and the site owner decided to do something nefarious on the system. The site can only connect to its database. The site is running under a user which is only used for that site. That user has locked down rights on the file system where they can only write/delete/read files in the site's folder/subfolders, in the system's temp folder and in the 'Temporary ASP.NET Files' folder.

My question is can a full trust web site do any harm to the system where the admin can't control? I am no expert in asp.net security but I think one can create a custom config file for the site where certain permissions are revoked while giving them full trust?

I appreciate posting a good resource on securing full trust sites. I don't believe full trust equals having a free ride on the system!

13.10.2009 19:07:54
I vote to bring Little Bobby Tables into the discussion, see what he has to say...
rtperson 13.10.2009 20:20:19

The risk is there may be things you (we) haven't thought of. It's not like Windows has never had a bug to allow user escalation.

13.10.2009 19:57:00