I have a simple ASP.net Web Forms Content Management System (CMS) running under IIS 7.5 on a shared hosting platform. The CMS allows authenticated users with an appropriate ASP.net Role access to a number of web pages that allow the site administrator to add/edit/delete folders, pages etc. Access to these admin pages is controlled via a 'gatekeeper' web.config file in the top-level admin folder.
The Network Service for this web application is given full file system rights to the whole web site so it can access and modify the pages therein.
Recently, a web site using this system has been 'hacked' and additional .html files have been added to the web site structure. I am fairly certain that the web forms authentication for each site has not been compromised (very limited user base), so I suspected an FTP security issue of some kind.
I contacted the web hosting company and they have suggested that it is the rights given to the site worker process (Network Service) that is the problem making the site open to such 'file injection' and the only way to stop the hacking would be to remove the rights from the Network Service account. The problem is that in so doing I would effectively disable the CMS system.
As you might have gathered, I am out of my depth here, so any information or advice on what I should be looking at and how the Network Service rights issue could open up this type of vulnerability would be much appreciated.
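As an added example (not code from the original post or from the CMS in question), here is a defender-side PowerShell audit for the situation described: it lists every folder under the site root where the worker-process identity holds rights that allow creating or modifying files, and then lists .html files created within a recent window. The site path, the identity name, the time window and PowerShell 3.0 or later are assumptions.

```powershell
# Added example: audit where the IIS worker-process identity can write, and
# which .html files appeared recently. Paths and identity are assumptions.
param(
    [string]$SiteRoot       = 'C:\inetpub\wwwroot\mysite',          # assumed path
    [string]$WorkerIdentity = 'NT AUTHORITY\NETWORK SERVICE',       # assumed identity
    [int]   $Days           = 14                                    # assumed window
)

# Rights that let a principal add or change files inside a folder.
# (CreateFiles and WriteData share the same bit; Modify and FullControl include it.)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WorkerWritableFolders {
    # Walk the site root and its subfolders; report each Allow ACE for the
    # worker identity whose rights intersect the write mask.
    $folders = @(Get-Item -Path $SiteRoot) + @(Get-ChildItem -Path $SiteRoot -Directory -Recurse)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq $WorkerIdentity -and
                (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited from the parent, or set here?
                }
            }
        }
    }
}

function Get-RecentHtmlFiles {
    # Files created inside the window; injected pages usually show up here.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $SiteRoot -Recurse -File -Include *.html, *.htm |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

"== Folders where $WorkerIdentity can create or modify files =="
Get-WorkerWritableFolders | Format-Table -AutoSize
"== .html/.htm files created in the last $Days days =="
Get-RecentHtmlFiles | Format-Table -AutoSize
```

The first list shows where write access is inherited from the site root rather than deliberately granted, which is the starting point for trimming the worker process to only the folders the CMS actually edits; the second gives the created-time of the injected files to correlate against the IIS and FTP logs.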