Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net (http://www.velocityreviews.com/forums/f29-asp-net.html)
-   -   Want to Reboot server from ASPX page (http://www.velocityreviews.com/forums/t76176-want-to-reboot-server-from-aspx-page.html)

=?Utf-8?B?VGVycnk=?= 04-18-2004 06:56 PM

Want to Reboot server from ASPX page
 
I am developing a asp.net web based service application for our product
I am trying to trigger a reboot of the server based on a user request
I believe I have all the appropriate code for AdjustingTokens etc an
all those calls seem to succeed, however, the final call to ExitWindowsE
is failing with 'Access Denied'

In my machine.config, I have already set the userName to 'System' as
seem to require this for some other functionality I implemented. I also trie
to impersonate a local user account with admin priviledges via my application
web.config file but that failed as well with the same 'Access Denied' (by th
way what exactly does 'impersonate' in the web.config do when the machine.config
file already lets me specify the user as 'SYSTEM'?

I expect there is some other security thing that I need to twiddle ... any ideas greatl
appreciated (with as much detail as possible, I am very new to this whole web securit
stuff)

Thanks

Terr


Chris Botha 04-18-2004 07:39 PM

Re: Want to Reboot server from ASPX page
 
Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurre nt().Name

"Terry" <anonymous@discussions.microsoft.com> wrote in message
news:27B39478-93C0-42AE-9ECE-A49E9EC01AE7@microsoft.com...
> I am developing a asp.net web based service application for our product.
> I am trying to trigger a reboot of the server based on a user request.
> I believe I have all the appropriate code for AdjustingTokens etc and
> all those calls seem to succeed, however, the final call to ExitWindowsEx
> is failing with 'Access Denied'.
>
> In my machine.config, I have already set the userName to 'System' as I
> seem to require this for some other functionality I implemented. I also

tried
> to impersonate a local user account with admin priviledges via my

applications
> web.config file but that failed as well with the same 'Access Denied' (by

the
> way what exactly does 'impersonate' in the web.config do when the

machine.config
> file already lets me specify the user as 'SYSTEM'?)
>
> I expect there is some other security thing that I need to twiddle ... any

ideas greatly
> appreciated (with as much detail as possible, I am very new to this whole

web security
> stuff).
>
> Thanks,
>
> Terry
>




=?Utf-8?B?VGVycnk=?= 04-18-2004 10:11 PM

Re: Want to Reboot server from ASPX page
 
OK, I have verified that the shutdown related code is working fine from
a regular app.

How do I switch off anonymous access to the virtual directory?
Are you talking about adding a statement like <deny user="?">
in my web.config file or are you talking about a setting in
the IIS Service Mgr.

I am using a simple application based 'Forms' authentication.
In this case if I use <identity impersonate="true" /> who would
it be impersonating ... or in this case because I am using Forms
authentication would I have to spell all that out like
<identity impersonate="true" userName="abc" password="def">

I am still a little puzzled by all this impersonate stuff ... if you do
impersonation what is the point of setting the user='SYSTEM' in
the machine.config file?

Thanks,

Terry

----- Chris Botha wrote: -----

Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurre nt().Name

"Terry" <anonymous@discussions.microsoft.com> wrote in message
news:27B39478-93C0-42AE-9ECE-A49E9EC01AE7@microsoft.com...
> I am developing a asp.net web based service application for our product.
> I am trying to trigger a reboot of the server based on a user request.
> I believe I have all the appropriate code for AdjustingTokens etc and
> all those calls seem to succeed, however, the final call to ExitWindowsEx
> is failing with 'Access Denied'.
>> In my machine.config, I have already set the userName to 'System' as I

> seem to require this for some other functionality I implemented. I also

tried
> to impersonate a local user account with admin priviledges via my

applications
> web.config file but that failed as well with the same 'Access Denied' (by

the
> way what exactly does 'impersonate' in the web.config do when the

machine.config
> file already lets me specify the user as 'SYSTEM'?)
>> I expect there is some other security thing that I need to twiddle ... any

ideas greatly
> appreciated (with as much detail as possible, I am very new to this whole

web security
> stuff).
>> Thanks,
>> Terry

>


Chris Botha 04-18-2004 10:43 PM

Re: Want to Reboot server from ASPX page
 
I don't think impersonation works with forms authentication, but I may be
wrong, always some surprise somewhere (it works with Integrated Widows auth,
as well as Basic Auth).
To switch anonymous access off, run IIS Service Manager, find your Web App
under the Default Web Site, right click on it, properties, then Directory
Security, then hit the top edit button and uncheck the anonymous access.
After doing this, hitting the page with IE, if you are not an authenticated
user, you will be prompted to sign in (if you are authenticated, it won't
prompt you), and that will be the user impersonated (unless you specified a
username/password on the impersonate line in the web.config file).

Second solution, I'm not sure if it will work, but it may, write an ActiveX
dll, install it in COM+ specifying the credentials it should run under, and
call it from your aspx page. Beware that if it works, anyone hitting the
page can re-boot the computer.

I don't know what setting the "user='SYSTEM'" in the machine.config does.

"Terry" <anonymous@discussions.microsoft.com> wrote in message
news:7C3AB4EA-79F3-4465-9A5E-DD8379D164D3@microsoft.com...
> OK, I have verified that the shutdown related code is working fine from
> a regular app.
>
> How do I switch off anonymous access to the virtual directory?
> Are you talking about adding a statement like <deny user="?">
> in my web.config file or are you talking about a setting in
> the IIS Service Mgr.
>
> I am using a simple application based 'Forms' authentication.
> In this case if I use <identity impersonate="true" /> who would
> it be impersonating ... or in this case because I am using Forms
> authentication would I have to spell all that out like
> <identity impersonate="true" userName="abc" password="def">
>
> I am still a little puzzled by all this impersonate stuff ... if you do
> impersonation what is the point of setting the user='SYSTEM' in
> the machine.config file?
>
> Thanks,
>
> Terry
>
> ----- Chris Botha wrote: -----
>
> Terry, first get the code to run in a normal Windows App, so you know

that
> it works.
> After that, it should be a security issue, and impersonation should

work,
> but you also have to switch off anonymous access to the virtual

directory
> for impersonation to work.
> To ensure that your impersonation is set up correctly, add a test

call
> somewhere in a form, returning the current user, and check that it is

what
> you expect (not the anonymous, or ASP.NET user, etc). To get the

current
> user, call
> System.Security.Principal.WindowsIdentity.GetCurre nt().Name
>
> "Terry" <anonymous@discussions.microsoft.com> wrote in message
> news:27B39478-93C0-42AE-9ECE-A49E9EC01AE7@microsoft.com...
> > I am developing a asp.net web based service application for our

product.
> > I am trying to trigger a reboot of the server based on a user

request.
> > I believe I have all the appropriate code for AdjustingTokens etc

and
> > all those calls seem to succeed, however, the final call to

ExitWindowsEx
> > is failing with 'Access Denied'.
> >> In my machine.config, I have already set the userName to 'System'

as I
> > seem to require this for some other functionality I implemented. I

also
> tried
> > to impersonate a local user account with admin priviledges via my

> applications
> > web.config file but that failed as well with the same 'Access

Denied' (by
> the
> > way what exactly does 'impersonate' in the web.config do when the

> machine.config
> > file already lets me specify the user as 'SYSTEM'?)
> >> I expect there is some other security thing that I need to twiddle

.... any
> ideas greatly
> > appreciated (with as much detail as possible, I am very new to this

whole
> web security
> > stuff).
> >> Thanks,
> >> Terry

> >




Sharon 04-19-2004 01:58 AM

Re: Want to Reboot server from ASPX page
 
maybe this way will work:

aspx page
=========
<%@ Page Language="cs" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="test" %>

<%
string[] passArr = new string[2]{"arr val 1", "arr val 2"};

ThreadProc tp = new ThreadProc(passArr);
Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
t.Start();
%>
<html>
<head>
</head>
<body>
</body>
</html>

thread class
==========
using System.Threading;
using System.IO;

namespace test
{
public class ThreadProc
{
private string[] m_dispStrArr;

public ThreadProc(string[] inStrArr) {
m_dispStrArr = inStrArr;
}

public void ThreadProcStart() {
for (int i = 0; i < 20; i++)
{
StreamWriter fsw =
File.AppendText(System.AppDomain.CurrentDomain.Bas eDirectory + "\\log.txt");
fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
+ " i: " + i);
fsw.Close();
fsw = null;

Thread.Sleep(1000);
}
}
}
}

it works but, maybe you can find a flaw?

"Chris Botha" <chris_s_botha@AT_h.o.t.m.a.i.l.com> wrote in message
news:OntwFfZJEHA.3544@TK2MSFTNGP10.phx.gbl...
> I don't think impersonation works with forms authentication, but I may be
> wrong, always some surprise somewhere (it works with Integrated Widows

auth,
> as well as Basic Auth).
> To switch anonymous access off, run IIS Service Manager, find your Web App
> under the Default Web Site, right click on it, properties, then Directory
> Security, then hit the top edit button and uncheck the anonymous access.
> After doing this, hitting the page with IE, if you are not an

authenticated
> user, you will be prompted to sign in (if you are authenticated, it won't
> prompt you), and that will be the user impersonated (unless you specified

a
> username/password on the impersonate line in the web.config file).
>
> Second solution, I'm not sure if it will work, but it may, write an

ActiveX
> dll, install it in COM+ specifying the credentials it should run under,

and
> call it from your aspx page. Beware that if it works, anyone hitting the
> page can re-boot the computer.
>
> I don't know what setting the "user='SYSTEM'" in the machine.config does.
>
> "Terry" <anonymous@discussions.microsoft.com> wrote in message
> news:7C3AB4EA-79F3-4465-9A5E-DD8379D164D3@microsoft.com...
> > OK, I have verified that the shutdown related code is working fine from
> > a regular app.
> >
> > How do I switch off anonymous access to the virtual directory?
> > Are you talking about adding a statement like <deny user="?">
> > in my web.config file or are you talking about a setting in
> > the IIS Service Mgr.
> >
> > I am using a simple application based 'Forms' authentication.
> > In this case if I use <identity impersonate="true" /> who would
> > it be impersonating ... or in this case because I am using Forms
> > authentication would I have to spell all that out like
> > <identity impersonate="true" userName="abc" password="def">
> >
> > I am still a little puzzled by all this impersonate stuff ... if you do
> > impersonation what is the point of setting the user='SYSTEM' in
> > the machine.config file?
> >
> > Thanks,
> >
> > Terry
> >
> > ----- Chris Botha wrote: -----
> >
> > Terry, first get the code to run in a normal Windows App, so you

know
> that
> > it works.
> > After that, it should be a security issue, and impersonation should

> work,
> > but you also have to switch off anonymous access to the virtual

> directory
> > for impersonation to work.
> > To ensure that your impersonation is set up correctly, add a test

> call
> > somewhere in a form, returning the current user, and check that it

is
> what
> > you expect (not the anonymous, or ASP.NET user, etc). To get the

> current
> > user, call
> > System.Security.Principal.WindowsIdentity.GetCurre nt().Name
> >
> > "Terry" <anonymous@discussions.microsoft.com> wrote in message
> > news:27B39478-93C0-42AE-9ECE-A49E9EC01AE7@microsoft.com...
> > > I am developing a asp.net web based service application for our

> product.
> > > I am trying to trigger a reboot of the server based on a user

> request.
> > > I believe I have all the appropriate code for AdjustingTokens etc

> and
> > > all those calls seem to succeed, however, the final call to

> ExitWindowsEx
> > > is failing with 'Access Denied'.
> > >> In my machine.config, I have already set the userName to

'System'
> as I
> > > seem to require this for some other functionality I implemented.

I
> also
> > tried
> > > to impersonate a local user account with admin priviledges via my

> > applications
> > > web.config file but that failed as well with the same 'Access

> Denied' (by
> > the
> > > way what exactly does 'impersonate' in the web.config do when the

> > machine.config
> > > file already lets me specify the user as 'SYSTEM'?)
> > >> I expect there is some other security thing that I need to

twiddle
> ... any
> > ideas greatly
> > > appreciated (with as much detail as possible, I am very new to

this
> whole
> > web security
> > > stuff).
> > >> Thanks,
> > >> Terry
> > >

>
>




Sharon 04-19-2004 02:10 AM

Re: Want to Reboot server from ASPX page
 
sorry, wrong thread.

"Sharon" <talsharon@hotmail.com> wrote in message
news:uCI3QmaJEHA.208@tk2msftngp13.phx.gbl...
> maybe this way will work:
>
> aspx page
> =========
> <%@ Page Language="cs" %>
> <%@ import namespace="System.Threading" %>
> <%@ import namespace="test" %>
>
> <%
> string[] passArr = new string[2]{"arr val 1", "arr val 2"};
>
> ThreadProc tp = new ThreadProc(passArr);
> Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
> t.Start();
> %>
> <html>
> <head>
> </head>
> <body>
> </body>
> </html>
>
> thread class
> ==========
> using System.Threading;
> using System.IO;
>
> namespace test
> {
> public class ThreadProc
> {
> private string[] m_dispStrArr;
>
> public ThreadProc(string[] inStrArr) {
> m_dispStrArr = inStrArr;
> }
>
> public void ThreadProcStart() {
> for (int i = 0; i < 20; i++)
> {
> StreamWriter fsw =
> File.AppendText(System.AppDomain.CurrentDomain.Bas eDirectory +

"\\log.txt");
> fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
> + " i: " + i);
> fsw.Close();
> fsw = null;
>
> Thread.Sleep(1000);
> }
> }
> }
> }
>
> it works but, maybe you can find a flaw?
>
> "Chris Botha" <chris_s_botha@AT_h.o.t.m.a.i.l.com> wrote in message
> news:OntwFfZJEHA.3544@TK2MSFTNGP10.phx.gbl...
> > I don't think impersonation works with forms authentication, but I may

be
> > wrong, always some surprise somewhere (it works with Integrated Widows

> auth,
> > as well as Basic Auth).
> > To switch anonymous access off, run IIS Service Manager, find your Web

App
> > under the Default Web Site, right click on it, properties, then

Directory
> > Security, then hit the top edit button and uncheck the anonymous access.
> > After doing this, hitting the page with IE, if you are not an

> authenticated
> > user, you will be prompted to sign in (if you are authenticated, it

won't
> > prompt you), and that will be the user impersonated (unless you

specified
> a
> > username/password on the impersonate line in the web.config file).
> >
> > Second solution, I'm not sure if it will work, but it may, write an

> ActiveX
> > dll, install it in COM+ specifying the credentials it should run under,

> and
> > call it from your aspx page. Beware that if it works, anyone hitting the
> > page can re-boot the computer.
> >
> > I don't know what setting the "user='SYSTEM'" in the machine.config

does.
> >
> > "Terry" <anonymous@discussions.microsoft.com> wrote in message
> > news:7C3AB4EA-79F3-4465-9A5E-DD8379D164D3@microsoft.com...
> > > OK, I have verified that the shutdown related code is working fine

from
> > > a regular app.
> > >
> > > How do I switch off anonymous access to the virtual directory?
> > > Are you talking about adding a statement like <deny user="?">
> > > in my web.config file or are you talking about a setting in
> > > the IIS Service Mgr.
> > >
> > > I am using a simple application based 'Forms' authentication.
> > > In this case if I use <identity impersonate="true" /> who would
> > > it be impersonating ... or in this case because I am using Forms
> > > authentication would I have to spell all that out like
> > > <identity impersonate="true" userName="abc" password="def">
> > >
> > > I am still a little puzzled by all this impersonate stuff ... if you

do
> > > impersonation what is the point of setting the user='SYSTEM' in
> > > the machine.config file?
> > >
> > > Thanks,
> > >
> > > Terry
> > >
> > > ----- Chris Botha wrote: -----
> > >
> > > Terry, first get the code to run in a normal Windows App, so you

> know
> > that
> > > it works.
> > > After that, it should be a security issue, and impersonation

should
> > work,
> > > but you also have to switch off anonymous access to the virtual

> > directory
> > > for impersonation to work.
> > > To ensure that your impersonation is set up correctly, add a test

> > call
> > > somewhere in a form, returning the current user, and check that

it
> is
> > what
> > > you expect (not the anonymous, or ASP.NET user, etc). To get the

> > current
> > > user, call
> > > System.Security.Principal.WindowsIdentity.GetCurre nt().Name
> > >
> > > "Terry" <anonymous@discussions.microsoft.com> wrote in message
> > > news:27B39478-93C0-42AE-9ECE-A49E9EC01AE7@microsoft.com...
> > > > I am developing a asp.net web based service application for our

> > product.
> > > > I am trying to trigger a reboot of the server based on a user

> > request.
> > > > I believe I have all the appropriate code for AdjustingTokens

etc
> > and
> > > > all those calls seem to succeed, however, the final call to

> > ExitWindowsEx
> > > > is failing with 'Access Denied'.
> > > >> In my machine.config, I have already set the userName to

> 'System'
> > as I
> > > > seem to require this for some other functionality I

implemented.
> I
> > also
> > > tried
> > > > to impersonate a local user account with admin priviledges via

my
> > > applications
> > > > web.config file but that failed as well with the same 'Access

> > Denied' (by
> > > the
> > > > way what exactly does 'impersonate' in the web.config do when

the
> > > machine.config
> > > > file already lets me specify the user as 'SYSTEM'?)
> > > >> I expect there is some other security thing that I need to

> twiddle
> > ... any
> > > ideas greatly
> > > > appreciated (with as much detail as possible, I am very new to

> this
> > whole
> > > web security
> > > > stuff).
> > > >> Thanks,
> > > >> Terry
> > > >

> >
> >

>
>





All times are GMT. The time now is 11:31 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.