What permissions needed to launch a COM+ object

Dave Kolb
      01-23-2004
If I make ASPNET a member of the admins group it can launch my COM+ object
but I do not want to do that.

What permissions do I need to set for the lowly ASPNET user so that it can
launch a COM+ object. I tried playing with COM+ roles in the MMC but not
with any luck. My COM+ object itself does not do any role checking.

Thanks,
Dave


Ken Cox [Microsoft MVP]
      01-24-2004
Hi Dave,

You might want to review the last few paragraphs in this article to see how
to configure the ASPNET account so it can do what it needs and no more:

HOW TO: Secure an ASP.NET Application by Using Windows Security

http://support.microsoft.com/default...b;en-us;315736



Ken Cox [Microsoft MVP]
      01-24-2004
Here are some steps posted elsewhere by Microsoft to get ASP.NET going
safely:

"Basically, this is not recommended because it will make your system
vulnerable. By running the process as the System account this basically
means that if anyone were able to get control of this process they would
have all of the privileges that SYSTEM would have on the server and as you
know it has many.
My suggestion would be to create a weak account that has the correct
permissions, and then configure the <processModel> section of the
Machine.config file to use that account.
Here are some simple steps you can follow to grant NTFS permissions.
Keep in mind that if you are running the 1.0 framework you will need to
replace v1.1.4322 with v1.0.3705.
1. Create the domain user and grant it "Log on as a Service", "Log on as a
Batch Job", "Deny Logon Locally", "Access this Computer from the Network"
2. Add domain user to the local Users Group
3. Grant domain user read access to C:\Winnt\microsoft.net
4. Grant domain user Full Control to C:\WINNT\TEMP
5. Grant domain user Full Control to
C:\winnt\Microsoft.Net\framework\v1.1.4322\Temporary Asp.Net files
6. Grant domain user Read access to C:\WINNT\Microsoft.Net\Framework\v1.1.4322
7. Ensure domain user has Read access to
C:\Winnt\Microsoft.Net\Framework\v1.1.4322\config
8. Ensure domain user has Read access to C:\Winnt\Assembly
Note: You should use the following command to add permissions to this
folder because it is a special folder and does not have a security tab
cacls c:\winnt\assembly /e /t /p domain\useraccount:R

9. Modify the c:\winnt\microsoft.net\framework\v1.1.4322\config\machine.config
under <processModel> and change these lines to read
Username="domain\user"
Password="password"
10. Restart IIS for the machine.config changes to take effect
You can use the following command to enforce the policy changes without a
reboot:
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE"




Dave Kolb
      01-24-2004
Thanks for the suggestions Ken.

I found that I could merely give ASPNET read access to the COM+ dll I
registered and then assign a role to the COM+ component allowing only a
particular local impersonated user to have access and I have a reasonably
secure COM object that I can run as a separate identity to do the network
access I require while keeping the rest of ASPNET as a lowly user rather
than running it as SYSTEM as my cohorts were doing in order to get network
access. You have to impersonate the local user in order to access the COM+
object.

I will also review your suggestions.

Thanks,
Dave

Dave Kolb
      01-24-2004
Oops - that was not clear. Though I could have ASPNET run the COM+ object, I
actually impersonate a local user and give that user only access to the COM+
object. That way only certain web apps can run the object. Dave

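The pattern Dave settles on, impersonating a dedicated local account that is the only member of the COM+ role and reverting to ASPNET as soon as the call is done, written out as an added example (not code from the thread; the account name, password and ProgID are placeholders, and the class is hypothetical):

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Scope that impersonates a dedicated local account for the duration of the
// COM+ calls and reverts to ASPNET when disposed. Only this code path can
// satisfy the COM+ role check; ASPNET itself only needs Read on the DLL.
public class ComPlusScope : IDisposable
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2;  // primary token, carries network creds
    const int LOGON32_PROVIDER_DEFAULT = 0;

    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext ctx;

    public ComPlusScope(string localUser, string password)
    {
        // "." = this machine: the COM+ role holds only this local account.
        // On Windows 2000 the worker process needs SeTcbPrivilege for LogonUser;
        // on Windows Server 2003 it does not.
        if (!LogonUser(localUser, ".", password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new ApplicationException("LogonUser failed, Win32 error " +
                                           Marshal.GetLastWin32Error());
        ctx = new WindowsIdentity(token).Impersonate();
    }

    // Late-bound activation: no interop assembly needed, and the COM+ role
    // check is evaluated against the impersonated identity, not ASPNET.
    public object Create(string progId)
    {
        return Activator.CreateInstance(Type.GetTypeFromProgID(progId, true));
    }

    public void Dispose()
    {
        if (ctx != null) ctx.Undo();            // back to ASPNET before the page continues
        if (token != IntPtr.Zero) CloseHandle(token);
    }
}

// Usage from a page (placeholder account and ProgID):
// using (ComPlusScope s = new ComPlusScope("complususer", "<password>"))
// {
//     object svc = s.Create("MyServer.NetworkHelper");
//     svc.GetType().InvokeMember("DoWork", BindingFlags.InvokeMethod, null, svc, null);
// }
```

Keep every call on the COM+ object inside the using block: once Undo() runs, further calls go out as ASPNET and the role check rejects them.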