Registry access permission doesn't obey impersonated user

 
 
Karim
      09-03-2003

I have an asp.net application that impersonates a user. I did a test for
reading a registry key and noticed that the app can read the key even
though the user does not have access to that key. aspnet user does not have
access either. After denying read access to the key for different
users, I found out that the INTERACTIVE user is the one that determines the
permissions.

How can I deny asp.net apps from reading the registry? Why isn't the app
following the impersonated user's registry permissions?

karim
 
alexey
      09-03-2003
Karim,

Could you give me a hint how to create such a code to impersonate from
ASPNET and read the Registry? I am working on a similar application right
now and can't make impersonation work.

Thanks

Alexey


"Karim" <karim3411@!!yahoo!!.com> wrote in message
news:ee30ngspkbua$(E-Mail Removed)...
>
> I have an asp.net application that impersonates a user. I did a test for
> reading a registry key and noticed that the app can read the key even
> though the user does not have access to that key. aspnet user does not have
> access either. After denying read access to the key for different
> users, I found out that the INTERACTIVE user is the one that determines the
> permissions.
>
> How can I deny asp.net apps from reading the registry? Why isn't the app
> following the impersonated user's registry permissions?
>
> karim



 
 
 
 
 
Hernan Ochoa
      09-03-2003
how are you impersonating? by calling LogonUser?
does your app use windows auth and impersonation?


"Karim" <karim3411@!!yahoo!!.com> wrote in message
news:ee30ngspkbua$(E-Mail Removed)...
>
> I have an asp.net application that impersonates a user. I did a test for
> reading a registry key and noticed that the app can read the key even
> though the user does not have access to that key. aspnet user does not have
> access either. After denying read access to the key for different
> users, I found out that the INTERACTIVE user is the one that determines the
> permissions.
>
> How can I deny asp.net apps from reading the registry? Why isn't the app
> following the impersonated user's registry permissions?
>
> karim



 
 
Karim
      09-03-2003
On Wed, 3 Sep 2003 06:25:19 -0400, alexey wrote:

> Karim,
>
> Could you give me a hint how to create such a code to impersonate from
> ASPNET and read the Registry? I am working on a similar application right
> now and can't make impersonation work.
>
> Thanks
>
> Alexey
>
> (E-Mail Removed)
>
> "Karim" <karim3411@!!yahoo!!.com> wrote in message
> news:ee30ngspkbua$(E-Mail Removed)...
>>
>> I have an asp.net application that impersonates a user. I did a test for
>> reading a registry key and noticed that the app can read the key even
>> though the user does not have access to that key. aspnet user does not have
>> access either. After denying read access to the key for different
>> users, I found out that the INTERACTIVE user is the one that determines the
>> permissions.
>>
>> How can I deny asp.net apps from reading the registry? Why isn't the app
>> following the impersonated user's registry permissions?
>>
>> karim


I am using the <identity impersonate=true username=.. password=.. tag in
web.config. While file access permissions are being followed correctly, the
registry permissions are not making sense to me. Let's say username is
'donald'. When I have deny read permissions for aspnet and donald on that
registry key, my asp.net app can still read the registry key!
The user that actually determines the access is INTERACTIVE. I don't want
any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
read access on the whole registry, I probably will break something on the
system?

karim
 
 
Hernan Ochoa
      09-04-2003
> I am using the <identity impersonate=true username=.. password=.. tag in
> web.config. While file access permissions are being followed correctly, the
> registry permissions are not making sense to me. Let's say username is
> 'donald'. When I have deny read permissions for aspnet and donald on that
> registry key, my asp.net app can still read the registry key!
> The user that actually determines the access is INTERACTIVE. I don't want
> any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
> read access on the whole registry, I probably will break something on the
> system?
>
> karim


if you're using the <identity> tag in your web.config file, then your app is
running under the context of the user you've specified in the <identity> tag,
and not under the aspnet account. Maybe that's your problem.

bye!
Hernan


 
 
Karim
      09-04-2003
On Thu, 4 Sep 2003 00:09:33 -0300, Hernan Ochoa wrote:

>> I am using the <identity impersonate=true username=.. password=.. tag in
>> web.config. While file access permissions are being followed correctly, the
>> registry permissions are not making sense to me. Let's say username is
>> 'donald'. When I have deny read permissions for aspnet and donald on that
>> registry key, my asp.net app can still read the registry key!
>> The user that actually determines the access is INTERACTIVE. I don't want
>> any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
>> read access on the whole registry, I probably will break something on the
>> system?
>>
>> karim

>
> if you're using the <identity> tag in your web.config file, then your app is
> running under the context of the user you've specified in the <identity> tag,
> and not under the aspnet account. Maybe that's your problem.


Like I said, I denied the user in the identity (donald in this case) read
access to the registry key. I added aspnet user to the deny just in case
the asp.net uses the 'aspnet' user. The asp.net app was still able to read
the registry key.

Karim
 
 
Hernan Ochoa
      09-04-2003
Hi,

so, I tested accessing the registry from an asp.net app and everything works
fine, this is what I did:

-I created a webapp called testwebapp
-added a button and a label
-the handler for the button is:

LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();


-I created the registry key and value

-I load the webapp, click the button, and the content is shown, as expected.

-now, I use regedt32, I change the permissions on the key so ASPNET is
DENIED read and full control to the key

-now, I click on the button, and as expected, the following is shown:



Server Error in '/testwebapp' Application.
--------------------------------------------------------------------------------

Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Requested registry
access is not allowed.

Source Error:

Line 50: private void Button1_Click(object sender, System.EventArgs e)
Line 51: {
Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
Line 53:
Line 54: }

Source File: webform1.aspx.cs Line: 52

Stack Trace:

[SecurityException: Requested registry access is not allowed.]
Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +2075
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

--------------------------------------------------------------------------------




I don't know, maybe you can post the exact code you're using so we can try
to see if that has something to do with the problem you're experiencing.



bye!












 
 
Karim
      09-04-2003
On Thu, 4 Sep 2003 17:48:58 -0300, Hernan Ochoa wrote:

> Hi,
>
> so, I tested accessing the registry from an asp.net app and everything works
> fine, this is what I did:
>
> -I created a webapp called testwebapp
> -added a button and a label
> -the handler for the button is:
>
> LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
>
> -I created the registry key and value
>
> -I load the webapp, click the button, and the content is shown, as expected.
>
> -now, I use regedt32, I change the permissions on the key so ASPNET is
> DENIED read and full control to the key
>
> -now, I click on the button, and as expected, the following is shown:
>
> Server Error in '/testwebapp' Application.
> --------------------------------------------------------------------------------
>
> Security Exception
> Description: The application attempted to perform an operation not allowed
> by the security policy. To grant this application the required permission
> please contact your system administrator or change the application's trust
> level in the configuration file.
>
> Exception Details: System.Security.SecurityException: Requested registry
> access is not allowed.
>
> Source Error:
>
> Line 50: private void Button1_Click(object sender, System.EventArgs e)
> Line 51: {
> Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
> Line 53:
> Line 54: }
>
> Source File: webform1.aspx.cs Line: 52
>
> Stack Trace:
>
> [SecurityException: Requested registry access is not allowed.]
> Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
> Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
> testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
> System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
> System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
> System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
> System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
> System.Web.UI.Page.ProcessRequestMain() +2075
> System.Web.UI.Page.ProcessRequest() +218
> System.Web.UI.Page.ProcessRequest(HttpContext context) +18
> System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
> System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
>
> --------------------------------------------------------------------------------
>
> I don't know, maybe you can post the exact code you're using so we can try
> to see if that has something to do with the problem you're experiencing.
>
>
>
> bye!


One thing I want to mention is that you didn't impersonate anyone.
I did a test on a different machine (2000 pro) and used your sample. I
found out it's the SYSTEM user that controls the access. aspnet user didn't
have any effect whether I denied read or not, the app read the key fine.

What do you have as a user in the processModel section in your
machine.config? Mine is System and Autogenerate for password.

Karim
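
The posts above disagree about which account the registry ACL is checked against (ASPNET, the `<identity>` user, INTERACTIVE or SYSTEM). The following diagnostic is an added example, not code from any poster; it assumes the .NET Framework on Windows, and `RegistryAccessProbe` is a hypothetical name. It reports the worker process account and the thread account next to the outcome of the same read Hernan's handler performs.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

// Added diagnostic, not code from the thread. RegistryAccessProbe is a
// hypothetical name. Call it from the button handler, for example:
//   LabelTest.Text = RegistryAccessProbe.Probe("SOFTWARE\\mykey", "myvalue");
public static class RegistryAccessProbe
{
    // Account of the worker process (the processModel account).
    public static string ProcessAccount()
    {
        // Impersonate(IntPtr.Zero) reverts the thread to the process token.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try { return WindowsIdentity.GetCurrent().Name; }
        finally { reverted.Undo(); }   // restore the impersonated token
    }

    // Account the current thread runs as: the <identity> user while
    // impersonation is in effect, otherwise the process account.
    public static string ThreadAccount()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Reports both accounts and the outcome of the read, without
    // returning the registry value itself.
    public static string Probe(string subKey, string valueName)
    {
        string who = "process=" + ProcessAccount() + "; thread=" + ThreadAccount() + "; ";
        try
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKey))
            {
                if (key == null) return who + "key not found";
                return who + (key.GetValue(valueName) == null
                    ? "value not found" : "read allowed");
            }
        }
        catch (SecurityException)
        {
            // The exception shown in the error page quoted in the thread.
            return who + "read denied";
        }
    }
}
```

A process account of NT AUTHORITY\SYSTEM means a deny entry for ASPNET is never evaluated for the worker process, which is consistent with the processModel user reported in the last post.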
 