To Be or To Impersonate, that is the Question

 
 
Gary Bagen
      03-05-2004
Alrighty, my continued foray into accessing network resources from the
web server continues...

When employees hit the intranet ASP.NET applications on our web
servers (dev, test, prod), they may need access to network resources
from those servers (like the network printer or another network
share).

We are not running Kerberos so that throws out IIS impersonation of
the Windows user hitting the app. (<identity impersonate="true" /> in
web.config).

That leaves three options that I have found:
1) In the web.config of each app: <identity impersonate="true"
userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
/>

2) In the machine.config of each server: <identity impersonate="true"
userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
/>

3) In the ProcessModel of machine.config using the registry pointers
as above. If IIS 6, then the GUI Admin.

Between option 2 & 3, which is the preferred method? The applications
don't care, they'll get that user in either situation (unless they
override identity in web.config).

When I present these three options to the group I want to be able to
tell them the pros and cons between 2 & 3 since they appear very
similar on the surface. I think I understand that underneath option 2
has the worker process impersonating an identity while option 3 has
the inetinfo.exe being the identity.

Thanks,
Gar
 
Paul Glavich
      03-07-2004
With option 1, obviously web.config is easier to access for a malicious user
than the machine.config (yes, you have the credentials encrypted, but it is
still easier to find this 'clue' than with the machine.config) as the
machine.config is locked down further using ACLs.

The machine.config option affects ASP.NET globally though, so any other
ASP.NET applications on the machine would also be affected.

What about setting up a defined network user, with only minimum privileges
(to the printer and network share), and storing these credentials in the
database, to use for you to programmatically impersonate? Just a thought.

--
- Paul Glavich


"Gary Bagen" wrote in message:
> Alrighty, my continued foray into accessing network resources from the
> web server continues...
>
> When employees hit the intranet ASP.NET applications on our web
> servers (dev, test, prod), they may need access to network resources
> from those servers (like the network printer or another network
> share).
>
> We are not running Kerberos so that throws out IIS impersonation of
> the Windows user hitting the app. (<identity impersonate="true" /> in
> web.config).
>
> That leaves three options that I have found:
> 1) In the web.config of each app: <identity impersonate="true"
> userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
> password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
> />
>
> 2) In the machine.config of each server: <identity impersonate="true"
> userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
> password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
> />
>
> 3) In the ProcessModel of machine.config using the registry pointers
> as above. If IIS 6, then the GUI Admin.
>
> Between option 2 & 3, which is the preferred method? The applications
> don't care, they'll get that user in either situation (unless they
> override identity in web.config).
>
> When I present these three options to the group I want to be able to
> tell them the pros and cons between 2 & 3 since they appear very
> similar on the surface. I think I understand that underneath option 2
> has the worker process impersonating an identity while option 3 has
> the inetinfo.exe being the identity.
>
> Thanks,
> Gar
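The programmatic impersonation suggested in the reply above, as an added example that is not code from either poster: the worker thread takes on a minimum-privilege network account only for the duration of one call and always reverts. The class name, the account and share names in the usage comment, and the use of .NET Framework 3.5 or later (for the Action delegate) are assumptions; how the password is retrieved from its store is left to the caller.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: scopes impersonation to a single delegate call.
public static class ScopedImpersonation
{
    // NEW_CREDENTIALS: the thread keeps the worker identity for local access
    // checks and presents the supplied account only on outbound network
    // connections. The credentials are not validated at logon time; a wrong
    // password shows up as an access error on the first network call.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so the original handle
            // is closed separately in the finally block.
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                work(); // only this call uses the network account
            }           // disposing the context reverts the thread identity
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Usage with constructed names (CORP, svc-intranet, \\fileserver\reports):
// ScopedImpersonation.RunAs("CORP", "svc-intranet", password,
//     () => System.IO.File.Copy(localPath, @"\\fileserver\reports\out.pdf", true));
```

Unlike the machine.config options, this leaves every other request and every other application on the server running under the default worker identity.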



 