Velocity Reviews - Computer Hardware Reviews

Prevent access to advapi32.dll RevertToSelf()

kevin.kenny@zygonia.net
      09-27-2005
Hi All,

Sorry to crosspost but it's a security and an ASP.NET problem I have.

We run each website under its own I_<user> account and ASP.NET is
configured to impersonate so requests run under the identity of the
I_<user> account.

In windows 2000 server how do I prevent a user from calling
RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.

using System;
using System.Runtime.InteropServices;

[DllImport(@"C:\WINNT\system32\advapi32.dll")]
public static extern bool RevertToSelf();

void Page_Load(Object sender, EventArgs e) {
    // at this point the request is running under impersonation as I_<user>
    RevertToSelf();
    // afterwards it undoes the impersonation and the request is now running as <MACHINE>\ASPNET
}

I've looked into building a .NET security policy to do this but I'm a
bit stuck.

Thanks in advance.
Kevin

kevin.kenny@zygonia.net
      09-27-2005
Sorry I should also have said windows 2003 server as well.

Kevin

Dominick Baier [DevelopMentor]
      09-27-2005
Hello (E-Mail Removed),

the only way to prevent someone from calling into unmanaged code is to run
under partial trust.

add a <trust level="Medium" /> to your web.config - and see if it affects
your application.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi All,
>
> Sorry to crosspost but it's a security and an ASP.NET problem I have.
>
> We run each website under its own I_<user> account and ASP.NET
> is configured to impersonate so requests run under the identity of the
> I_<user> account.
>
> In windows 2000 server how do I prevent a user from calling
> RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.
>
> [DllImport(@"C:\WINNT\system32\advapi32.dll")]
> public static extern bool RevertToSelf();
> void Page_Load(Object sender, EventArgs e) {
> // at this point the request is running under impersonation as I_<user>
> RevertToSelf();
> // afterwards it undoes the impersonation and the request is now running as <MACHINE>\ASPNET
> }
>
> I've looked into building a .NET security policy to do this but I'm a
> bit stuck.
>
> Thanks in advance.
> Kevin


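Added example, not code from the thread or any of its posters (class and method names are hypothetical): a small diagnostic that exposes the code access security permission a [DllImport] stub like the RevertToSelf() declaration above demands, so an operator can confirm from managed code that the Medium trust level Dominick suggests really withholds it.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

// Added example (hypothetical names, not from the thread).
// A P/Invoke call made from partially trusted code triggers a demand for
// SecurityPermission(UnmanagedCode). The Medium trust policy grants
// SecurityPermission with only a few flags (Execution, Assertion,
// ControlThread, ControlPrincipal), never UnmanagedCode, so under Medium
// trust the RevertToSelf() stub throws SecurityException before advapi32.dll
// is ever touched.
public static class TrustDiagnostics
{
    // True when CAS policy grants UnmanagedCode to the calling assembly
    // (Full trust); false under Medium, Low and Minimal trust.
    public static bool UnmanagedCodeGranted()
    {
        SecurityPermission p =
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
        return SecurityManager.IsGranted(p);   // .NET 1.1 / 2.0 API
    }

    // Same check as a hard demand: throws SecurityException exactly as the
    // P/Invoke stub would, so a misconfigured trust level fails loudly in one
    // known place (e.g. Application_Start) instead of inside customer pages.
    public static void DemandUnmanagedCode()
    {
        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();
    }

    // One-line summary for a log: the Windows account the request thread is
    // running as (the I_<user> account while auto-impersonation is on) and
    // whether code on that thread could reach unmanaged APIs at all.
    public static string Describe()
    {
        string thread = WindowsIdentity.GetCurrent().Name;
        string verdict = UnmanagedCodeGranted() ? "granted" : "denied";
        return "request thread runs as " + thread + "; UnmanagedCode " + verdict;
    }
}
```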

Joe Kaplan \(MVP - ADSI\)
      09-28-2005
In addition to what Dominick said, under 2003, I suggest running each app in
its own AppPool, setting the process identity to the identity you want to
use and disabling impersonation via web.config. Then, it is a non-issue.

Joe K.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Sorry I should also have said windows 2003 server as well.
>
> Kevin
>



Dominick Baier [DevelopMentor]
      09-28-2005
Hello Joe,

sorry, i can only quote myself this time...: "auto impersonation is the spawn
of evil"

if you use autoimp to isolate web apps, upgrade to IIS6 and use application
pools
if you use autoimp for impersonation, do it programmatically only where you
need it.

otherwise this will cause headaches sooner or later.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> In addition to what Dominick said, under 2003, I suggest running each
> app in its own AppPool, setting the process identity to the identity
> you want to use and disabling impersonation via web.config. Then, it
> is a non-issue.
>
> Joe K.
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
>
>> Sorry I should also have said windows 2003 server as well.
>>
>> Kevin
>>


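Added example of the pattern Dominick describes, not code from the thread (class, delegate and method names are hypothetical): impersonation is left off in web.config so requests run as the worker process identity, and the caller's token is applied only around the one operation that needs it and is always undone. Assumes Windows authentication, so that User.Identity is a WindowsIdentity.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added example (hypothetical names, not from the thread).
// Pairs with <identity impersonate="false" /> in web.config: the request
// thread normally carries the process/AppPool identity, and impersonation is
// entered and left explicitly here. A RevertToSelf() anywhere else in page
// code then has no impersonation to unwind.
public static class ScopedImpersonation
{
    // The unit of work that genuinely needs the caller's token.
    public delegate T Work<T>();

    // Runs 'work' as the authenticated caller and reverts in 'finally', so
    // the token is dropped even if the delegate throws.
    public static T RunAsCaller<T>(HttpContext ctx, Work<T> work)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException(
                "Windows authentication is required before impersonating");

        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            return work();
        }
        finally
        {
            impersonation.Undo();   // back to the process identity
        }
    }

    // Example use: read a file under the caller's ACL rights and nothing else
    // runs impersonated (file path is supplied by the trusted calling code).
    public static string ReadAsCaller(HttpContext ctx, string path)
    {
        return RunAsCaller<string>(ctx, delegate { return File.ReadAllText(path); });
    }
}
```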

kevin.kenny@zygonia.net
      09-28-2005
Hi Guys,

Thanks for replying. The problem I have is that this is a hosting
platform that I've inherited. The servers can have up to 900 sites
customer sites running on them. There is also no chance that the
servers running Windows 2000 Server will be upgraded to Windows 2003 in
the near future.

I did think about having an AppPool per site on 2003 but there are some
practicality issues here and also I'm guessing that 900 AppPools isn't
really the right answer from a scalability and management aspect.

As far as the medium trust thing goes, unfortunately we have customers
using OleDB in conjunction with Access database files.

Is it possible to build a custom trust level that has all the
restrictions of Medium trust but allow OleDbClientPermission?

Can I create a new policy file based on 'medium_trust.config' and add
the OleDbClientPermission? Is this good practice?

Sorry if there are obvious answers to these questions but whilst I
understand the concept and use of different trust levels, I'm a bit
unsure about what to do regarding tuning the default policies to
our needs.

Thanks Again
Kevin
ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.

Dominick Baier [DevelopMentor]
      09-28-2005
Hello (E-Mail Removed),

thanks

unfortunately, setting to partial trust is the only way to prohibit RevertToSelf...

...and OleDb only runs under full trust.

here is more info:
http://www.leastprivilege.com/FullyT...AndASPNET.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Guys,
>
> Thanks for replying. The problem I have is that this is a hosting
> platform that I've inherited. The servers can have up to 900 sites
> customer sites running on them. There is also no chance that the
> servers running Windows 2000 Server will be upgraded to Windows 2003
> in the near future.
>
> I did think about having an AppPool per site on 2003 but there are
> some practicality issues here and also I'm guessing that 900 AppPools
> isn't really the right answer from a scalability and management
> aspect.
>
> As far as the medium trust thing goes, unfortunately we have customers
> using OleDB in conjunction with Access database files.
>
> Is it possible to build a custom trust level that has all the
> restrictions of Medium trust but allow OleDbClientPermission?
>
> Can I create a new policy file based on 'medium_trust.config' and add
> the OleDbClientPermission? Is this good practice?
>
> Sorry if there are obvious answers to these questions but whilst I
> understand the concept and use of different trust levels, I'm a bit
> unsure about what to do regarding tuning the default policies to
> our needs.
>
> Thanks Again
> Kevin
> ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.




kevin.kenny@zygonia.net
      10-03-2005
Hi Dominick/Joe,

Thanks for your help.

Regards
Kevin
