Velocity Reviews - Computer Hardware Reviews

Thread identity

 
 
Raster Space
 
      10-06-2005
I have a managed Web Application running with ASPNET user rights. How can I
execute certain (not all) methods with administrator privileges? Any ideas?
 
 
Joe Kaplan \(MVP - ADSI\)
 
      10-06-2005
You can impersonate an administrator for the duration of the call, or you
can run the worker process as the administrator and undo the impersonation
during the call. You can also put the admin code in a COM+ application that
runs under a different identity.

The WindowsImpersonationContext starts and stops impersonation. The only
other thing is getting the logon token for the administrator to use to
impersonate. The MSDN docs on WindowsImpersonationContext have a good
sample on that though. Then the problem is securely storing the
credentials...

Joe K.

"Raster Space" <(E-Mail Removed)> wrote in message
news:di3v0t$pdn$(E-Mail Removed)...
>I have managed Web Application running on ASPNET user rights. How can I
>execute certain (not all) methods with administrator privileges? Any ideas?



 
 
 
Dominick Baier [DevelopMentor]
 
      10-06-2005
Hello Joe,

please - don't use impersonation for that -

both approaches using impersonation will get you in trouble -

a) WP runs as admin
when an attacker can take over the application - he is admin

b) WP runs as ASPNET - you impersonate admin
you need to use LogonUser for that - where do you want to store the admin
pwd - what happens with password change policy a.s.o...

write a local COM+ server (even remoting would be ok) that has the necessary
privileges - factor out the code - and call into it from your ASP.NET app

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> You can impersonate an administrator for the duration of the call, or
> you can run the worker process as the administrator and undo the
> impersonation during the call. You can also put the admin code in a
> COM+ application that runs under a different identity.
>
> The WindowsImpersonationContext starts and stops impersonation. The
> only other thing is getting the logon token for the administrator to
> use to impersonate. The MSDN docs on WindowsImpersonationContext have
> a good sample on that though. Then the problem is securely storing
> the credentials...
>
> Joe K.
>
> "Raster Space" <(E-Mail Removed)> wrote in message
> news:di3v0t$pdn$(E-Mail Removed)...
>
>> I have managed Web Application running on ASPNET user rights. How can
>> I execute certain (not all) methods with administrator privileges?
>> Any ideas?
>>



 
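The "factor out the privileged code into a local COM+ server" approach that Dominick recommends (and Joe mentions in his first reply), written out as an added C# example; this is not code from either poster. It uses a System.EnterpriseServices ServicedComponent with server activation, so the privileged work runs in a separate dllhost.exe process under whatever identity is configured for the COM+ application in Component Services, while the web application keeps running as ASPNET. The application name "PrivilegedOps", the role "WebCallers" and the service name "MyBatchSvc" are constructed for the example; the web-side caller is shown in the same listing but belongs in the web project.

```csharp
// PrivilegedOps.cs -- build as its own strong-named class library, NOT inside the web app.
// Register with:  regsvcs.exe PrivilegedOps.dll   (creates and configures the COM+ application)
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;

// Server activation: the component lives in its own dllhost.exe process whose identity is
// set in Component Services (a dedicated account with only the rights this work needs).
[assembly: ApplicationName("PrivilegedOps")]                 // assumed application name
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy)]          // callers authenticated, traffic encrypted
[assembly: SecurityRole("WebCallers")]                       // assumed role; add the ASPNET account to it

namespace PrivilegedOps
{
    [ComVisible(true)]
    [ComponentAccessControl(true)]
    [SecurityRole("WebCallers")]
    public class ServiceControl : ServicedComponent
    {
        // Only these services may be touched; everything else is refused.
        private static readonly string[] Allowed = { "MyBatchSvc" }; // constructed service name

        public string RestartService(string serviceName)
        {
            // COM+ already enforces the role on entry; checking it in code as well means a
            // misconfigured application (access checks switched off) fails closed.
            if (!ContextUtil.IsSecurityEnabled || !ContextUtil.IsCallerInRole("WebCallers"))
                throw new UnauthorizedAccessException("Caller is not in the WebCallers role.");

            // Narrow the interface: the web app can ask for one named, allow-listed operation,
            // not for arbitrary work under the privileged identity.
            if (Array.IndexOf(Allowed, serviceName) < 0)
                throw new ArgumentException("Service is not on the allow-list.", "serviceName");

            TimeSpan timeout = TimeSpan.FromSeconds(30);
            using (ServiceController sc = new ServiceController(serviceName))
            {
                if (sc.Status != ServiceControllerStatus.Stopped)
                {
                    sc.Stop();
                    sc.WaitForStatus(ServiceControllerStatus.Stopped, timeout);
                }
                sc.Start();
                sc.WaitForStatus(ServiceControllerStatus.Running, timeout);
            }

            // Reports the identity the work actually ran under: the COM+ app's account, not ASPNET.
            return WindowsIdentity.GetCurrent().Name;
        }
    }
}

// ---- Web application side (still runs as ASPNET); reference PrivilegedOps.dll ----
// Creating the object yields a proxy; the call is marshalled into the COM+ server process.
public static class AdminTasks
{
    public static string RestartBatchService()
    {
        PrivilegedOps.ServiceControl ops = new PrivilegedOps.ServiceControl();
        try
        {
            return ops.RestartService("MyBatchSvc");
        }
        finally
        {
            ServicedComponent.DisposeObject(ops); // release the COM+ proxy deterministically
        }
    }
}
```

The assembly must be strong-named before regsvcs.exe will register it, and the COM+ application's identity and the membership of the WebCallers role are set in Component Services rather than in code. This is what removes the credential-storage problem both replies raise: the web process never holds an administrator password, it only holds the right to call one narrow, role-checked method.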
 
Joe Kaplan \(MVP - ADSI\)
 
      10-06-2005
Agreed. I was just trying to explain the available approaches. The COM+
method is definitely the way to go. However, he may not want to deal with
that. As long as the risks are known (which I did not explain in any good
detail).

Joe K.

"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed) om...
> Hello Joe,
>
> please - don't use impersonation for that -
> both approaches using impersonation will get you in trouble -
>
> a) WP runs as admin
> when an attacker can take over the application - he is admin
>
> b) WP runs as ASPNET - you impersonate admin
> you need to use LogonUser for that - where do you want to store the admin
> pwd - what happens with password change policy a.s.o...
>
> write a local COM+ server (even remoting would be ok that has the
> necessary privileges - factor out the code - and call into it from your
> ASP.NET app
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> You can impersonate an administrator for the duration of the call, or
>> you can run the worker process as the administrator and undo the
>> impersonation during the call. You can also put the admin code in a
>> COM+ application that runs under a different identity.
>>
>> The WindowsImpersonationContext starts and stops impersonation. The
>> only other thing is getting the logon token for the administrator to
>> use to impersonate. The MSDN docs on WindowsImpersonationContext have
>> a good sample on that though. Then the problem is securely storing
>> the credentials...
>>
>> Joe K.
>>
>> "Raster Space" <(E-Mail Removed)> wrote in message
>> news:di3v0t$pdn$(E-Mail Removed)...
>>
>>> I have managed Web Application running on ASPNET user rights. How can
>>> I execute certain (not all) methods with administrator privileges?
>>> Any ideas?
>>>




 
 
Raster
 
      10-07-2005
Thanks guys! The COM+ method works just fine.

Joe Kaplan (MVP - ADSI) wrote:
> Agreed. I was just trying to explain the available approaches. The COM+
> method is definitely the way to go. However, he may not want to deal with
> that. As long as the risks are known (which I did not explain in any good
> detail ).
>
> Joe K.
>
> "Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
> wrote in message news:(E-Mail Removed) om...
>
>>Hello Joe,
>>
>>please - don't use impersonation for that -
>>both approaches using impersonation will get you in trouble -
>>
>>a) WP runs as admin
>>when an attacker can take over the application - he is admin
>>
>>b) WP runs as ASPNET - you impersonate admin
>>you need to use LogonUser for that - where do you want to store the admin
>>pwd - what happens with password change policy a.s.o...
>>
>>write a local COM+ server (even remoting would be ok that has the
>>necessary privileges - factor out the code - and call into it from your
>>ASP.NET app
>>
>>---------------------------------------
>>Dominick Baier - DevelopMentor
>>http://www.leastprivilege.com
>>
>>
>>>You can impersonate an administrator for the duration of the call, or
>>>you can run the worker process as the administrator and undo the
>>>impersonation during the call. You can also put the admin code in a
>>>COM+ application that runs under a different identity.
>>>
>>>The WindowsImpersonationContext starts and stops impersonation. The
>>>only other thing is getting the logon token for the administrator to
>>>use to impersonate. The MSDN docs on WindowsImpersonationContext have
>>>a good sample on that though. Then the problem is securely storing
>>>the credentials...
>>>
>>>Joe K.
>>>
>>>"Raster Space" <(E-Mail Removed)> wrote in message
>>>news:di3v0t$pdn$(E-Mail Removed)...
>>>
>>>
>>>>I have managed Web Application running on ASPNET user rights. How can
>>>>I execute certain (not all) methods with administrator privileges?
>>>>Any ideas?
>>>>


 