Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Remote control of windows service with windows 2003 server

Reply
Thread Tools

Remote control of windows service with windows 2003 server

 
 
pberna
Guest
Posts: n/a
 
      11-13-2004
Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)

Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)

Any idea ?

Thank you
Best Regards


 
Reply With Quote
 
 
 
 
Scott Allen
Guest
Posts: n/a
 
      11-14-2004
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <(E-Mail Removed)> wrote:

>Dear all,
>
>I built a Web Form application to start and stop a Windows Service remotely.
>I successful tested the application on Windows 2000 server + IIS. I must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server platform, I'm
>not able to do the same things in the Windows 2003 server edition where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I know
>that in Windows 2003 server the default account for a ASPNET applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>


 
Reply With Quote
 
 
 
 
=?Utf-8?B?cGJlcm5h?=
Guest
Posts: n/a
 
      11-15-2004
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?

Thank you
Paolo

"Scott Allen" wrote:

> Hi pberna:
>
> It's generally a bad idea to run ASP.NET under an administrator
> account, as it makes it easier for a malicious user to have admin
> rights on a machine. Have you investigated impersonation?
> http://msdn.microsoft.com/library/de...ersonation.asp
>
> As for the NETWORK SERVICE account, there are two types of accounts on
> the machine: user accounts and built in security principals. The built
> in security principals do not appear in the list of users. You can
> still add them to a group if you go to My computer -> Manage ->
> Groups. You can right click a group and select Properties, then click
> Add. You can type in the name you need, or click Advanced and Find Now
> to select the principal from a list - you'll notice at the top of the
> dialog under Object Types the dialog will search for both user objects
> and built in security principal objects.
>
> In any case, a best practice is to avoid elevating the privileges of
> any of these built in accounts. Impersonation is a safer approach.
>
> --
> Scott
> http://www.OdeToCode.com/blogs/scott/
>
> On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <(E-Mail Removed)> wrote:
>
> >Dear all,
> >
> >I built a Web Form application to start and stop a Windows Service remotely.
> >I successful tested the application on Windows 2000 server + IIS. I must
> >include the ASPNET user
> >to the Administration group (on server side) to have the necessary
> >authorization to start a Windows Service (I don't understand why "Power
> >User" rights are not enough to do the same thing)
> >
> >Although I'm able to start a service using windows 2000 server platform, I'm
> >not able to do the same things in the Windows 2003 server edition where the
> >same Web Form application has been installed (.NET framework has been
> >installed by default during Windows server installation process). I know
> >that in Windows 2003 server the default account for a ASPNET applications is
> >NETWORK SERVICE, but I don't find any user with this name in the user
> >list/group. If I try to create this user and error message tell me that the
> >NETWORK SERVICE user is already defined. The problem is that it doesn't
> >appear in the user list (My computer-> Manage > user)
> >
> >Any idea ?
> >
> >Thank you
> >Best Regards
> >

>
>

 
Reply With Quote
 
Scott Allen
Guest
Posts: n/a
 
      11-15-2004
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<(E-Mail Removed)> wrote:

>Dear Scott,
>
>Thanks for your indications
>I red the article, but I'm not sure if impersonation is applicable to the
>Forms
>authentication mode. What do you think ? Am I wrong ?
>
>1) If impersonation is also active using the Forms authentication mode,
>should the user name related to the token "userName"
>
><identity impersonate="true" userName="contoso\Jane" password="pass"/>
>
>be equal to a Windows User name ?
>
>2) Are there any relationship between Windows password of a Windows User and
>the password of the same User indicated in the web.config file ?
>
>3) If the ASPNET impersonate a user using the Forms authentication mode,it
>means that the .NET application can access to all resource available for that
>user ?
>
>Thank you
>Paolo
>
>"Scott Allen" wrote:
>
>> Hi pberna:
>>
>> It's generally a bad idea to run ASP.NET under an administrator
>> account, as it makes it easier for a malicious user to have admin
>> rights on a machine. Have you investigated impersonation?
>> http://msdn.microsoft.com/library/de...ersonation.asp
>>
>> As for the NETWORK SERVICE account, there are two types of accounts on
>> the machine: user accounts and built in security principals. The built
>> in security principals do not appear in the list of users. You can
>> still add them to a group if you go to My computer -> Manage ->
>> Groups. You can right click a group and select Properties, then click
>> Add. You can type in the name you need, or click Advanced and Find Now
>> to select the principal from a list - you'll notice at the top of the
>> dialog under Object Types the dialog will search for both user objects
>> and built in security principal objects.
>>
>> In any case, a best practice is to avoid elevating the privileges of
>> any of these built in accounts. Impersonation is a safer approach.
>>
>> --
>> Scott
>> http://www.OdeToCode.com/blogs/scott/
>>
>> On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <(E-Mail Removed)> wrote:
>>
>> >Dear all,
>> >
>> >I built a Web Form application to start and stop a Windows Service remotely.
>> >I successful tested the application on Windows 2000 server + IIS. I must
>> >include the ASPNET user
>> >to the Administration group (on server side) to have the necessary
>> >authorization to start a Windows Service (I don't understand why "Power
>> >User" rights are not enough to do the same thing)
>> >
>> >Although I'm able to start a service using windows 2000 server platform, I'm
>> >not able to do the same things in the Windows 2003 server edition where the
>> >same Web Form application has been installed (.NET framework has been
>> >installed by default during Windows server installation process). I know
>> >that in Windows 2003 server the default account for a ASPNET applications is
>> >NETWORK SERVICE, but I don't find any user with this name in the user
>> >list/group. If I try to create this user and error message tell me that the
>> >NETWORK SERVICE user is already defined. The problem is that it doesn't
>> >appear in the user list (My computer-> Manage > user)
>> >
>> >Any idea ?
>> >
>> >Thank you
>> >Best Regards
>> >

>>
>>


 
Reply With Quote
 
pberna
Guest
Posts: n/a
 
      11-15-2004
Dear Scott,

Thank again. I'm trying to use your indication now

The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on http protocol. Sorry but I'm moving the first step on this
technology

Regards,
Paolo

"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
news(E-Mail Removed)...
> Hi pberna:
>
> Impersonation is more difficult in forms authentication. If you use
> the username and password attributes of the <identity> tag then yes,
> you are passing the username and password for a windows account. Every
> local resource ASP.NET touches will be done with the credentials
> specified in the <identity> tag, for example, file access, service
> control, connecting to a database with a trusted connection.
>
> Is the web application soley for the purpose of controlling the
> service? Is it exposed to the Internet?
>
> --
> Scott
> http://www.OdeToCode.com/blogs/scott/
>
> On Mon, 15 Nov 2004 07:10:03 -0800, pberna
> <(E-Mail Removed)> wrote:
>
>>Dear Scott,
>>
>>Thanks for your indications
>>I red the article, but I'm not sure if impersonation is applicable to the
>>Forms
>>authentication mode. What do you think ? Am I wrong ?
>>
>>1) If impersonation is also active using the Forms authentication mode,
>>should the user name related to the token "userName"
>>
>><identity impersonate="true" userName="contoso\Jane" password="pass"/>
>>
>>be equal to a Windows User name ?
>>
>>2) Are there any relationship between Windows password of a Windows User
>>and
>>the password of the same User indicated in the web.config file ?
>>
>>3) If the ASPNET impersonate a user using the Forms authentication mode,it
>>means that the .NET application can access to all resource available for
>>that
>>user ?
>>
>>Thank you
>>Paolo
>>
>>"Scott Allen" wrote:
>>
>>> Hi pberna:
>>>
>>> It's generally a bad idea to run ASP.NET under an administrator
>>> account, as it makes it easier for a malicious user to have admin
>>> rights on a machine. Have you investigated impersonation?
>>> http://msdn.microsoft.com/library/de...ersonation.asp
>>>
>>> As for the NETWORK SERVICE account, there are two types of accounts on
>>> the machine: user accounts and built in security principals. The built
>>> in security principals do not appear in the list of users. You can
>>> still add them to a group if you go to My computer -> Manage ->
>>> Groups. You can right click a group and select Properties, then click
>>> Add. You can type in the name you need, or click Advanced and Find Now
>>> to select the principal from a list - you'll notice at the top of the
>>> dialog under Object Types the dialog will search for both user objects
>>> and built in security principal objects.
>>>
>>> In any case, a best practice is to avoid elevating the privileges of
>>> any of these built in accounts. Impersonation is a safer approach.
>>>
>>> --
>>> Scott
>>> http://www.OdeToCode.com/blogs/scott/
>>>
>>> On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <(E-Mail Removed)> wrote:
>>>
>>> >Dear all,
>>> >
>>> >I built a Web Form application to start and stop a Windows Service
>>> >remotely.
>>> >I successful tested the application on Windows 2000 server + IIS. I
>>> >must
>>> >include the ASPNET user
>>> >to the Administration group (on server side) to have the necessary
>>> >authorization to start a Windows Service (I don't understand why "Power
>>> >User" rights are not enough to do the same thing)
>>> >
>>> >Although I'm able to start a service using windows 2000 server
>>> >platform, I'm
>>> >not able to do the same things in the Windows 2003 server edition
>>> >where the
>>> >same Web Form application has been installed (.NET framework has been
>>> >installed by default during Windows server installation process). I
>>> >know
>>> >that in Windows 2003 server the default account for a ASPNET
>>> >applications is
>>> >NETWORK SERVICE, but I don't find any user with this name in the user
>>> >list/group. If I try to create this user and error message tell me that
>>> >the
>>> >NETWORK SERVICE user is already defined. The problem is that it doesn't
>>> >appear in the user list (My computer-> Manage > user)
>>> >
>>> >Any idea ?
>>> >
>>> >Thank you
>>> >Best Regards
>>> >
>>>
>>>

>



 
Reply With Quote
 
Scott Allen
Guest
Posts: n/a
 
      11-15-2004
Hi Paolo:

I understand, this is a tricky area to be in especially if it is your
first step.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 19:06:12 GMT, "pberna" <(E-Mail Removed)> wrote:

>Dear Scott,
>
>Thank again. I'm trying to use your indication now
>
>The application is used only to start/stop a service remotely and to
>launch/terminate an application remotely. Yes, the application is exposed to
>the internet.
>I think that I could also use Windows Authentication instead of Web Form
>authentication, but I have a company firewall between the client and the
>server (under my full control), so I want to be sure that all messages are
>based on http protocol. Sorry but I'm moving the first step on this
>technology
>
>Regards,
>Paolo
>
>"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
>news(E-Mail Removed).. .
>> Hi pberna:
>>
>> Impersonation is more difficult in forms authentication. If you use
>> the username and password attributes of the <identity> tag then yes,
>> you are passing the username and password for a windows account. Every
>> local resource ASP.NET touches will be done with the credentials
>> specified in the <identity> tag, for example, file access, service
>> control, connecting to a database with a trusted connection.
>>
>> Is the web application soley for the purpose of controlling the
>> service? Is it exposed to the Internet?
>>
>> --
>> Scott
>> http://www.OdeToCode.com/blogs/scott/
>>
>> On Mon, 15 Nov 2004 07:10:03 -0800, pberna
>> <(E-Mail Removed)> wrote:
>>
>>>Dear Scott,
>>>
>>>Thanks for your indications
>>>I red the article, but I'm not sure if impersonation is applicable to the
>>>Forms
>>>authentication mode. What do you think ? Am I wrong ?
>>>
>>>1) If impersonation is also active using the Forms authentication mode,
>>>should the user name related to the token "userName"
>>>
>>><identity impersonate="true" userName="contoso\Jane" password="pass"/>
>>>
>>>be equal to a Windows User name ?
>>>
>>>2) Are there any relationship between Windows password of a Windows User
>>>and
>>>the password of the same User indicated in the web.config file ?
>>>
>>>3) If the ASPNET impersonate a user using the Forms authentication mode,it
>>>means that the .NET application can access to all resource available for
>>>that
>>>user ?
>>>
>>>Thank you
>>>Paolo
>>>
>>>"Scott Allen" wrote:
>>>
>>>> Hi pberna:
>>>>
>>>> It's generally a bad idea to run ASP.NET under an administrator
>>>> account, as it makes it easier for a malicious user to have admin
>>>> rights on a machine. Have you investigated impersonation?
>>>> http://msdn.microsoft.com/library/de...ersonation.asp
>>>>
>>>> As for the NETWORK SERVICE account, there are two types of accounts on
>>>> the machine: user accounts and built in security principals. The built
>>>> in security principals do not appear in the list of users. You can
>>>> still add them to a group if you go to My computer -> Manage ->
>>>> Groups. You can right click a group and select Properties, then click
>>>> Add. You can type in the name you need, or click Advanced and Find Now
>>>> to select the principal from a list - you'll notice at the top of the
>>>> dialog under Object Types the dialog will search for both user objects
>>>> and built in security principal objects.
>>>>
>>>> In any case, a best practice is to avoid elevating the privileges of
>>>> any of these built in accounts. Impersonation is a safer approach.
>>>>
>>>> --
>>>> Scott
>>>> http://www.OdeToCode.com/blogs/scott/
>>>>
>>>> On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <(E-Mail Removed)> wrote:
>>>>
>>>> >Dear all,
>>>> >
>>>> >I built a Web Form application to start and stop a Windows Service
>>>> >remotely.
>>>> >I successful tested the application on Windows 2000 server + IIS. I
>>>> >must
>>>> >include the ASPNET user
>>>> >to the Administration group (on server side) to have the necessary
>>>> >authorization to start a Windows Service (I don't understand why "Power
>>>> >User" rights are not enough to do the same thing)
>>>> >
>>>> >Although I'm able to start a service using windows 2000 server
>>>> >platform, I'm
>>>> >not able to do the same things in the Windows 2003 server edition
>>>> >where the
>>>> >same Web Form application has been installed (.NET framework has been
>>>> >installed by default during Windows server installation process). I
>>>> >know
>>>> >that in Windows 2003 server the default account for a ASPNET
>>>> >applications is
>>>> >NETWORK SERVICE, but I don't find any user with this name in the user
>>>> >list/group. If I try to create this user and error message tell me that
>>>> >the
>>>> >NETWORK SERVICE user is already defined. The problem is that it doesn't
>>>> >appear in the user list (My computer-> Manage > user)
>>>> >
>>>> >Any idea ?
>>>> >
>>>> >Thank you
>>>> >Best Regards
>>>> >
>>>>
>>>>

>>

>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Upgrading from x32 Server 2003 r2 to x64 server 2003 r2 clucas009 Windows 64bit 4 03-26-2009 11:38 PM
Faulting application error occured while installing SQL Server service pack 3a(sp3a) on Windows Server 2003 Ent 64bit Edition Joshua Son Windows 64bit 0 03-16-2007 01:09 AM
Problem with ASP.NET Remote Debugging on Windows 2003 Server jcomber@southwestwater.co.uk ASP .Net 0 12-06-2005 12:03 PM
Remote Assistance fails to connect, remote remote host name could not be resolved Peter Sale Wireless Networking 1 12-11-2004 09:09 PM
Windows 2003 Server or Exchange Server 2003 first????? Ozzie MCSA 1 11-30-2004 01:10 AM



Advertisments