Re: NTFS + Impersonation + Asp.Net
From: David Fanning (dfanning@europeancredit.com)
Date: 09/20/02
- Next message: Assaf Wodeslavsky: "does the asp.net forms based authentication have a counterpart in winforms?"
- Previous message: Alexander Kudakov: "win2k SP3 destroys my applications"
- In reply to: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Next in thread: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Reply: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Fanning" <dfanning@europeancredit.com> Date: Fri, 20 Sep 2002 07:46:22 -0700
Thanks for your help 'Dirk' ;)

I tried both the auditing and an html file; sure enough an ASP process was trying to access something and the html was behaving as I would have expected (i.e. denying access to the TestUser).

As far as securing the aspx, asmx etc. files on an NT account basis goes, I still don't really have a solution at a file level.

It seems that once a user has been authenticated against a web site (asp.net), he/she can hop to another webpage (presuming they know the address and it's a .net page) without any problem as far as NTFS is concerned (because the page is being accessed by the ASP identity rather than the user's identity). This surely can't be the case!

So far all I've read about NTFS and ASP.net is people saying enable the ASP process to run under a SYSTEM identity; this at best is a cop out from the real problem of poor security.
>-----Original Message-----
>I think Willy is right then about the ASPNET account being the user doing the work for you because you have MACHINE set as your worker process user.
>
>Have you tried using the auditing for NTFS? (go to the properties of the folder, on the Security tab, click the Advanced button and then go to the auditing tab and add in your ASPNET account, your TestUser account and see who actually gets the NTFS Success Audit in Event Viewer?) That would tell you exactly who is accessing the folder then ;)
>
>Could another thing to try be to create a plain html page with the same Deny permissions and see if your TestUser is able to access that, just to see if .NET is anything to do with your problem?
>
>>-----Original Message-----
>>Sorry for the confusion.
>>
>>This is the SetUp:
>>1. processModel in machine.config is running as "machine".
>>2. Website is set for windows authen. + impersonate user.
>>3. IIS set for Windows Authen. + certificate required.
>>4. Certificate is mapped to a user account 'TestUser'.
>>5. I apply NTFS DENY permissions for the 'TestUser' to an aspx file within the site.
>>6. When accessing the aspx via a url, the certificates correctly map the user to 'TestUser', however the page is still shown.
>>
>>The page is shown even though the user identity as set by IIS is 'TestUser' and the aspx file has DENY permissions for the 'TestUser'.
>>
>>So basically if you map a user to a certain NT account when accessing a site, can you not deny that user access to aspx files through NTFS? It appears not!
>>
>>David
>>
>>
>>>-----Original Message-----
>>>i'm a little confused here now :(
>>>
>>>i thought if you set a username and password in the processModel part of the machine.config file (is this what u did David?) you then ran .NET under that account at all times, so that you could uniform all NTFS permissions on web folders, SQL server roles, Active Directory LDAP permissions, etc and have everything running under a single managed account instead of switching between the ASPNET worker process and the user accounts?
>>>
>>>>-----Original Message-----
>>>>Ok, so is the bottom line that you cannot protect aspx, asmx files with NTFS using NT User accounts?
>>>>
>>>>Isn't that quite a big oversight on security?
>>>>
>>>>David
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>No, the worker process runs as "aspnet" or any other principal as configured in your machine.config file, note that the process is shared by all asp.net applications and that process must be able to touch/compile all pages, your code actually never touches a page.
>>>>>Your request will be handled by a "worker process" thread from the thread pool, and only this thread will run with the impersonation access token, when your code loads a new page/assembly or calls a not yet JITTED method, a thread switch will occur and the loader or Jitter will run using the "aspnet" process token.
>>>>>
>>>>>Willy.
>>>>>
>>>>>
>>>>>
>>>>>"David Fanning" <dfanning@europeancredit.com> wrote in message news:3f8701c26093$a7b08e20$35ef2ecf@TKMSFTNGXA11...
>>>>>> Sorry for the last reply, guess I didn't read your reply.
>>>>>>
>>>>>> So are you saying that it's not possible to protect framework recognised pages (aspx, etc.) with NTFS permissions because you still have to give permissions to the asp.net worker process to access the page?
>>>>>>
>>>>>> I thought since I'm using impersonation that the worker process would take the identity of the NT User account and so allow me to place permissions on files for that user account.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> David
>>>>>>
>>>>>>
>>>>>> >-----Original Message-----
>>>>>> >What page are you talking about?
>>>>>> >Note that .aspx .asmx etc. pages are read by the worker asp.net process BEFORE your code executes.
>>>>>> >
>>>>>> >Willy.
>>>>>> >
>>>>>> >"David Fanning" <dfanning@europeancredit.com> wrote in message news:380e01c2608f$4426f9b0$2ae2c90a@phx.gbl...
>>>>>> >>
>>>>>> >> Ok, apologies, I know Impersonation has been done to death however I couldn't find much help about NTFS file permissions and Asp.Net.
>>>>>> >>
>>>>>> >> My problem is as follows;
>>>>>> >> I've deployed an Asp.Net app so it impersonates the user logging in with a valid certificate (certificate mapping).
>>>>>> >> I'm pretty sure the impersonation is working correctly, I've checked both the User.Identity.Name and the more useful System.Security.Principal.WindowsIdentity.GetCurrent().Name and both appeared to reflect the correct NT Account.
>>>>>> >>
>>>>>> >> HOWEVER, as a test I set NTFS file permissions to refuse access to a web page for this NT Account (TestUser). Guess what, the web page was still shown.
>>>>>> >>
>>>>>> >> What's going on here, I thought any 'Deny' NTFS permissions take precedence over 'Grant'.
>>>>>> >>
>>>>>> >> Are there any good resources that explain, preferably with an example, exactly how to setup NTFS file security with an Asp.Net app executing under a specific 'User' NT account.
>>>>>> >>
>>>>>> >> Many Thanks
>>>>>> >>
>>>>>> >> David
>>>>>> >>
>>>>>> >>
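Added example, not from the thread or any of its posters: a web.config for the setup David describes that expresses the per-user deny as an ASP.NET URL authorization rule rather than an NTFS ACL on the .aspx file, since the thread establishes that the page file itself is read under the worker process token. It assumes a machine named WEBSRV and a protected page Secret.aspx; both are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread). Placeholders: WEBSRV = machine name,
     Secret.aspx = the page that TestUser must not be able to open. -->
<configuration>
  <system.web>
    <!-- IIS performs the certificate-to-account mapping; ASP.NET trusts that identity -->
    <authentication mode="Windows" />

    <!-- Request-handling threads run under the mapped NT account (TestUser),
         but page loading/compilation still happens under the worker process token,
         so an NTFS DENY on Secret.aspx alone does not stop the request. -->
    <identity impersonate="true" />

    <!-- Site-wide: refuse anonymous callers; per-page rules follow in <location> -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page rule evaluated by ASP.NET against the authenticated user on every
       request, before the handler for the page is created. Rules are matched top
       to bottom, so the deny for TestUser must come before the catch-all allow. -->
  <location path="Secret.aspx">
    <system.web>
      <authorization>
        <deny users="WEBSRV\TestUser" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same <location> pattern can list a folder instead of a single page, and a denied request receives 401 rather than the page content regardless of which token reads the .aspx file.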