Re: COM INterop Security Problem

From: Stefu (stefanroth@hotmail.com)
Date: 11/25/02 

From: "Stefu" <stefanroth@hotmail.com>
Date: Mon, 25 Nov 2002 15:34:43 +0100

Hi Ricardo

If you use ASP.NET to call DCOM components you have to consider several
security issues. Use the links below to get a better understanding of
ASP.NET Security.

I can give you some hints:

1) check the authentication mode of your web site! Do the users connect
anonymous? If yes, what standrad account does IIS use to make the calls?
(Directory Security -> configure a domain account, instead of a local
account). Uncheck all other authentication types, if the users connect
anonymous.

2) impersonate worker thread calls. In the web.config file of your web app
insert the <identity impersonate="true" /> tag.
This leads to impersonation of the worker threads. In case of anonymous
authentication, the configured IIS standard account is used to call the COM
components.

Hope this helps

Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/
authaspdotnet.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht
ml/secnetlpmsdn.asp?frame=true

"Ricardo Martins" <ricarddo@terra.com.br> wrote in message
news:151d401c2947a$98c03710$89f82ecf@TK2MSFTNGXA01...
All,

    In my company we are using a main application running
over MTS (Windows NT 4) enviroment. This main application
has some COM components (DLLīs) that you can use to access
the main application features.
    The MTS used in main application for a security issue,
request user must be in a DOMAIN to use the system and
itīs true using our COM components too.
    I deploy a little .NET (VB.NET) component using a COM
Interop Version of these DLLīs.
    When I run my dot.net application using Windows Forms
the application works fine, but when I try to use the
component in ASP.NET page I allways receive an exception
from COM component.
    The exception details said that a security error
occurred.
     I think that the problem happen 'cause when I use the
component over ASP.NET enviroment the ASPNET is sent to
MTS enviroment but this user doesnīt exists.
     What I need to do to send a valid user from a
specific domain over ASP.NET page to MTS COM component
enviroment?

Regards
Ricardo Martins
ricarddo@terra.com.br

Relevant Pages

  • Risks Digest 25.73
    ... German electronic health card system failure ... Risks of the Cloud: Liquid Motors ... Oakland 2010, IEEE Symposium on Security and Privacy, CFP ... A friend's facebook account was hacked recently (a neat little short-term ...
    (comp.risks)
  • Re: MBSA, Office Update, Versions, Failures
    ... I apologize for posting this to three groups (MBSA, Windows Update, ... with Domain User account. ... Microsoft Baseline Security Advisor (? ... Office 2000 Security Patches - Red X's, ...
    (microsoft.public.officeupdate)
  • Re: write with cURL
    ... you can stop making excuses. ... up an account for you, process the billing, etc. ... possible features from a web site to make up for the security issues. ... Nothing you have told me shows me you know how to lock down a server ...
    (alt.php)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • [NEWS] Vulnerability Enables Passport Account Hijackings (No Secret Question)
    ... Beyond Security in Canada ... to promote the most advanced vulnerability assessment solutions today. ... A newly disclosed vulnerability could enable attackers to reset the ... who needs to reset his account password can be manipulated by attackers on ...
    (Securiteam)