Re: WebControls error in an application running under an impersonate identity
From: Larry Hastings (greg.@remove-me.unixsucks.com)
Date: 11/28/02
- In reply to: Alex Muntean: "Re: WebControls error in an application running under an impersonate identity"
From: "Larry Hastings" <greg.@remove-me.unixsucks.com> Date: Wed, 27 Nov 2002 20:15:37 -0600
Well,
It's actually a question of what would be worse from a security point of view: to have a domain account and password listed in a plain
text file on your system, or to run under the Local System account. Remember that if you use a domain account and your application
crashes, hackers would have a domain account to play around your entire AD domain. If it is the Local System account, then only the local
system is affected. Also you'd be saved from the hassles of managing passwords, changing them when a developer leaves the company etc.,
locked accounts because of security policy changes etc. etc. I have been managing IIS servers for a big company and none of my
servers have been hacked so far, because if you go with 2 basic principles you'd be secure from the get-go: remove all unnecessary
services, mappings, and files from the system, and update to the latest security patches. Now, we have an issue that we have tons of service
accounts which are not getting their passwords changed; these accounts are referenced in several files, docs etc. Accounts get locked out
from time to time and it's difficult to pinpoint where it's happening etc. I vote with both hands for a password-free environment
compared to storing a password anywhere. Now, in .NET 1.1 there would be a possibility to store passwords in the registry in encrypted
form; that might be a good solution but it's not there yet.
Otherwise try this article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315158 and also there is another article
published somewhere on support.microsoft.com which explicitly tells which permissions are needed for a domain account.
G
"Alex Muntean" <munteana@ewc.co.jp> wrote in message news:u5HLXfnlCHA.1824@tkmsftngp04...
> Thank you for answering!
>
> I know that your solution is working. I already tried it on my development
> machine. But I don't want to run aspnet_wp.exe under the SYSTEM account
> because this will expose the system to serious threats. In all MS
> documentation I found the following two pieces of advice:
> - Avoid running ASP.NET using the SYSTEM account.
> - Avoid granting the account the “Act as part of the operating system”
> privilege.
>
> I can avoid the first one. I cannot avoid the second since the ASP.NET account has
> to impersonate a domain user, so it needs the “Act as part of the operating
> system” privilege. Anyway, somehow it doesn't work. And I think I have to
> give it some more rights... but where? :) Being part of the Users group has
> Read and Execute rights on Assembly folder. But this seems to not be enough.
>
> .a.
>
>