Re: security exception within Microsoft Application Block ExceptionManager.vb

From: Matjaz Ladava (matjaz_at__nospam_ladava.com)
Date: 05/28/03


Date: Wed, 28 May 2003 23:48:41 +0200


If you set impersonation = true then you are impersonating the IUSR account (if
you have enabled anonymous access on your IIS). To verify, use
WindowsIdentity.GetCurrent().Name in your ASP.NET application.
The ASPNET account doesn't have permission to create event logs, so it is
advised (also in the pdf you mentioned) to pre-create the event logs with an
installation program. Don't leave your ASP.NET application in charge of
creating event logs.
Quote taken from Building Secure ASP.NET....

Accessing the Event Log
Least privileged accounts have sufficient permissions to be able to write
records to the event log by using existing event sources. However, they do
not have sufficient permissions to create new event sources. This requires a
new entry to be placed beneath the following registry hive.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<log>
To avoid this issue, create the event sources used by your application at
installation time, when administrator privileges are available. A good
approach is to use a .NET installer class, which can be instantiated by the
Windows Installer (if you are using .msi deployment) or by the
InstallUtil.exe system utility if you are not.

If you are unable to create event sources at installation time, you must add
permission to the following registry key and grant access to the ASP.NET
process account (or any impersonated account if your application uses
impersonation).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
The account(s) must have the following minimum permissions:

  a. Query key value
  b. Set key value
  c. Create subkey
  d. Enumerate subkeys
  e. Notify
  f. Read
The following code can be used to write to the Application event log from
ASP.NET once permissions have been applied to the registry:

using System.Diagnostics;   // EventLog lives here

string source = "Your Application Source";
string logToWriteTo = "Application";
string eventText = "Sample Event";

// CreateEventSource writes a new subkey under
// HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log>, which is why the
// registry permissions above are needed when this runs as the ASP.NET account.
if (!EventLog.SourceExists(source))
{
  EventLog.CreateEventSource(source, logToWriteTo);
}
// Writing through an existing source needs no extra registry rights.
EventLog.WriteEntry(source, eventText, EventLogEntryType.Warning, 234);
Regards

Matjaz Ladava

"Hazzard" <hazz@sonic.net> wrote in message
news:u%23bR6CWJDHA.1656@TK2MSFTNGP10.phx.gbl...
> 70 KB .JPG attached as reference - Exhibit A.
>
> How do I solve this? Impersonation = true in machine.config or web.config
> does not work.
>
> I did remove ASP.NET from Group Administrator Policy - which not only did
> not solve the problem but also would likely give away the store in a virtual
> looting as I understand and do not want to ever test.
>
> I feel like I am a well rounded solutions provider but moments like this put
> me in the 'developer in distress' category.
>
> I am getting better on the theory - impersonation - delegation - iis -
> IUSR - windows authentication --- but I am still in the paint by number mode
> here.
>
> I was ready to plunge back into the 608 pages of secnet.pdf - Building
> Secure ASP.NET Applications..well, I am plunging back into it as I write..
>
> but if someone can help....I would be very grateful. (shouldn't it be
> greatfull?) i would be full of great...
>
> Appreciatively,
>
> Greg Hazzard
>
>
>
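As an added example (not code from the original post, nor from the Building Secure ASP.NET guide it quotes), here is the installer-class approach the quoted section recommends, in C#. An Installer subclass hosts an EventLogInstaller, so the event source is registered under HKLM\...\Services\Eventlog while administrator rights are available (InstallUtil.exe or an .msi custom action), and the ASP.NET code at runtime only writes through the existing source and never calls CreateEventSource. The class names, the source name and the TryWriteWarning helper are assumptions chosen for the example.

```csharp
// Added example, not from the original post or the guide it quotes.
// Install-time: registers the event source under admin rights.
// Runtime: writes only; no registry changes from the ASP.NET worker.
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

// Run by InstallUtil.exe (installutil.exe MyWebApp.dll) or by the Windows
// Installer when the assembly is wired in as an .msi custom action.
// Uninstall removes the source again.
[RunInstaller(true)]
public class EventSourceInstaller : Installer
{
    public EventSourceInstaller()
    {
        var logInstaller = new EventLogInstaller();
        logInstaller.Source = EventLogging.Source;  // assumed source name
        logInstaller.Log = "Application";
        Installers.Add(logInstaller);
    }
}

public static class EventLogging
{
    // Must match what the installer registered.
    public const string Source = "Your Application Source";

    // Shows which Windows account the request is really running as
    // (ASPNET, IUSR_<machine> under impersonation, etc.), as the post advises.
    public static string CurrentAccount()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Writes a warning through the pre-created source. Returns false instead
    // of trying to create the source: creation is the installer's job.
    public static bool TryWriteWarning(string text, int eventId)
    {
        try
        {
            // Caveat: SourceExists enumerates every log's registry key and can
            // itself throw SecurityException for a low-privilege account; treat
            // that the same as "source not installed".
            if (!EventLog.SourceExists(Source))
            {
                return false;
            }
            EventLog.WriteEntry(Source, text, EventLogEntryType.Warning, eventId);
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Example call from a page or global.asax error handler.
    public static void ReportFailure(Exception ex)
    {
        string msg = "Running as " + CurrentAccount() + ": " + ex.Message;
        if (!TryWriteWarning(msg, 234))
        {
            // Fall back to another sink (trace, file) rather than failing the request.
            Trace.WriteLine("Event source not installed or not writable: " + msg);
        }
    }
}
```

If TryWriteWarning returns false on a fresh server, the installer step was skipped; re-run InstallUtil.exe as an administrator rather than granting the worker account Create subkey rights on the Eventlog key.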


