Re: Thread identity

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 10/06/05


Date: Thu, 06 Oct 2005 14:05:47 -0700

Hello Joe,

please - don't use impersonation for that -

both approaches using impersonation will get you in trouble -

a) WP runs as admin
when an attacker can take over the application - he is admin

b) WP runs as ASPNET - you impersonate admin
you need to use LogonUser for that - where do you want to store the admin
pwd - what happens with password change policy a.s.o...

write a local COM+ server (even remoting would be ok :) that has the necessary
privileges - factor out the code - and call into it from your ASP.NET app

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> You can impersonate an administrator for the duration of the call, or
> you can run the worker process as the administrator and undo the
> impersonation during the call. You can also put the admin code in a
> COM+ application that runs under a different identity.
>
> The WindowsImpersonationContext starts and stops impersonation. The
> only other thing is getting the logon token for the administrator to
> use to impersonate. The MSDN docs on WindowsImpersonationContext have
> a good sample on that though. Then the problem is securely storing
> the credentials...
>
> Joe K.
>
> "Raster Space" <raster2000@hotmail.com> wrote in message
> news:di3v0t$pdn$1@phys-news1.kolumbus.fi...
>
>> I have managed Web Application running on ASPNET user rights. How can
>> I execute certain (not all) methods with administrator privileges?
>> Any ideas?
>>
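
The COM+ approach recommended in the reply, sketched as an added example (not code from the thread or its authors). The application name `AdminTasks`, the role `WebCallers`, the `RestartService` operation and the allow-listed service are all hypothetical; the original question does not say which methods need administrator rights.

```csharp
// Added illustration, not from the thread. "AdminTasks", "WebCallers" and the
// allow-listed service name are hypothetical.
// Build strong-named, register with regsvcs.exe, then set the COM+ application's
// identity to the privileged account in Component Services. The web application
// never holds the administrator password.
using System;
using System.EnterpriseServices;
using System.ServiceProcess;

[assembly: ApplicationName("AdminTasks")]
[assembly: ApplicationActivation(ActivationOption.Server)] // own dllhost.exe, own identity
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
[assembly: SecurityRole("WebCallers")] // add only the ASPNET account to this role

namespace AdminTasks
{
    public interface IAdminTasks
    {
        void RestartService(string serviceName);
    }

    [ComponentAccessControl(true)]
    [SecurityRole("WebCallers")]
    public class AdminTasksServer : ServicedComponent, IAdminTasks
    {
        // The privileged process decides what is allowed; the web app cannot widen this.
        private static readonly string[] Allowed = { "Spooler" };

        public void RestartService(string serviceName)
        {
            if (!SecurityCallContext.CurrentCall.IsCallerInRole("WebCallers"))
                throw new UnauthorizedAccessException("Caller is not in WebCallers.");
            if (Array.IndexOf(Allowed, serviceName) < 0)
                throw new ArgumentException("Service is not on the allow-list.", "serviceName");

            using (ServiceController sc = new ServiceController(serviceName))
            {
                if (sc.Status != ServiceControllerStatus.Stopped)
                {
                    sc.Stop();
                    sc.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(30));
                }
                sc.Start();
                sc.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(30));
            }
        }
    }
}
```

The ASP.NET code references this assembly and calls `new AdminTasks.AdminTasksServer().RestartService("Spooler")` while the worker process keeps running as ASPNET. A compromise of the web application then reaches only the operations this interface exposes.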


