Re: Thread identity
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/07/05
- Previous message: Joe Kaplan (MVP - ADSI): "Re: Forms authentication and search engines"
- In reply to: Dominick Baier [DevelopMentor]: "Re: Thread identity"
- Next in thread: Raster: "Re: Thread identity"
- Reply: Raster: "Re: Thread identity"
Date: Thu, 6 Oct 2005 17:06:44 -0500
Agreed. I was just trying to explain the available approaches. The COM+
method is definitely the way to go. However, he may not want to deal with
that. As long as the risks are known (which I did not explain in any good
detail :)).
Joe K.
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:42565460feb538c798e19ee8f701@news.microsoft.com...
> Hello Joe,
>
> please - don't use impersonation for that -
> both approaches using impersonation will get you in trouble -
>
> a) WP runs as admin
> when an attacker can take over the application - he is admin
>
> b) WP runs as ASPNET - you impersonate admin
> you need to use LogonUser for that - where do you want to store the admin
> pwd - what happens with password change policy a.s.o...
>
> write a local COM+ server (even remoting would be ok :) that has the
> necessary privileges - factor out the code - and call into it from your
> ASP.NET app
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> You can impersonate an administrator for the duration of the call, or
>> you can run the worker process as the administrator and undo the
>> impersonation during the call. You can also put the admin code in a
>> COM+ application that runs under a different identity.
>>
>> The WindowsImpersonationContext starts and stops impersonation. The
>> only other thing is getting the logon token for the administrator to
>> use to impersonate. The MSDN docs on WindowsImpersonationContext have
>> a good sample on that though. Then the problem is securely storing
>> the credentials...
>>
>> Joe K.
>>
>> "Raster Space" <raster2000@hotmail.com> wrote in message
>> news:di3v0t$pdn$1@phys-news1.kolumbus.fi...
>>
>>> I have a managed Web Application running on ASPNET user rights. How can
>>> I execute certain (not all) methods with administrator privileges?
>>> Any ideas?
>>>
>
>
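
The COM+ approach recommended in this thread, sketched as an added example (not code from any poster in the thread). The application name, role name, class name and the allow-listed service are hypothetical; the privileged operation shown, restarting a Windows service, is an assumption, since the thread does not say what the admin-only methods do.

```csharp
// Added example: privileged code factored out into a COM+ server application.
// PrivilegedOps, WebCallers, ServiceOps and the allow-list are hypothetical names.
using System;
using System.EnterpriseServices;
using System.ServiceProcess;

[assembly: ApplicationName("PrivilegedOps")]
// Server activation: the component runs in its own dllhost.exe under the identity
// configured for the COM+ application, not inside the ASP.NET worker process.
[assembly: ApplicationActivation(ActivationOption.Server)]
// Turn on role checks at process and component level; authenticate and encrypt calls.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy)]

public interface IServiceOps
{
    void RestartService(string serviceName);
}

[ComponentAccessControl(true)]
[SecurityRole("WebCallers")]   // only accounts placed in this role may call in
public class ServiceOps : ServicedComponent, IServiceOps
{
    // The privileged surface is one narrow operation on a fixed allow-list, so
    // taking over the web application does not yield arbitrary code as admin.
    private static readonly string[] Allowed = { "Spooler" };
    private static readonly TimeSpan Timeout = TimeSpan.FromSeconds(30);

    public void RestartService(string serviceName)
    {
        if (serviceName == null || Array.IndexOf(Allowed, serviceName) < 0)
            throw new ArgumentException("Service is not on the allow-list.");

        using (ServiceController sc = new ServiceController(serviceName))
        {
            if (sc.Status != ServiceControllerStatus.Stopped)
            {
                sc.Stop();
                sc.WaitForStatus(ServiceControllerStatus.Stopped, Timeout);
            }
            sc.Start();
            sc.WaitForStatus(ServiceControllerStatus.Running, Timeout);
        }
    }
}
```

The assembly needs a strong name and registration with regsvcs.exe. The run-as account is set on the COM+ application in Component Services and the ASPNET account is added to the role there, so the web application stores no administrator password.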