Re: Encapsulating and Securing Pre-canned ADSI calls

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/11/05

  • Next message: Nicole Calinoiu: "Re: Protecting non-asp.net folder contents with forms authentication"
    Date: Tue, 11 Jan 2005 10:52:32 -0600
    
    

    You have a bunch of possible options here.

    You could put all of your Directory Services calls in a separate DLL and put
    it in COM+ under the admin identity. The OS will protect the credentials
    for you. You'll want some sort of business logic security in front of that
    which decides whether the authenticated user in ASP.NET is allowed to call
    that specific function. That can be fairly complicated, but hopefully
    you've thought about how you want that to work.

    You could also set up the process account to use a specific admin identity
    and disable impersonation. That will allow the same basic thing as above.
    You'll need to be sure you control who gets to run code in your process
    though. Depending on the server version, you may need to do some work to
    protect the credentials.

    You could also use a specific identity in your DS calls directly and store
    those credentials in configuration. You may want to encrypt those somehow
    using one of the frameworks for doing that (configuration application block,
    etc.).

    Protecting who can call the code might be a little bit difficult, especially
    if you don't trust your administrators. Your business logic security layer
    can help as it can prevent people from doing unauthorized stuff, regardless
    of whether they used your app to call the function. However, if you don't
    trust your admins, you can always be hacked.

    Joe K.

    "Eugene Katz" <chudikalt_KILL_SPAM_hotmail.com> wrote in message
    news:F60EC445-8A93-4140-92BE-EE0AB71A0073@microsoft.com...
    > I am writing an ASP.NET application which handles new user registration and
    > account reset requests. The application needs to create new users in Active
    > Directory as well as reset user accounts when a password is forgotten,
    > expired or the account is locked out.
    >
    > For added security, we want to encapsulate and secure pre-canned calls to
    > AD, rather than give the ASP.NET application permissions to perform these
    > tasks in AD directly. The exposed API would also check the business logic,
    > like the correct answer to a secret question, before resetting an account.
    >
    > My question is, how do we:
    >
    > 1) Have the API obtain credentials of the user with admin rights in AD, but
    > keep other applications from obtaining the same. DLLs aren't meant to have
    > config files, so we would have to hardcode a path to one, if that was the
    > approach. (Another consideration is an executable that is called by the
    > ASP.NET app from the command line.)
    >
    > 2) Establish a trust between the ASP.NET application and the API, so that
    > other applications cannot use this API. Some sort of signed & trusted code
    > is my guess, but I'm no .NET security expert.
    >
    > Is this even doable? Is there another approach which fits better into the
    > .NET world?
    >
    > Environment-wise, the ASP.NET app and the API will run on the same machine,
    > not the same one as AD.
    >
    > Thank you in advance.
    >

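The following is an added illustration of the third option in Joe K.'s reply (a specific identity for the DS calls, with its credentials kept in configuration and encrypted), combined with the business-logic gate both posters mention. It is not code from the thread or from either poster. The appSettings key names, the `lookupStoredAnswerHash` hook and the hash scheme for secret answers are assumptions for the example; the System.DirectoryServices and DPAPI (`ProtectedData`) calls are the real .NET Framework APIs.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Security.Cryptography;
using System.Text;

// Added example (not code from the thread). The AD service account's password
// sits in the app's configuration wrapped with DPAPI, and a business-logic check
// (secret answer) runs before the pre-canned "reset password" directory write.
// Config key names and the secret-answer lookup are assumptions for illustration.
public static class AccountResetService
{
    // Hypothetical appSettings keys.
    const string SearchRootKey = "AdSearchRoot";                  // e.g. LDAP://DC=corp,DC=example,DC=com
    const string ServiceUserKey = "AdServiceUser";                // e.g. CORP\svc-accountreset
    const string ProtectedPasswordKey = "AdServicePasswordDpapi"; // Base64 of the DPAPI blob

    // Run once, as the application pool identity, to produce the config value.
    // CurrentUser scope means only that identity on this machine can unwrap it.
    public static string ProtectPasswordForConfig(string plaintextPassword)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintextPassword),
                                            null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    static string UnprotectServicePassword()
    {
        byte[] blob = Convert.FromBase64String(ConfigurationManager.AppSettings[ProtectedPasswordKey]);
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Pre-canned call: reset and unlock one account, but only after the secret
    // answer matches. lookupStoredAnswerHash is a hypothetical hook into the
    // app's own store of answer hashes, keyed by sAMAccountName.
    public static bool ResetPassword(string samAccountName, string secretAnswer, string newPassword,
                                     Func<string, byte[]> lookupStoredAnswerHash)
    {
        // Business-logic gate first: no directory write without a matching answer.
        byte[] expected = lookupStoredAnswerHash(samAccountName);
        if (expected == null || !FixedTimeEquals(HashAnswer(secretAnswer), expected))
            return false;

        string root = ConfigurationManager.AppSettings[SearchRootKey];
        string svcUser = ConfigurationManager.AppSettings[ServiceUserKey];

        using (DirectoryEntry rootEntry = new DirectoryEntry(root, svcUser, UnprotectServicePassword(),
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing))
        using (DirectorySearcher searcher = new DirectorySearcher(rootEntry))
        {
            // Escape the caller-supplied name so it cannot alter the filter (RFC 4515).
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            if (hit == null) return false;

            using (DirectoryEntry user = hit.GetDirectoryEntry()) // binds with the same service credentials
            {
                user.Invoke("SetPassword", new object[] { newPassword }); // IADsUser::SetPassword
                user.Properties["lockoutTime"].Value = 0;                 // clear any lockout
                user.Properties["pwdLastSet"].Value = 0;                  // must change at next logon
                user.CommitChanges();
                return true;
            }
        }
    }

    static byte[] HashAnswer(string answer)
    {
        // Normalise, then hash. A real store should add a per-user salt and a slow KDF.
        string normalised = (answer ?? string.Empty).Trim().ToLowerInvariant();
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(normalised));
    }

    // Compares every byte so timing does not reveal how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

The caveat from the reply still applies: anything that runs as the application pool identity on that server can call `ProtectedData.Unprotect` just as this code does, so the DPAPI wrapping only keeps the password out of plaintext config and away from other identities; it does not stop an administrator, and it does not substitute for controlling who gets to run code in the process. The secret-answer check is deliberately placed before any bind so that a caller who bypasses the web front end and calls the API directly still cannot trigger a reset without the answer.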