Re: Prevent access to advapi32.dll RevertToSelf()

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 09/27/05


Date: Tue, 27 Sep 2005 07:28:06 -0700

Hello kevin.kenny@zygonia.net,

the only way to prevent someone from calling into unmanaged code is to run
under partial trust.

Add a <trust level="Medium" /> to your web.config - and see if it affects
your application.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi All,
>
> Sorry to crosspost but it's a security and an ASP.NET problem I have.
>
> We run each website site under its own I_<user> account and ASP.NET
> is configured to impersonate so requests run under the identity of the
> I_<user> account.
>
> In Windows 2000 Server how do I prevent a user from calling
> RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.
>
> [DllImport(@"C:\WINNT\system32\advapi32.dll")]
> public static extern bool RevertToSelf();
> void Page_Load(Object sender, EventArgs e) {
>     // at this point the request is running under impersonation as I_<user>
>     RevertToSelf();
>     // afterwards it undoes the impersonation and the request is
>     // now running as <MACHINE>\ASPNET
> }
>
> I've looked into building a .NET security policy to do this but I'm a
> bit stuck.
>
> Thanks in advance.
> Kevin
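
Added example, not part of the original posts: in the per-site hosting setup described in the question, a trust level only constrains a site owner if it is set in a file the site owner cannot edit. The fragment below assumes the machine-level configuration file (machine.config on .NET 1.1, the root web.config on .NET 2.0 and later) and shows the shipped default beside a locked Medium trust setting.

```xml
<configuration>

  <!-- Shipped default, shown commented out for comparison:
       Full trust, and each site's own web.config may change it.
       Under Full trust the DllImport of RevertToSelf() in the
       question is permitted.

  <location allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>
  -->

  <!-- Hardened: Medium trust for every application on the box.
       The Medium policy does not grant SecurityPermission with the
       UnmanagedCode flag, so a P/Invoke call such as RevertToSelf()
       fails with a SecurityException instead of dropping the
       impersonated identity.
       allowOverride="false" stops a site's own web.config from
       setting <trust level="Full" /> to undo this. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>

</configuration>
```

Medium trust also removes other permissions (for example registry access and file I/O outside the application directory), so existing sites should be tested under it before the setting is locked.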


