> Hi All,
>
> Sorry to crosspost but it's a security and an ASP.NET problem I have.
>
> We run each website site under it's own I_<user> account and ASP.NET
> is configured to impersonate so requests run under the identity of the
> I_<user> account.
>
> In windows 2000 server how do I prevent a user from calling
> RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.
>
> [DllImport(@"C:\WINNT\system32\advapi32.dll")]
> public static extern bool RevertToSelf();
> void Page_Load(Object sender, EventArgs e) {
> // at this point the request is running under impersonation as
> I_<user>
> RevertToSelf();
> // afterwards it undoes the impersonation and the request is
> now running as <MACHINE>\ASPNET
> }
>
> I've looked into building a .NET security policy to do this but I'm a
> bit stuck.
>
> Thanks in advance.
> Kevin