
dotnet security : Act as part of the operating system for ASPNET - a bad idea???


cvg
7/5/2005 9:13:29 AM
Hello, a system requires the ASPNET account to be granted "Act as part
of the operating system" priv to execute LogonUser.
It's not actually my system, so I don't know much detail but so far as I
can tell this is quite a bad idea. It's certainly contradictory to MS
recommendations.

Thing is, I'm not sure just how bad an idea it really is.

I know that a process running with this priv can bypass things like
NT file permissions and can create new security tokens and generally
rough house around the operating system. BUT so far as I can tell, it's
not in itself a problem - it's only an issue if someone uses another
attack to compromise the web server in which case it makes the attack
much more potentially devastating.

Is this correct?

In .NET 1.1 MS say that ASPNET doesn't need this priv anyway - is this
correct or is it just .NET 1.1 on W2K3?

Christine

John Rusk
7/5/2005 2:01:03 PM

Christine,

Are you testing under W2k3, or under an older OS? "Act as part of the
operating system" should not be required under win 2003 and win XP. See:
http://aspalliance.com/39

Dominick Baier [DevelopMentor]
7/5/2005 2:22:29 PM
Hello cvg,

ASP.NET itself does not need this priv. If you are talking about the ASPNET
account, you are referring to XP/W2k - under W2k3 network service or another
account is used.
Generally it is a bad idea to run server daemons with elevated privileges.
If you absolutely need this priv, try to compartmentalize your app and separate
"normal" code and privileged code using, e.g. Enterprise Services. Otherwise
be really, really sure that the app consists only of robust code.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


cvg
7/6/2005 12:26:19 AM
Hi John,

Thanks for that...

The OS is W2K running .NET 1.1.

I know that you should not do this as a matter of course; the real nub
of the matter is *what actually is the risk*?
Is it as I suspect only to make a compromise worse, or does it expose
an exploit in itself?

Thanks

Christine

Joe Kaplan (MVP - ADSI)
7/6/2005 11:09:40 AM
It makes a compromise worse by giving way more privileges to an attacker
than they would have with the default ASP.NET account.

As others have suggested, the safest way to implement this would be to put
the code that calls LogonUser in a COM+ component running under a privileged
identity and then have the web app call that in order to do LogonUser. That
isolates the privileged piece as much as possible.

The very best way to solve this is to move off of Win2K server and adopt 2K3
server ASAP as this problem goes away and you get a lot of other benefits
from doing that in the first place.

Joe K.
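
A defender's check for the situation discussed in this thread, as an added example that is not part of any post: it parses a user-rights export in the INF layout written by `secedit /export /areas USER_RIGHTS` and reports which principals have been granted SeTcbPrivilege ("Act as part of the operating system"). The sample export, the SID and the function names are constructed for illustration.

```python
# Added example: audit a user-rights export for "Act as part of the operating system".
import re

TCB = "SeTcbPrivilege"  # internal name of "Act as part of the operating system"

# Constructed sample in the [Privilege Rights] INF layout; not taken from a real host.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = ASPNET,*S-1-5-21-1111111111-2222222222-3333333333-1005
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,ASPNET
[Version]
signature="$CHICAGO$"
"""

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def tcb_holders(inf_text):
    """Principals explicitly granted SeTcbPrivilege, with the '*' SID marker removed."""
    rights = {k.lower(): v for k, v in privilege_rights(inf_text).items()}
    return [p.lstrip("*") for p in rights.get(TCB.lower(), [])]

def findings(inf_text, worker_accounts=("ASPNET",)):
    """Split holders into web worker accounts (the thread's case) and others to review."""
    workers = {w.lower() for w in worker_accounts}
    holders = tcb_holders(inf_text)
    return {
        "web_worker": [h for h in holders if h.split("\\")[-1].lower() in workers],
        "other": [h for h in holders if h.split("\\")[-1].lower() not in workers],
    }

if __name__ == "__main__":
    print(findings(SAMPLE_INF))
```

An empty or missing SeTcbPrivilege line yields no findings; any entry under "web_worker" is the configuration the posters above advise against.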
