|
|
You're in the
dotnet security
group:Prevent access to advapi32.dll RevertToSelf()
dotnet security:
Sorry to crosspost but it's a security and an ASP.NET problem I have. We run each website site under it's own I_<user> account and ASP.NET is configured to impersonate so requests run under the identity of the I_<user> account. In windows 2000 server how do I prevent a user from calling RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g. [DllImport(@"C:\WINNT\system32\advapi32.dll")] public static extern bool RevertToSelf(); void Page_Load(Object sender, EventArgs e) { // at this point the request is running under impersonation as I_<user> RevertToSelf(); // afterwards it undoes the impersonation and the request is now running as <MACHINE>\ASPNET } I've looked into building a .NET security policy to do this but I'm a bit stuck. Thanks in advance. Kevin
Sorry I should also have said windows 2003 server as well.
Kevin
Hello kevin.kenny@zygonia.net,
the only way to prevent someone from calling into unmanaged code is to run under partial trust. add a <trust level="Medium /> to your web.config - and see if it affects your application. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hi All, > > Sorry to crosspost but it's a security and an ASP.NET problem I have. > > We run each website site under it's own I_<user> account and ASP.NET > is configured to impersonate so requests run under the identity of the > I_<user> account. > > In windows 2000 server how do I prevent a user from calling > RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g. > > [DllImport(@"C:\WINNT\system32\advapi32.dll")] > public static extern bool RevertToSelf(); > void Page_Load(Object sender, EventArgs e) { > // at this point the request is running under impersonation as > I_<user> > RevertToSelf(); > // afterwards it undoes the impersonation and the request is > now running as <MACHINE>\ASPNET > } > > I've looked into building a .NET security policy to do this but I'm a > bit stuck. > > Thanks in advance. > Kevin
In addition to what Dominick said, under 2003, I suggest running each app in
its own AppPool, setting the process identity to the identity you want to use and disabling impersonation via web.config. Then, it is a non-issue. Joe K. [quoted text, click to view] <kevin.kenny@zygonia.net> wrote in message news:1127826645.382804.14450@g43g2000cwa.googlegroups.com... > Sorry I should also have said windows 2003 server as well. > > Kevin >
Hello Joe,
sorry, i can only quote myself this time...: "auto impersonation is the spawn of evil" if you use autoimp to isolate web apps, upgrade to IIS6 and use application pools if you use autoimp for impersonation, do it programmatically only where you need it. otherwise this will cause headaches sooner or later. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > In addition to what Dominick said, under 2003, I suggest running each > app in its own AppPool, setting the process identity to the identity > you want to use and disabling impersonation via web.config. Then, it > is a non-issue. > > Joe K. > > <kevin.kenny@zygonia.net> wrote in message > news:1127826645.382804.14450@g43g2000cwa.googlegroups.com... > >> Sorry I should also have said windows 2003 server as well. >> >> Kevin >>
Hi Guys,
Thanks for replying. The problem I have is that this is a hosting platform that I've inherited. The servers can have up to 900 sites customer sites running on them. There is also no chance that the servers running Windows 2000 Server will be upgraded to Windows 2003 in the near future. I did think about having an AppPool per site on 2003 but there are some practicality issues here and also I'm guessing that 900 AppPools isn't really the right answer from a scalability and management aspect. As far as the medium trust thing goes, unfortunately we have customers using OleDB in conjunction with Access database files. Is it possibile to build a custom trust level that has all the restrictions of Medium trust but allow OleDbClientPermission ? Can I create a new policy file based on 'medium_trust.config' and add the OleDbClientPermission? Is this good practice? Sorry if there are obvious answers to these questions but whilst I understand the concept and use of different trust levels, I'm a bit in the unsure about what to do regarding tuning the default policies to our needs. Thanks Again Kevin ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.
Hello kevin.kenny@zygonia.net,
thanks :) unfortunately, setting to partial trust is the only way to prohibit RevertToSelf... ....and OleDb only runs under full trust. here is more info: http://www.leastprivilege.com/FullyTrustedCodeAndASPNET.aspx --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hi Guys, > > Thanks for replying. The problem I have is that this is a hosting > platform that I've inherited. The servers can have up to 900 sites > customer sites running on them. There is also no chance that the > servers running Windows 2000 Server will be upgraded to Windows 2003 > in the near future. > > I did think about having an AppPool per site on 2003 but there are > some practicality issues here and also I'm guessing that 900 AppPools > isn't really the right answer from a scalability and management > aspect. > > As far as the medium trust thing goes, unfortunately we have customers > using OleDB in conjunction with Access database files. > > Is it possibile to build a custom trust level that has all the > restrictions of Medium trust but allow OleDbClientPermission ? > > Can I create a new policy file based on 'medium_trust.config' and add > the OleDbClientPermission? Is this good practice? > > Sorry if there are obvious answers to these questions but whilst I > understand the concept and use of different trust levels, I'm a bit in > the unsure about what to do regarding tuning the default policies to > our needs. > > Thanks Again > Kevin > ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.
Hi Dominick/Joe,
Thanks for your help. Regards Kevin
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |