ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep



ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Tracy Spratt
2/23/2006 5:01:27 PM
There are tons of posts on this and I have read them all at least twice, but
still am having trouble. For now, never mind security, if I can get this to
work, I'll start re-applying restrictions.

Goal: Run an exe file, like Notepad.exe, from ASP.NET 1.1, on a Win 2003
Server

I have:
Set the application Pool identity to LocalSystem (I am running in native
IIS6 worker Process Isolation mode)
Set the user in machine.config to "SYSTEM" (Yeah, I know this is ignored
under native IIS6)
Set the Anonymous user to Administrator (bad, I know, just show me notepad)
Set the IIS Service to "Allow service to interact with desktop"
Given Everyone (and their brother) full access to system32
Made IUSER_machinename a member of Administrators

Is there some way to just turn freakin security OFF?


I CAN:
Start Notepad on my XP development box, using the code below in the "I
CAN'T section", no problemo.
on 2003, Successfully Run the testexe.bat directly from the OS, starting
Notepad.

On 2003, Successfully run a .BAT file that copies a file. VB.net snippet
below
Dim oProcess As New System.Diagnostics.Process
oProcess.StartInfo.WorkingDirectory = "C:\inetpub\wwwroot\TestBed" 'set working dir
oProcess.StartInfo.FileName = "C:\Inetpub\wwwroot\TestBed\testcopy.bat" 'filespec of the bat file
oProcess.StartInfo.Arguments = Now().Ticks.ToString() 'for unique filename
oProcess.StartInfo.UseShellExecute = False 'runs in background
oProcess.Start() 'runs the process
oProcess.Close()

I CAN'T
Get Notepad (or the exe I really want) to run on 2003, using the VB code
below:
Dim oProcess As New System.Diagnostics.Process
Dim sCommand As String = "testexe.bat" 'this file just has: notepad.exe testfile.txt
oProcess.StartInfo.WorkingDirectory = "C:\inetpub\wwwroot\TestBed" 'set working dir
oProcess.StartInfo.FileName = sCommand
oProcess.Start()
oProcess.Close()

I am so close, yet so far! Any help will be very much appreciated. My next
step is to pay for an MS support issue, which, actually sounds like a great
idea right now!

TIA,
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 5:56:28 AM
I am having the exact same problem.. My code will execute under the
ASPNET account but not under the impersonated account. I've been
working on this for days. If ANY1 can help please drop me an e-mail @
jdenis@Plusfunds.com.
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 7:06:56 AM
Hi Dominick maybe you can help with this question.

System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.RedirectStandardOutput = false;
p.StartInfo.FileName = p_DecryptSourcePath + "gpg_run.bat";
p.StartInfo.UseShellExecute = false;   // required when redirecting streams
p.StartInfo.WorkingDirectory = p_DecryptSourcePath;
p.StartInfo.RedirectStandardError = true;
p.Start();
// Read stderr before waiting: waiting first can deadlock if the child fills the pipe buffer.
String str = p.StandardError.ReadToEnd();
p.WaitForExit();
p.Dispose();

the above code will not run under the impersonated account no matter
what I try.
please help.
the batch file is supposed to decrypt some files that's it.
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 9:57:19 AM
Would the parent security token inherit from ASPNET? This process works
when I force it to use the aspnet account, and this code is working on
other machine setup similarly.. it's killing me
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 10:32:10 AM
Thank you for helping me with this. I am impersonating a domain
account.. I guess my worker process runs under that account. And I am
running IIS 6
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 12:09:20 PM
Thank you, I will look into it although I am pretty sure the NETWORK
SERVICE has all sorts of access permissions on that directory and file
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 12:47:13 PM
I am amazed how stubborn this thing is.. the worker process is running as
network service. Still can't get anywhere with this
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Dominick Baier [DevelopMentor]
3/14/2006 1:16:47 PM
hi,

so what are you expecting to see?

Notepad popping up on the server?

This won't work - service daemons run in a so-called "WindowsStation" and
are not allowed to display a UI or similar...normal non UI processing should
work...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep jeanbdenis NO[at]SPAM gmail.com
3/14/2006 1:32:27 PM
Thank you so much for your suggestion. I will give it a try. I am
going crazy here.
Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Joe Kaplan (MVP - ADSI)
3/14/2006 3:19:49 PM
Try filemon and regmon to see if you are getting some sort of access denied
when attempting to execute that. You can set them to filter on w3wp.exe.
This is the way I am usually most successful when trying to track down
permissions problems (although it does not always work).

Joe K.


Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Dominick Baier [DevelopMentor]
3/14/2006 4:16:26 PM
If you are starting a new process while impersonating - the impersonated
account will not be used, but the process will inherit the parent security
token.

I guess the process account does not have the right access rights/privileges
for what you are trying to do.

In 2.0 you can start processes using explicit credentials (but you need to
know the password).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
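
Added example (not part of the original thread, and not the posters' code): a C# console sketch of the two behaviours described in the reply above. A child started without credentials reports the process account rather than the thread's identity, and .NET 2.0's ProcessStartInfo can take explicit credentials. It assumes whoami.exe is on the path (it ships with Windows Server 2003); the domain, user name and password are hypothetical placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

static class ChildIdentityDemo
{
    // Runs whoami.exe and returns the account name it prints.
    // Pass user == null to launch with the inherited process token.
    static string RunWhoAmI(string domain, string user, SecureString password)
    {
        ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
        psi.UseShellExecute = false;       // required for redirection and for explicit credentials
        psi.RedirectStandardOutput = true;
        psi.CreateNoWindow = true;         // no UI: a service has no interactive desktop
        if (user != null)
        {
            // .NET 2.0 and later only; the password must be known to the caller.
            psi.Domain = domain;
            psi.UserName = user;
            psi.Password = password;
        }
        using (Process p = Process.Start(psi))
        {
            // Read before waiting so a full pipe cannot block the child.
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output.Trim();
        }
    }

    static void Main()
    {
        // Identity of the current thread (the impersonated account, if impersonating).
        Console.WriteLine("thread identity : " + WindowsIdentity.GetCurrent().Name);

        // No credentials supplied: the child reports the process account.
        Console.WriteLine("child (inherit) : " + RunWhoAmI(null, null, null));

        // Hypothetical placeholder credentials, constructed for illustration only.
        SecureString pw = new SecureString();
        foreach (char c in "PLACEHOLDER-PASSWORD") pw.AppendChar(c);
        pw.MakeReadOnly();
        Console.WriteLine("child (explicit): " + RunWhoAmI("EXAMPLEDOMAIN", "svc-example", pw));
    }
}
```

Run as a plain console program, the first two lines print the same account; called from an impersonating ASP.NET request, the first shows the impersonated user and the second the worker process account.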


Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Dominick Baier [DevelopMentor]
3/14/2006 5:00:56 PM
under which account does your worker process run -

is it IIS 5.x?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


Re: ASP.Net 1.1, Win 2003, IIS6, System.Diagnostics.Process, run notep Dominick Baier [DevelopMentor]
3/14/2006 6:21:59 PM
by default the worker process runs as NETWORK SERVICE in IIS6....

you can check that by examining the AppPool settings in IIS6 manager...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
