|
|
You're in the
dotnet security
group:Implement "run as" for application within application....
dotnet security:
Hello,
I have been asked to implement a 'run as' methodology in a .net application. I have read several threads regarding impersonation but have questions. Here is what I think I need to do.... I have already a 'setting' that can be maintained off of the tool menu so that the 'run as' creditentials can be maintained. I encode and decode the password just in case. Now I want this 'impersonation' to override current creditentials for the program while it is running. Should this be done in the 'load' and 'close' of the main screen of the application? Also, I read something about a powerful setting , something like ' as part of the operating system'. Is this neccessary for the original application user or for the creditentials being used in the impersonation? Basically, the staff wants the application to execute in a 'run as' mode. Can you someone provide some assistance? Thank you in advance.
Well, I don't know much about ProecessStartInformation but I'll look into it.
What I have done do far was to create an impersonate class and in the load routine start the impersonation and in the close routine end impersonaton. Will this work? [quoted text, click to view] "Dominick Baier" wrote:
> Should this happen "inside" your app - like on the current thread - or do > you want to spawn a separate process? > > for a) > > - create a token from the credentials (use LogonUser for that) > - call WindowsIdentity.Impersonate on that token (put that into a using block) > > for b) > > - supply credentials in a ProcessStartInformation > - pass the PSI into Process.Start > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > Hello, > > > > I have been asked to implement a 'run as' methodology in a .net > > application. I have read several threads regarding impersonation but > > have questions. > > > > Here is what I think I need to do.... > > > > I have already a 'setting' that can be maintained off of the tool menu > > so that the 'run as' creditentials can be maintained. I encode and > > decode the password just in case. Now I want this 'impersonation' to > > override current creditentials for the program while it is running. > > > > Should this be done in the 'load' and 'close' of the main screen of > > the application? Also, I read something about a powerful setting , > > something like ' as part of the operating system'. Is this neccessary > > for the original application user or for the creditentials being used > > in the impersonation? > > > > Basically, the staff wants the application to execute in a 'run as' > > mode. Can you someone provide some assistance? > > > > Thank you in advance. > > > > Dean. > > > >
Should this happen "inside" your app - like on the current thread - or do
you want to spawn a separate process? for a) - create a token from the credentials (use LogonUser for that) - call WindowsIdentity.Impersonate on that token (put that into a using block) for b) - supply credentials in a ProcessStartInformation - pass the PSI into Process.Start ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Hello, > > I have been asked to implement a 'run as' methodology in a .net > application. I have read several threads regarding impersonation but > have questions. > > Here is what I think I need to do.... > > I have already a 'setting' that can be maintained off of the tool menu > so that the 'run as' creditentials can be maintained. I encode and > decode the password just in case. Now I want this 'impersonation' to > override current creditentials for the program while it is running. > > Should this be done in the 'load' and 'close' of the main screen of > the application? Also, I read something about a powerful setting , > something like ' as part of the operating system'. Is this neccessary > for the original application user or for the creditentials being used > in the impersonation? > > Basically, the staff wants the application to execute in a 'run as' > mode. Can you someone provide some assistance? > > Thank you in advance. > > Dean. >
You shouldn't do that.
Impersonation should only be done a limited amount of time. Historically impersonation only affects the main thread - .NET works around that behavior for most cases. But you might experience anomalies when creating new threads or doing other kinds of thread switches (e.g. when calling COM components). If you want a process to run under a certain identity - start it like that. Process.Start accomplishes that. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Well, I don't know much about ProecessStartInformation but I'll look > into it. > What I have done do far was to create an impersonate class and in the > load > routine start the impersonation and in the close routine end > impersonaton. > Will this work? > > "Dominick Baier" wrote: > >> Should this happen "inside" your app - like on the current thread - >> or do you want to spawn a separate process? >> >> for a) >> >> - create a token from the credentials (use LogonUser for that) - call >> WindowsIdentity.Impersonate on that token (put that into a using >> block) >> >> for b) >> >> - supply credentials in a ProcessStartInformation >> - pass the PSI into Process.Start >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Hello, >>> >>> I have been asked to implement a 'run as' methodology in a .net >>> application. I have read several threads regarding impersonation but >>> have questions. >>> >>> Here is what I think I need to do.... >>> >>> I have already a 'setting' that can be maintained off of the tool >>> menu so that the 'run as' creditentials can be maintained. I encode >>> and decode the password just in case. Now I want this >>> 'impersonation' to override current creditentials for the program >>> while it is running. >>> >>> Should this be done in the 'load' and 'close' of the main screen of >>> the application? Also, I read something about a powerful setting , >>> something like ' as part of the operating system'. Is this >>> neccessary for the original application user or for the >>> creditentials being used in the impersonation? >>> >>> Basically, the staff wants the application to execute in a 'run as' >>> mode. Can you someone provide some assistance? >>> >>> Thank you in advance. >>> >>> Dean. >>>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |