Hi James,
Thank you for using MSDN Newsgroup! My name is Steven, and I'll be
assisting you on this issue.
From your description, you'd like to use some older c++ dlls in your
ASP.NET web application. Since these dlls may depend on C++Runtime. You are
wanting some infos on how to generate the access permission so as for those
unmanaged code to be executed properly.
If there is anything I misunderstood, please feel free to let me know.
Based on my research, generally in dotnet, when we need to use some unsafe
code in our application, but we don't want the caller application to have
such high permission. We'd like to use the "Wrapper Code":
here is the description on "Wrapper Code" in MSDN:
------------------------------
Wrapper code, especially where the wrapper has higher trust than code that
uses it, can open a unique set of security weaknesses. Anything done on
behalf of a caller, where the caller's limited permissions are not included
in the appropriate security check, is a potential weakness to be exploited.
Never enable something through the wrapper that the caller could not do
itself. This is a special danger when doing something that involves a
limited security check, as opposed to a full stack walk demand. When
single-level checks are involved, interposing the wrapper code between the
real caller and the API element in question can easily cause the security
check to succeed when it should not, thereby weakening security.
--------------------------------
For more detailed info on secure code in dotnet , you can visit the
following link in MSDN:
#Secure Coding Guidelines
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsecurecodingguidel
ines.asp?frame=true
As for the situation you described, I think you may first write a wrapper
class to encapsulate those unamanged dlls's functions. This wrapper class
could be a C# or VB.NET assemblies or Managed C++ Asseblies. And then, call
this wrapper component in ASP.NET , thus can make the ASP.NET less strict
on code access security.
Also, as for the "Add the security for IUSR_<system name> to the System32
directory" you mentioned. This only add the permission for the IUSR_<system
name> to access the system32 directory. In fact, by default the ASP.NET's
worker process will run under the MACHINE\ASPNET account , and the code it
executed and resources accessed will use this account to check the
permission. For more information on the ASP.NET security model, you can
have a look at the following tech articles:
http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp?frame=t
rue
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch03.asp?frame=t
rue
So based on different condition, the account under which ASP.NET process is
executed will be different, you need to set the permission for the
appropriate account in different situations.
In addition, I've searched some problems which may occur when called
Managed or Unmanaged C++ components
in ASP.NET, you may also have a check to see whether it helps:
#BUG: AppDomainUnloaded Exception When You Use Managed Extensions for C++
Components
http://support.microsoft.com/default.aspx?scid=kb;en-us;309694
Please check out the above items. If you have need any assistance, please
feel free to let me know.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
