Prevent access to advapi32.dll RevertToSelf()

Discussion in 'ASP .Net Security' started by kevin.kenny@zygonia.net, Sep 27, 2005.

  1. Guest

    Hi All,

    Sorry to crosspost but it's a security and an ASP.NET problem I have.

    We run each website under its own I_<user> account and ASP.NET is
    configured to impersonate so requests run under the identity of the
    I_<user> account.

    In windows 2000 server how do I prevent a user from calling
    RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.

    using System.Runtime.InteropServices;

    [DllImport(@"C:\WINNT\system32\advapi32.dll")]
    public static extern bool RevertToSelf();

    void Page_Load(Object sender, EventArgs e) {
        // at this point the request is running under impersonation as I_<user>
        RevertToSelf();
        // afterwards it undoes the impersonation and the request is now
        // running as <MACHINE>\ASPNET
    }

    I've looked into building a .NET security policy to do this but I'm a
    bit stuck.

    Thanks in advance.
    Kevin
    , Sep 27, 2005
    #1

  2. Guest

    Sorry I should also have said windows 2003 server as well.

    Kevin
    , Sep 27, 2005
    #2

  3. Hello ,

    the only way to prevent someone from calling into unmanaged code is to run
    under partial trust.

    add a <trust level="Medium" /> to your web.config - and see if it affects
    your application.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi All,
    >
    > Sorry to crosspost but it's a security and an ASP.NET problem I have.
    >
    > We run each website site under it's own I_<user> account and ASP.NET
    > is configured to impersonate so requests run under the identity of the
    > I_<user> account.
    >
    > In windows 2000 server how do I prevent a user from calling
    > RevertToSelf() in advapi32.dll and unwinding the impersonation? e.g.
    >
    > [DllImport(@"C:\WINNT\system32\advapi32.dll")]
    > public static extern bool RevertToSelf();
    >
    > void Page_Load(Object sender, EventArgs e) {
    >     // at this point the request is running under impersonation as I_<user>
    >     RevertToSelf();
    >     // afterwards it undoes the impersonation and the request is now
    >     // running as <MACHINE>\ASPNET
    > }
    >
    > I've looked into building a .NET security policy to do this but I'm a
    > bit stuck.
    >
    > Thanks in advance.
    > Kevin
    Dominick Baier [DevelopMentor], Sep 27, 2005
    #3
  4. In addition to what Dominick said, under 2003, I suggest running each app in
    its own AppPool, setting the process identity to the identity you want to
    use and disabling impersonation via web.config. Then, it is a non-issue.

    Joe K.

    <> wrote in message
    news:...
    > Sorry I should also have said windows 2003 server as well.
    >
    > Kevin
    >
    Joe Kaplan (MVP - ADSI), Sep 28, 2005
    #4
  5. Hello Joe,

    sorry, I can only quote myself this time...: "auto impersonation is the spawn
    of evil"

    If you use autoimp to isolate web apps, upgrade to IIS 6 and use application
    pools.
    If you use autoimp for impersonation, do it programmatically only where you
    need it.

    Otherwise this will cause headaches sooner or later.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > In addition to what Dominick said, under 2003, I suggest running each
    > app in its own AppPool, setting the process identity to the identity
    > you want to use and disabling impersonation via web.config. Then, it
    > is a non-issue.
    >
    > Joe K.
    >
    > <> wrote in message
    > news:...
    >
    >> Sorry I should also have said windows 2003 server as well.
    >>
    >> Kevin
    >>
    Dominick Baier [DevelopMentor], Sep 28, 2005
    #5
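The pattern Dominick recommends in #5, as an added example that is not code from the thread: the worker process keeps its own identity, and the per-site account is impersonated only around the one operation that needs it, with the token reverted when the scope ends, even if the work throws. The account name, domain and password are parameters here; the thread does not say where a host would keep them, and the file path in the usage line is a placeholder.

```csharp
// Added example, not code from the thread. Scoped programmatic impersonation
// instead of <identity impersonate="true"/> for the whole request: the thread
// runs as the process identity by default and as the site account only inside
// RunAs(). The credentials and file path are supplied by the caller.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ScopedImpersonation
{
    // advapi32!LogonUser returns a token for the account. A network logon is
    // the cheapest type and is sufficient for impersonated local file access.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // .NET 2.0 has no parameterless Action delegate, so declare the callback type.
    public delegate T Work<T>();

    public static T RunAs<T>(string user, string domain, string password, Work<T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            WindowsIdentity siteIdentity = new WindowsIdentity(token);
            // Impersonate() swaps the thread token; disposing the context calls
            // Undo(), so the identity is restored even when work() throws.
            using (WindowsImpersonationContext ctx = siteIdentity.Impersonate())
            {
                return work();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Console driver: run it as the hosting account and pass the site account's
    // credentials to watch the thread identity change and revert.
    // Usage: ScopedImpersonation.exe I_example MYHOST <password> C:\sites\example\data.txt
    public static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.Error.WriteLine("usage: user domain password file");
            return 1;
        }
        Console.WriteLine("before: " + WindowsIdentity.GetCurrent().Name);
        string whoDidTheWork = RunAs<string>(args[0], args[1], args[2], delegate
        {
            // Inside the scope every Win32 access check uses the site account,
            // so a file ACL'd to I_<user> alone is readable here and nowhere else.
            File.ReadAllText(args[3]);
            return WindowsIdentity.GetCurrent().Name;
        });
        Console.WriteLine("during: " + whoDidTheWork);
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().Name);
        return 0;
    }
}
```

With request-wide auto-impersonation, as in Kevin's setup, the impersonated token is the only thing standing between a tenant's page and the process identity, and any fully trusted code can drop it with RevertToSelf. With the scoped form, the tenant's own code already runs as the process identity, so reverting gains it nothing. Note the limit Dominick draws in #5: on a single shared worker process that process identity is common to every site, so this pattern does not isolate tenants from each other; that is what Joe's application pool per site on IIS 6 provides.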
  6. Guest

    Hi Guys,

    Thanks for replying. The problem I have is that this is a hosting
    platform that I've inherited. The servers can have up to 900 customer
    sites running on them. There is also no chance that the servers running
    Windows 2000 Server will be upgraded to Windows 2003 in the near future.

    I did think about having an AppPool per site on 2003 but there are some
    practicality issues here and also I'm guessing that 900 AppPools isn't
    really the right answer from a scalability and management aspect.

    As far as the medium trust thing goes, unfortunately we have customers
    using OleDB in conjunction with Access database files.

    Is it possible to build a custom trust level that has all the
    restrictions of Medium trust but allows OleDbClientPermission?

    Can I create a new policy file based on 'medium_trust.config' and add
    the OleDbClientPermission? Is this good practice?

    Sorry if there are obvious answers to these questions but whilst I
    understand the concept and use of different trust levels, I'm a bit
    unsure about what to do regarding tuning the default policies to
    our needs.

    Thanks Again
    Kevin
    ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.
    , Sep 28, 2005
    #6
  7. Hello ,

    thanks :)

    Unfortunately, setting to partial trust is the only way to prohibit RevertToSelf...

    ...and OleDb only runs under full trust.

    here is more info:
    http://www.leastprivilege.com/FullyTrustedCodeAndASPNET.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Guys,
    >
    > Thanks for replying. The problem I have is that this is a hosting
    > platform that I've inherited. The servers can have up to 900 customer
    > sites running on them. There is also no chance that the servers running
    > Windows 2000 Server will be upgraded to Windows 2003 in the near
    > future.
    >
    > I did think about having an AppPool per site on 2003 but there are
    > some practicality issues here and also I'm guessing that 900 AppPools
    > isn't really the right answer from a scalability and management
    > aspect.
    >
    > As far as the medium trust thing goes, unfortunately we have customers
    > using OleDB in conjunction with Access database files.
    >
    > Is it possible to build a custom trust level that has all the
    > restrictions of Medium trust but allows OleDbClientPermission?
    >
    > Can I create a new policy file based on 'medium_trust.config' and add
    > the OleDbClientPermission? Is this good practice?
    >
    > Sorry if there are obvious answers to these questions but whilst I
    > understand the concept and use of different trust levels, I'm a bit
    > unsure about what to do regarding tuning the default policies to
    > our needs.
    >
    > Thanks Again
    > Kevin
    > ps: Dominick, I enjoyed your sessions at DevWeek2005 this year.
    Dominick Baier [DevelopMentor], Sep 28, 2005
    #7
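An added configuration example, not from the thread, pulling together Dominick's `<trust level="Medium" />` (#3), Joe's disabled impersonation (#4) and Kevin's custom policy file question (#6, #7). It assumes ASP.NET 2.0's machine-level web.config at %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config; the HostingMedium level and web_hostingmediumtrust.config file are hypothetical names for a copy of web_mediumtrust.config. The check a hosting setup needs is the one Dominick's one-liner leaves implicit: a trust level set in the site's own web.config is set in a file the customer edits, so it has to be locked from the root.

```xml
<!-- Added example, not configuration from the thread. Machine-level web.config
     (ASP.NET 2.0, assumed path %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config). -->
<configuration>
  <system.web>
    <securityPolicy>
      <!-- The built-in levels ship in this element. A custom level is a copy of
           web_mediumtrust.config, edited and registered here; the name and file
           below are hypothetical. -->
      <trustLevel name="Full"          policyFile="internal" />
      <trustLevel name="High"          policyFile="web_hightrust.config" />
      <trustLevel name="Medium"        policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"           policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal"       policyFile="web_minimaltrust.config" />
      <trustLevel name="HostingMedium" policyFile="web_hostingmediumtrust.config" />
    </securityPolicy>
  </system.web>

  <!-- Weak form: the same setting placed in a customer's site web.config,
       which the customer can simply change back to Full:
       <system.web><trust level="Medium" /></system.web> -->

  <!-- Locked form: a <location> with no path covers every site below this
       directory, and allowOverride="false" makes any <trust> element in a
       tenant web.config a configuration error instead of an override. -->
  <location allowOverride="false">
    <system.web>
      <trust level="HostingMedium" />
      <!-- Joe's IIS 6 layout (#4): one application pool per site running as
           the site account, requests run as the process identity. Leave this
           out on the Windows 2000 servers, where the per-request impersonation
           is what Kevin's isolation relies on. -->
      <identity impersonate="false" />
    </system.web>
  </location>
</configuration>
```

Under any of the partial-trust levels the P/Invoke in Kevin's first post fails with a SecurityException, because calling unmanaged code needs the UnmanagedCode flag of SecurityPermission, which none of the shipped partial-trust policy files grant. The copied policy file answers the mechanics of Kevin's question in #6, but not the OLE DB part: as Dominick says in #7, OleDb only runs under full trust, so adding an OleDbPermission entry to the copied file does not make the Access customers work under it.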
  8. Guest

    Hi Dominick/Joe,

    Thanks for your help.

    Regards
    Kevin
    , Oct 3, 2005
    #8
