Registry access permission doesn't obey impersonated user

Karim

I have an asp.net application that impersonates a user. I did a test for
reading a registry key and noticed that the app can read the key even
though the user does not have access to that key. The aspnet user does not
have access either. After denying read access to the key for different
users, I found out that the INTERACTIVE user is the one that determines the
permissions.

How can I deny asp.net apps from reading the registry? Why isn't the app
following the impersonated user's registry permissions?

karim
 
alexey

Karim,

Could you give me a hint how to create such a code to impersonate from
ASPNET and read the Registry? I am working on a similar application right
now and can't make impersonation work.

Thanks

Alexey

(e-mail address removed)
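The following is an added example and not code posted by anyone in this thread. It shows the explicit route Hernan asks about below (calling LogonUser): log on as the account, impersonate it on the current thread, read the key under that token, and undo the impersonation. It also prints which well-known group SIDs the token carries, because a Deny ACE on a group such as INTERACTIVE applies to the impersonated account whenever that group's SID is in its token, and an interactive-type logon puts it there. The account name "donald", its password and the key HKLM\SOFTWARE\mykey\myvalue are placeholders; WindowsIdentity.Groups and SecurityIdentifier need .NET 2.0 or later.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

// Added example for this thread, not code posted by any participant.
// Logs on a local account with LogonUser, impersonates it on the current
// thread, reads a registry value under that token and undoes the
// impersonation. Account, password and key path are placeholders.
public static class ImpersonatedRegistryRead
{
    // Logon types from winbase.h. An INTERACTIVE logon puts the INTERACTIVE
    // group SID in the token; a NETWORK logon puts NETWORK in it instead.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads HKLM\SOFTWARE\mykey\myvalue while impersonating. Returns the value
    // text, or a "denied: ..." string when the kernel access check rejects the open.
    public static string ReadAs(string userName, string domain, string password, int logonType)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new InvalidOperationException("LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = new WindowsIdentity(token).Impersonate();

            // This is the token the registry ACL is evaluated against. If the
            // read ran on a thread that is not impersonating, this line would
            // report the process account (SYSTEM or ASPNET) instead.
            WindowsIdentity current = WindowsIdentity.GetCurrent();
            Console.WriteLine("read runs as {0}; token has INTERACTIVE: {1}; token has NETWORK: {2}",
                current.Name,
                HasGroup(current, WellKnownSidType.InteractiveSid),
                HasGroup(current, WellKnownSidType.NetworkSid));

            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\mykey"))
            {
                if (key == null) return "key not found";
                object value = key.GetValue("myvalue");
                return value == null ? "value not found" : value.ToString();
            }
        }
        catch (SecurityException e)
        {
            // RegistryKey reports ERROR_ACCESS_DENIED as "Requested registry
            // access is not allowed", the message shown later in this thread.
            return "denied: " + e.Message;
        }
        finally
        {
            if (ctx != null) ctx.Undo();   // back to the process/request token
            CloseHandle(token);
        }
    }

    // True when the well-known SID is among the token's group SIDs; a Deny
    // ACE on that group then applies to this identity.
    public static bool HasGroup(WindowsIdentity identity, WellKnownSidType sidType)
    {
        SecurityIdentifier wanted = new SecurityIdentifier(sidType, null);
        return identity.Groups != null && identity.Groups.Contains(wanted);
    }

    public static void Main()
    {
        // "." means the local machine's account database.
        Console.WriteLine(ReadAs("donald", ".", "placeholder-password", LOGON32_LOGON_INTERACTIVE));
        Console.WriteLine(ReadAs("donald", ".", "placeholder-password", LOGON32_LOGON_NETWORK));
    }
}
```

Under `<identity impersonate="true" userName="..." password="..."/>` ASP.NET performs the logon and impersonation for the request thread itself, so inside a page only the WindowsIdentity.GetCurrent() line and the read are needed; the line is worth keeping, since it tells you which account the ACL check was really made against. On Windows 2000 the process calling LogonUser must hold SeTcbPrivilege (LocalSystem has it, the ASPNET account does not); Windows XP and later drop that requirement. The Undo in the finally block matters in either case: if it is skipped, the worker thread stays impersonated after your code returns.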
 
Hernan Ochoa

how are you impersonating? by calling LogonUser?
does your app use windows auth and impersonation?
 
Karim

> Karim,
>
> Could you give me a hint how to create such a code to impersonate from
> ASPNET and read the Registry? I am working on a similar application right
> now and can't make impersonation work.
>
> Thanks
>
> Alexey

I am using the <identity impersonate="true" userName=".." password=".."> tag in
web.config. While file access permissions are being followed correctly, the
registry permissions are not making sense to me. Let's say username is
'donald'. When I have deny read permissions for aspnet and donald on that
registry key, my asp.net app can still read the registry key!
The user that actually determines the access is INTERACTIVE. I don't want
any asp.net app to be able to read *any* registry key. If I deny INTERACTIVE
read access on the whole registry, I probably will break something on the
system?

karim
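Before denying INTERACTIVE across the whole registry, it helps to see which ACEs on the one key actually match the token that performs the read, and to place a Deny on that key alone. The following is an added example, not code from this thread: it lists the key's ACEs, marks the ones whose SID is the current token's user SID or one of its group SIDs (which is what the access check compares), and adds a per-key Deny for a named account. The key path and account name are placeholders, and the RegistrySecurity API needs .NET 2.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example for this thread, not code posted by any participant.
// Lists the ACEs on one registry key and marks those whose SID is in the
// current token, then shows a per-key Deny as the narrow alternative to
// denying INTERACTIVE on the whole hive. Key path and account are placeholders.
public static class RegistryAclCheck
{
    // One line per ACE: type, rights, principal, inherited?, applies to me?
    public static List<string> DescribeAces(string subKey)
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        List<string> lines = new List<string>();

        // Request only READ_CONTROL. KEY_READ includes READ_CONTROL, so a
        // full "deny Read" on the key still requires running this as an
        // account the DACL does not deny (e.g. an administrator).
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
                   subKey, RegistryKeyPermissionCheck.ReadSubTree, RegistryRights.ReadPermissions))
        {
            if (key == null)
            {
                lines.Add("key not found: " + subKey);
                return lines;
            }
            RegistrySecurity sec = key.GetAccessControl(AccessControlSections.Access);
            foreach (RegistryAccessRule rule in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
                bool appliesToMe = sid.Equals(me.User) || (me.Groups != null && me.Groups.Contains(sid));
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = sid.Value; }
                lines.Add(string.Format("{0,-5} {1,-28} {2,-36} inherited={3} applies-to-me={4}",
                    rule.AccessControlType, rule.RegistryRights, name, rule.IsInherited, appliesToMe));
            }
        }
        return lines;
    }

    // Adds an explicit Deny of KEY_READ for one account on this key only.
    // In a canonical DACL explicit Deny ACEs are evaluated before Allow ACEs,
    // so this overrides an Allow the account gets through a group such as
    // INTERACTIVE or Users, without touching any other key.
    public static void DenyReadOnKey(string subKey, string account)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
                   subKey, RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
        {
            if (key == null) throw new ArgumentException("key not found: " + subKey);
            RegistrySecurity sec = key.GetAccessControl(AccessControlSections.Access);
            sec.AddAccessRule(new RegistryAccessRule(
                new NTAccount(account), RegistryRights.ReadKey, AccessControlType.Deny));
            key.SetAccessControl(sec);
        }
    }

    public static void Main(string[] args)
    {
        string subKey = args.Length > 0 ? args[0] : @"SOFTWARE\mykey";
        Console.WriteLine("checking as " + WindowsIdentity.GetCurrent().Name);
        foreach (string line in DescribeAces(subKey))
            Console.WriteLine(line);
    }
}
```

Run DescribeAces from the same place the real read happens (the page handler, under the same `<identity>` settings) rather than from a console as yourself; the "applies-to-me" column is only meaningful for the token that will do the read.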
 
Hernan Ochoa

> I am using the <identity impersonate="true" userName=".." password=".."> tag in
> web.config. While file access permissions are being followed correctly, the
> registry permissions are not making sense to me. Let's say username is
> 'donald'. When I have deny read permissions for aspnet and donald on that
> registry key, my asp.net app can still read the registry key!
> The user that actually determines the access is INTERACTIVE. I don't want
> any asp.net app to be able to read *any* registry key. If I deny INTERACTIVE
> read access on the whole registry, I probably will break something on the
> system?
>
> karim

if you're using the <identity> tag in your web.config file, then your app is
running under the context of the user you've specified in the <identity> tag,
and not under the aspnet account. Maybe that's your problem.

bye!
Hernan
 
Karim

> if you're using the <identity> tag in your web.config file, then your app is
> running under the context of the user you've specified in the <identity> tag,
> and not under the aspnet account. Maybe that's your problem.

Like I said, I denied the user in the identity (donald in this case) read
access to the registry key. I added aspnet user to the deny just in case
the asp.net uses the 'aspnet' user. The asp.net app was still able to read
the registry key.

Karim
 
Hernan Ochoa

Hi,

so, I tested accessing the registry from an asp.net app and everything works
fine, this is what I did:

-I created a webapp called testwebapp
-added a button and a label
-the handler for the button is:

LabelTest.Text =
Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToSt
ring();


-I created the registry key and value

-I load the webapp, click the button, and the content is shown, as expected.

-now, I use regedt32, I change the permissions on the key so ASPNET is
DENIED read and full control to the key

-now, I click on the button, and as expected, the following is shown:



Server Error in '/testwebapp' Application.
----------------------------------------------------------------------------
----

Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Requested registry
access is not allowed.

Source Error:

Line 50: private void Button1_Click(object sender, System.EventArgs e)
Line 51: {
Line 52: LabelTest.Text =
Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToSt
ring();
Line 53:
Line 54: }

Source File: webform1.aspx.cs Line: 52

Stack Trace:

[SecurityException: Requested registry access is not allowed.]
Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
+440
Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in
webform1.aspx.cs:52
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108

System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePo
stBackEvent(String eventArgument) +58
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler
sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +2075
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionSte
p.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +87



----------------------------------------------------------------------------
----




I don't know, maybe you can post the exact code you're using so we can try
to see if that has something to do with the

problem you're experiencing.



bye!
 
Karim

> Hi,
>
> so, I tested accessing the registry from an asp.net app and everything works
> fine, this is what I did:
>
> -I created a webapp called testwebapp
> -added a button and a label
> -the handler for the button is:
>
> LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
>
> -I created the registry key and value
>
> -I load the webapp, click the button, and the content is shown, as expected.
>
> -now, I use regedt32, I change the permissions on the key so ASPNET is
> DENIED read and full control to the key


One thing I want to mention is that you didn't impersonate anyone.
I did a test on a different machine (2000 pro) and used your sample. I
found out it's the SYSTEM user that controls the access. aspnet user didn't
have any effect whether I denied read or not, the app read the key fine.

What do you have as a user in the processModel section in your
machine.config? Mine is System and Autogenerate for password.

Karim
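The two settings the thread keeps circling are the worker-process identity in machine.config and the per-request impersonation in web.config. The fragments below are an added illustration, not configuration posted by anyone here; "donald" and the password are placeholders. They apply to ASP.NET 1.x under the IIS 5 process model, where processModel is honored (under IIS 6 worker-process isolation the application pool identity takes its place).

```xml
<!-- machine.config, <system.web> section (ASP.NET 1.x, IIS 5 process model).
     userName="System" runs aspnet_wp.exe as LocalSystem, which is what Karim
     reports; userName="machine" runs it as the low-privilege ASPNET account.
     A registry ACE on SYSTEM or ASPNET therefore governs any read that happens
     while the thread is NOT impersonating (process identity). -->
<processModel enable="true" userName="machine" password="AutoGenerate" />

<!-- web.config. With these attributes ASP.NET logs the account on and
     impersonates it on the request thread only; a read done on that thread is
     checked against donald's token (and every group SID in it, INTERACTIVE
     included if the logon type adds it), while the process keeps the
     processModel identity. Attribute names are case-sensitive: userName. -->
<identity impersonate="true" userName="donald" password="placeholder-password" />
```

Two practical notes. First, log WindowsIdentity.GetCurrent().Name at the exact line that opens the key: if it prints the processModel account rather than donald, the read is not running on an impersonating thread, and that, not a registry quirk, is why SYSTEM or ASPNET decides the outcome. Second, a plaintext password in web.config is readable by anyone who can read the file; ASP.NET 1.1 can instead load userName and password from an encrypted registry entry written by aspnet_setreg.exe, which keeps the credential out of the config file.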
 
