Registry access permission doesn't obey impersonated user

Discussion in 'ASP .Net Security' started by Karim, Sep 3, 2003.

  1. Karim

    Karim Guest

    I have an asp.net application that impersonates a user. I did a test for
    reading a registry key and noticed that the app can read the key even
    though the user does not have access to that key. aspnet user does not have
    access either. After denying read access to the key for different
    users, I found out that the INTERACTIVE user is the one that determines the
    permissions.

    How can I deny asp.net apps from reading the registry? Why isn't the app
    following the impersonated user's registry permissions?

    karim
    Karim, Sep 3, 2003
    #1

  2. Karim

    alexey Guest

    Karim,

    Could you give me a hint how to create such a code to impersonate from
    ASPNET and read the Registry? I am working on a similar application right
    now and can't make impersonation work.

    Thanks

    Alexey



    "Karim" <karim3411@!!yahoo!!.com> wrote in message
    news:ee30ngspkbua$...
    >
    > I have an asp.net application that impersonates a user. I did a test for
    > reading a registry key and noticed that the app can read the key even
    > though the user does not have access to that key. aspnet user does not have
    > access either. After denying read access to the key for different
    > users, I found out that the INTERACTIVE user is the one that determines the
    > permissions.
    >
    > How can I deny asp.net apps from reading the registry? Why isn't the app
    > following the impersonated user's registry permissions?
    >
    > karim
    alexey, Sep 3, 2003
    #2

  3. Karim

    Hernan Ochoa Guest

    How are you impersonating? By calling LogonUser?
    Does your app use Windows auth and impersonation?


    "Karim" <karim3411@!!yahoo!!.com> wrote in message
    news:ee30ngspkbua$...
    >
    > I have an asp.net application that impersonates a user. I did a test for
    > reading a registry key and noticed that the app can read the key even
    > though the user does not have access to that key. aspnet user does not have
    > access either. After denying read access to the key for different
    > users, I found out that the INTERACTIVE user is the one that determines the
    > permissions.
    >
    > How can I deny asp.net apps from reading the registry? Why isn't the app
    > following the impersonated user's registry permissions?
    >
    > karim
    Hernan Ochoa, Sep 3, 2003
    #3
  4. Karim

    Karim Guest

    On Wed, 3 Sep 2003 06:25:19 -0400, alexey wrote:

    > Karim,
    >
    > Could you give me a hint how to create such a code to impersonate from
    > ASPNET and read the Registry? I am working on a similar application right
    > now and can't make impersonation work.
    >
    > Thanks
    >
    > Alexey
    >
    >
    >
    > "Karim" <karim3411@!!yahoo!!.com> wrote in message
    > news:ee30ngspkbua$...
    >>
    >> I have an asp.net application that impersonates a user. I did a test for
    >> reading a registry key and noticed that the app can read the key even
    >> though the user does not have access to that key. aspnet user does not have
    >> access either. After denying read access to the key for different
    >> users, I found out that the INTERACTIVE user is the one that determines the
    >> permissions.
    >>
    >> How can I deny asp.net apps from reading the registry? Why isn't the app
    >> following the impersonated user's registry permissions?
    >>
    >> karim


    I am using the <identity impersonate=true username=.. password=.. tag in
    web.config. While file access permissions are being followed correctly, the
    registry permissions are not making sense to me. Let's say username is
    'donald'. When I have deny read permissions for aspnet and donald on that
    registry key, my asp.net app can still read the registry key!
    The user that actually determines the access is INTERACTIVE. I don't want
    any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
    read access on the whole registry, I probably will break something on the
    system?

    karim
    Karim, Sep 3, 2003
    #4
  5. Karim

    Hernan Ochoa Guest

    > I am using the <identity impersonate=true username=.. password=.. tag in
    > web.config. While file access permissions are being followed correctly, the
    > registry permissions are not making sense to me. Let's say username is
    > 'donald'. When I have deny read permissions for aspnet and donald on that
    > registry key, my asp.net app can still read the registry key!
    > The user that actually determines the access is INTERACTIVE. I don't want
    > any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
    > read access on the whole registry, I probably will break something on the
    > system?
    >
    > karim


    If you're using the <identity> tag in your web.config file, then your app is
    running under the context of the user you've specified in the <identity> tag,
    and not under the aspnet account. Maybe that's your problem.

    bye!
    Hernan
    Hernan Ochoa, Sep 4, 2003
    #5
  6. Karim

    Karim Guest

    On Thu, 4 Sep 2003 00:09:33 -0300, Hernan Ochoa wrote:

    >> I am using the <identity impersonate=true username=.. password=.. tag in
    >> web.config. While file access permissions are being followed correctly, the
    >> registry permissions are not making sense to me. Let's say username is
    >> 'donald'. When I have deny read permissions for aspnet and donald on that
    >> registry key, my asp.net app can still read the registry key!
    >> The user that actually determines the access is INTERACTIVE. I don't want
    >> any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
    >> read access on the whole registry, I probably will break something on the
    >> system?
    >>
    >> karim
    >
    > If you're using the <identity> tag in your web.config file, then your app is
    > running under the context of the user you've specified in the <identity> tag,
    > and not under the aspnet account. Maybe that's your problem.


    Like I said, I denied the user in the identity (donald in this case) read
    access to the registry key. I added aspnet user to the deny just in case
    the asp.net uses the 'aspnet' user. The asp.net app was still able to read
    the registry key.

    Karim
    Karim, Sep 4, 2003
    #6
  7. Karim

    Hernan Ochoa Guest

    Hi,

    so, I tested accessing the registry from an asp.net app and everything works
    fine, this is what I did:

    -I created a webapp called testwebapp
    -added a button and a label
    -the handler for the button is:

    LabelTest.Text =
        Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();


    -I created the registry key and value

    -I load the webapp, click the button, and the content is shown, as expected.

    -now, I use regedt32, I change the permissions on the key so ASPNET is
    DENIED read and full control to the key

    -now, I click on the button, and as expected, the following is shown:



    Server Error in '/testwebapp' Application.
    --------------------------------------------------------------------------------

    Security Exception
    Description: The application attempted to perform an operation not allowed
    by the security policy. To grant this application the required permission
    please contact your system administrator or change the application's trust
    level in the configuration file.

    Exception Details: System.Security.SecurityException: Requested registry
    access is not allowed.

    Source Error:

    Line 50: private void Button1_Click(object sender, System.EventArgs e)
    Line 51: {
    Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
    Line 53:
    Line 54: }

    Source File: webform1.aspx.cs Line: 52

    Stack Trace:

    [SecurityException: Requested registry access is not allowed.]
    Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
    Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
    testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
    System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
    System.Web.UI.Page.ProcessRequestMain() +2075
    System.Web.UI.Page.ProcessRequest() +218
    System.Web.UI.Page.ProcessRequest(HttpContext context) +18
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

    --------------------------------------------------------------------------------




    I don't know, maybe you can post the exact code you're using so we can try
    to see if that has something to do with the problem you're experiencing.



    bye!
    Hernan Ochoa, Sep 4, 2003
    #7
  8. Karim

    Karim Guest

    On Thu, 4 Sep 2003 17:48:58 -0300, Hernan Ochoa wrote:

    > Hi,
    >
    > so, I tested accessing the registry from an asp.net app and everything works
    > fine, this is what I did:
    >
    > -I created a webapp called testwebapp
    > -added a button and a label
    > -the handler for the button is:
    >
    > LabelTest.Text =
    >     Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
    >
    >
    > -I created the registry key and value
    >
    > -I load the webapp, click the button, and the content is shown, as expected.
    >
    > -now, I use regedt32, I change the permissions on the key so ASPNET is
    > DENIED read and full control to the key
    >
    > -now, I click on the button, and as expected, the following is shown:
    >
    >
    >
    > Server Error in '/testwebapp' Application.
    > --------------------------------------------------------------------------------
    >
    > Security Exception
    > Description: The application attempted to perform an operation not allowed
    > by the security policy. To grant this application the required permission
    > please contact your system administrator or change the application's trust
    > level in the configuration file.
    >
    > Exception Details: System.Security.SecurityException: Requested registry
    > access is not allowed.
    >
    > Source Error:
    >
    > Line 50: private void Button1_Click(object sender, System.EventArgs e)
    > Line 51: {
    > Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
    > Line 53:
    > Line 54: }
    >
    > Source File: webform1.aspx.cs Line: 52
    >
    > Stack Trace:
    >
    > [SecurityException: Requested registry access is not allowed.]
    > Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
    > Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
    > testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
    > System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
    > System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
    > System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
    > System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
    > System.Web.UI.Page.ProcessRequestMain() +2075
    > System.Web.UI.Page.ProcessRequest() +218
    > System.Web.UI.Page.ProcessRequest(HttpContext context) +18
    > System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
    > System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
    >
    > --------------------------------------------------------------------------------
    >
    >
    >
    >
    > I don't know, maybe you can post the exact code you're using so we can try
    > to see if that has something to do with the problem you're experiencing.
    >
    >
    >
    > bye!


    One thing I want to mention is that you didn't impersonate anyone.
    I did a test on a different machine (2000 pro) and used your sample. I
    found out it's the SYSTEM user that controls the access. aspnet user didn't
    have any effect whether I denied read or not, the app read the key fine.

    What do you have as a user in the processModel section in your
    machine.config? Mine is System and Autogenerate for password.

    Karim
    Karim, Sep 4, 2003
    #8
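
    A diagnostic for the question the thread leaves open, added here as an example and not code from any poster: it reports which Windows identity the request thread actually runs as and marks the ACEs on the key that match that thread's token, so a deny entry for an account the thread is not running as shows up unmarked. `RegistryAccessDiagnostics` and `Describe` are hypothetical names; the registry ACL calls used require .NET Framework 2.0 or later.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

// Hypothetical helper (not from the thread). In the thread's handler:
//   LabelTest.Text = RegistryAccessDiagnostics.Describe("SOFTWARE\\mykey");
public static class RegistryAccessDiagnostics
{
    public static string Describe(string subKeyPath)
    {
        StringBuilder report = new StringBuilder();
        // GetCurrent() returns the thread token when impersonating,
        // otherwise the worker process token.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Thread identity: " + id.Name +
                " (impersonation level: " + id.ImpersonationLevel +
                ", SYSTEM: " + id.IsSystem + ")");

            // Only READ_CONTROL is requested; a SecurityException here
            // means the thread cannot even read the key's permissions.
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKeyPath,
                RegistryKeyPermissionCheck.Default, RegistryRights.ReadPermissions))
            {
                if (key == null) { report.AppendLine("Key not found."); return report.ToString(); }
                RegistrySecurity acl = key.GetAccessControl(AccessControlSections.Access);
                foreach (RegistryAccessRule ace in
                         acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                {
                    SecurityIdentifier sid = (SecurityIdentifier)ace.IdentityReference;
                    // "*" marks an ACE for the user SID or a group SID in the token.
                    bool applies = sid.Equals(id.User) ||
                                   (id.Groups != null && id.Groups.Contains(sid));
                    report.AppendLine((applies ? "* " : "  ") + ace.AccessControlType +
                        " " + ace.RegistryRights + " -> " + Resolve(sid));
                }
            }
        }
        return report.ToString();
    }

    private static string Resolve(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; } // unresolvable SID
    }
}
```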
