Remote control of windows service with windows 2003 server

Discussion in 'ASP .Net' started by pberna, Nov 13, 2004.

  1. pberna

    pberna Guest

    Dear all,

    I built a Web Form application to start and stop a Windows Service remotely.
    I successfully tested the application on Windows 2000 server + IIS. I must
    include the ASPNET user
    to the Administration group (on server side) to have the necessary
    authorization to start a Windows Service (I don't understand why "Power
    User" rights are not enough to do the same thing)

    Although I'm able to start a service using windows 2000 server platform, I'm
    not able to do the same things in the Windows 2003 server edition where the
    same Web Form application has been installed (.NET framework has been
    installed by default during Windows server installation process). I know
    that in Windows 2003 server the default account for ASPNET applications is
    NETWORK SERVICE, but I don't find any user with this name in the user
    list/group. If I try to create this user an error message tells me that the
    NETWORK SERVICE user is already defined. The problem is that it doesn't
    appear in the user list (My computer-> Manage > user)

    Any idea ?

    Thank you
    Best Regards
    pberna, Nov 13, 2004
    #1

  2. pberna

    Scott Allen Guest

    Hi pberna:

    It's generally a bad idea to run ASP.NET under an administrator
    account, as it makes it easier for a malicious user to have admin
    rights on a machine. Have you investigated impersonation?
    http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp

    As for the NETWORK SERVICE account, there are two types of accounts on
    the machine: user accounts and built in security principals. The built
    in security principals do not appear in the list of users. You can
    still add them to a group if you go to My computer -> Manage ->
    Groups. You can right click a group and select Properties, then click
    Add. You can type in the name you need, or click Advanced and Find Now
    to select the principal from a list - you'll notice at the top of the
    dialog under Object Types the dialog will search for both user objects
    and built in security principal objects.

    In any case, a best practice is to avoid elevating the privileges of
    any of these built in accounts. Impersonation is a safer approach.

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    Scott Allen, Nov 14, 2004
    #2

  3. Dear Scott,

    Thanks for your indications
    I read the article, but I'm not sure if impersonation is applicable to the
    Forms
    authentication mode. What do you think ? Am I wrong ?

    1) If impersonation is also active using the Forms authentication mode,
    should the user name related to the token "userName"

    <identity impersonate="true" userName="contoso\Jane" password="pass"/>

    be equal to a Windows User name ?

    2) Is there any relationship between the Windows password of a Windows User and
    the password of the same User indicated in the web.config file ?

    3) If ASPNET impersonates a user using the Forms authentication mode, does it
    mean that the .NET application can access all resources available for that
    user ?

    Thank you
    Paolo

    pberna, Nov 15, 2004
    #3
  4. pberna

    Scott Allen Guest

    Hi pberna:

    Impersonation is more difficult in forms authentication. If you use
    the username and password attributes of the <identity> tag then yes,
    you are passing the username and password for a windows account. Every
    local resource ASP.NET touches will be done with the credentials
    specified in the <identity> tag, for example, file access, service
    control, connecting to a database with a trusted connection.

    Is the web application solely for the purpose of controlling the
    service? Is it exposed to the Internet?

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    Scott Allen, Nov 15, 2004
    #4
  5. pberna

    pberna Guest

    Dear Scott,

    Thanks again. I'm trying to use your indication now

    The application is used only to start/stop a service remotely and to
    launch/terminate an application remotely. Yes, the application is exposed to
    the internet.
    I think that I could also use Windows Authentication instead of Web Form
    authentication, but I have a company firewall between the client and the
    server (under my full control), so I want to be sure that all messages are
    based on http protocol. Sorry but I'm taking my first steps with this
    technology

    Regards,
    Paolo

    pberna, Nov 15, 2004
    #5
  6. pberna

    Scott Allen Guest

    Hi Paolo:

    I understand, this is a tricky area to be in especially if it is your
    first step.

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    Scott Allen, Nov 15, 2004
    #6