Security for a worker thread

Discussion in 'ASP .Net Security' started by maa, Feb 10, 2008.

  1. maa

    maa Guest

    How do I adjust the security for a worker thread in asp.net?
    Thanks,
    maa
    maa, Feb 10, 2008
    #1

  2. Dominick Baier, Feb 10, 2008
    #2

  3. maa

    maa Guest

    I have my main asp.net thread which can access the database using
    impersonation=true. I then create worker threads but they don't have
    rights to the db and login fails. Is there a way to delegate/transfer
    the creating thread rights to the worker thread?
    Thanks,
    maa

    "Dominick Baier" wrote:

    > could you expand a little bit more on this?
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    maa, Feb 10, 2008
    #3
  4. Yes. It depends how you create the threads. There is also a config switch

    see here: http://www.leastprivilege.com/WhatIsAspnetconfig.aspx


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I have my main asp.net thread which can access the database using
    > impersonation=true. I then create worker threads but they don't have
    > rights to the db and login fails. Is there a way to delegate/transfer
    > the creating thread rights to the worker thread?
    > Thanks,
    > maa
    Dominick Baier, Feb 10, 2008
    #4
  5. maa

    maa Guest

    Dominick,

    This will eventually go on a client site so the config switch is not
    accessible. I am using C#/.Net 2.0 so I can possibly change the create thread
    to allow the rights to flow. Is that possible?
    In other words I have access programmatically to set the rights/context for
    the new thread.

    Thanks,
    maa

    "Dominick Baier" wrote:

    > Yes. It depends how you create the threads. There is also a config switch
    >
    > see here: http://www.leastprivilege.com/WhatIsAspnetconfig.aspx
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    maa, Feb 10, 2008
    #5
  6. I am confused. Are you talking about ASP.NET or clients?

    In general impersonation information flows to newly created threads by default
    since .net 2.0.
    ASP.NET is an exception here because it was considered as a breaking change
    - that's why there is the config file to opt-in to the new behavior.

    How do you create the thread?
    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Dominick,
    >
    > This will eventually go on a client site so the config switch is not
    > accessible. I am using C#/.Net 2.0 so I can possibly change the create
    > thread to allow the rights to flow. Is that possible?
    > In other words I have access programmatically to set the
    > rights/context for the new thread.
    > Thanks,
    > maa
    Dominick Baier, Feb 10, 2008
    #6
  7. ah and btw - the account needs the SeImpersonatePrivilege to make impersonation
    work.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I am confused. Are you talking about ASP.NET or clients?
    >
    > In general impersonation information flows to newly created threads by
    > default since .net 2.0. ASP.NET is an exception here because it was
    > considered as a breaking change - that's why there is the config file
    > to opt-in to the new behavior.
    >
    > How do you create the thread?
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    Dominick Baier, Feb 10, 2008
    #7
  8. maa

    maa Guest

    I am working in Asp.Net. When I create the threads, the threads can not
    access the database. Sorry for the confusion.
    Thanks,
    maa

    "Dominick Baier" wrote:

    > I am confused. Are you talking about ASP.NET or clients?
    >
    > In general impersonation information flows to newly created threads by default
    > since .net 2.0.
    > ASP.NET is an exception here because it was considered as a breaking change
    > - that's why there is the config file to opt-in to the new behavior.
    >
    > How do you create the thread?
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    maa, Feb 10, 2008
    #8
  9. maa

    maa Guest

    Thread t1 = new Thread(new ParameterizedThreadStart(VAD));
    t1.Start(threadArgs);

    "Dominick Baier" wrote:

    > I am confused. Are you talking about ASP.NET or clients?
    >
    > In general impersonation information flows to newly created threads by default
    > since .net 2.0.
    > ASP.NET is an exception here because it was considered as a breaking change
    > - that's why there is the config file to opt-in to the new behavior.
    >
    > How do you create the thread?
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    maa, Feb 10, 2008
    #9
  10. simply do a

    string username = WindowsIdentity.GetCurrent().Name in your thread proc to
    see if the impersonation token has been flowed.

    or add a watch for $user to the debug watch window

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Thread t1 = new Thread(new ParameterizedThreadStart(VAD));
    > t1.Start(threadArgs);
    Dominick Baier, Feb 10, 2008
    #10
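
One programmatic way to carry the request's identity into a manually created thread when the config switch cannot be changed, as an added example that is not code from either participant in this thread. `ImpersonatedWorker` and `WorkItem` are hypothetical names; `VAD` and `threadArgs` are the names from the post above.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

public static class ImpersonatedWorker   // hypothetical helper, not from the thread
{
    private sealed class WorkItem
    {
        public WindowsIdentity Caller;          // identity captured on the request thread
        public ParameterizedThreadStart Work;   // e.g. VAD from the post
        public object Args;                     // e.g. threadArgs from the post
    }

    // Call on the ASP.NET request thread while impersonation is in effect,
    // e.g. ImpersonatedWorker.Start(VAD, threadArgs);
    public static Thread Start(ParameterizedThreadStart work, object args)
    {
        WorkItem item = new WorkItem();
        // GetCurrent() returns the thread's impersonation token when one is set
        // (otherwise the process token) as a new object that owns its own handle,
        // so it stays valid after the request thread moves on.
        item.Caller = WindowsIdentity.GetCurrent();
        item.Work = work;
        item.Args = args;

        Thread t = new Thread(new ParameterizedThreadStart(Run));
        t.Start(item);
        return t;
    }

    private static void Run(object state)
    {
        WorkItem item = (WorkItem)state;
        WindowsImpersonationContext ctx = null;
        try
        {
            // If this throws, the work never runs under the process identity.
            ctx = item.Caller.Impersonate();
            // The check suggested above: should now show the caller's account.
            System.Diagnostics.Debug.WriteLine(WindowsIdentity.GetCurrent().Name);
            item.Work(item.Args);
        }
        finally
        {
            if (ctx != null) ctx.Undo();   // revert before the thread exits
            item.Caller.Dispose();         // release the duplicated token handle
        }
    }
}
```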