Setting IPGrant on a folder from a WebMethod

Discussion in 'ASP .Net Security' started by DAve, Feb 21, 2005.

  1. DAve

    DAve Guest

    I want to be able to limit access to a folder in IIS by IP address. I
    am trying to add IP addresses from a WebMethod to the IPGrant property.
    Here's my code:

    using System;
    using System.DirectoryServices;
    using System.Reflection;

    DirectoryEntry defaultRoot = new DirectoryEntry(
        "IIS://SERVERNAME/w3svc/1/root/examplefolder", username, password,
        AuthenticationTypes.Secure);
    defaultRoot.RefreshCache();
    object oIPSecurity = defaultRoot.Invoke("Get", new string[] { "IPSecurity" });
    Type t = oIPSecurity.GetType();
    // Get the list of granted IPs
    Array IPs = (Array)t.InvokeMember("IPGrant", BindingFlags.GetProperty,
        null, oIPSecurity, null);
    // Create a new array of IPs, one slot longer than the existing list
    object[] newIPs = new object[IPs.Length + 1];
    // Copy the existing IPs to the new array
    IPs.CopyTo(newIPs, 0);
    // Add the new value in the last slot
    newIPs.SetValue("192.168.0.21", IPs.Length);
    // Set the new IP list on the IPSecurity object
    t.InvokeMember("IPGrant", BindingFlags.SetProperty, null, oIPSecurity,
        new object[] { newIPs });
    // Write IPSecurity back to the metabase node and commit
    defaultRoot.Invoke("Put", new object[] { "IPSecurity", oIPSecurity });
    defaultRoot.CommitChanges();

    When executed, I get this error:

    System.UnauthorizedAccessException: Access is denied. at
    System.DirectoryServices.Interop.IAds.SetInfo() at
    System.DirectoryServices.DirectoryEntry.CommitChanges()

    From the research I've done, I'm concerned that the solution to this
    problem is going to be a security threat. Any thoughts or alternative
    ideas to accomplish this?

    Thanks,

    David
     
    DAve, Feb 21, 2005
    #1
  2. The IIS provider for ADSI doesn't use alternate credentials. It only works
    based on the security context of the current thread. The credentials you
    pass in are simply ignored.

    In order to get this to work, you need to make the current security context
    have the correct rights to perform the action.

    Joe K.

    "DAve" <> wrote in message
    news:...
    >I want to be able to limit access to a folder in IIS by IP address. I
    > am trying to add IP addresses from a WebMethod to the IPGrant property.
    > Here's my code:
    >
    > DirectoryEntry defaultRoot = new
    > DirectoryEntry("IIS://SERVERNAME/w3svc/1/root/examplefolder",username,password,
    > AuthenticationTypes.Secure);
    > defaultRoot.RefreshCache();
    > object oIPSecurity = defaultRoot.Invoke("Get", new
    > string[]{"IPSecurity"});
    > Type t = oIPSecurity.GetType();
    > //Get the list of granted IPs
    > Array IPs = (Array)t.InvokeMember("IPGrant", BindingFlags.GetProperty,
    > null, oIPSecurity, null);
    > //create a new Array of IPs
    > object[] newIPs = new object[IPs.Length+1];
    > //copy the existing IPs to the new Array
    > IPs.CopyTo(newIPs,0);
    > //add a new value
    > newIPs.SetValue("192.168.0.21",IPs.Length);
    > //Set the new IPlist
    > t.InvokeMember("IPGrant", BindingFlags.SetProperty, null, oIPSecurity,
    > new object[]{newIPs});
    > defaultRoot.Invoke("Put", new object[]{"IPSecurity", oIPSecurity});
    > defaultRoot.CommitChanges();
    >
    > When executed, I get this error:
    >
    > System.UnauthorizedAccessException: Access is denied. at
    > System.DirectoryServices.Interop.IAds.SetInfo() at
    > System.DirectoryServices.DirectoryEntry.CommitChanges()
    >
    > From the research I've done, I'm concerned that the solution to this
    > problem is going to be a security threat. Any thoughts or alternative
    > ideas to accomplish this?
    >
    > Thanks,
    >
    > David
    >
     
    Joe Kaplan (MVP - ADSI), Feb 21, 2005
    #2
  3. To change the current security context - would I accomplish this in my
    web.config or machine.config files? Or would I need to use the
    impersonate method?

    Thanks for your help,

    David

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    David Salonius, Feb 21, 2005
    #3
  4. My web service is running under NT AUTHORITY\NETWORK SERVICE. I've then
    given full control under folder security to that user. Under Advanced
    Security Settings, I've verified that NETWORK SERVICE has full control
    to all permissions. The error still persists. Is this what you're
    referring to?

    Thanks,

    David

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    David Salonius, Feb 21, 2005
    #4
  5. My guess is that you need to be an administrator in order to change the IIS
    metabase. That is normally required.

    Did you consider changing the Application Pool identity to an administrator
    account? That should accomplish your goal, at least for testing purposes.

    However, you may not wish to solve the problem that way. Running your app
    pool as administrator opens you up to some significant security risks. You
    may wish to put the IIS ADSI code in a COM+ component and run that under a
    separate identity with admin privileges. This would allow your main web
    application process to continue running with least privileges (as NETWORK
    SERVICE).

    Joe K.

    "David Salonius" <> wrote in message
    news:...
    >
    > My web service is running under NT AUTHORITY\NETWORK SERVICE. I've then
    > given full control under folder security to that user. Under Advanced
    > Security Settings, I've verified that NETWORK SERVICE has full control
    > to all permissions. The error still persists. Is this what you're
    > referring to?
    >
    > Thanks,
    >
    > David
    >
    > *** Sent via Developersdex http://www.developersdex.com ***
    > Don't just participate in USENET...get rewarded for it!
     
    Joe Kaplan (MVP - ADSI), Feb 21, 2005
    #5
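    An added example (not code from this thread, from Joe K., or from Microsoft) of the split described above: the metabase write lives in a COM+ server application that runs under its own configured identity, while the web application keeps running as NETWORK SERVICE and only calls into it. The class and method names (MetabaseIpGrantWorker, AddGrantedAddress, ToGrantEntry), the COM+ application name "IpGrantWorker" and the GrantService web service are assumptions; the metabase path, the IPSecurity object and the IPGrant property are the ones used in the thread.

```csharp
// Added example, not from the thread. Assumes the IIS 6 metabase ADSI provider
// (IIsIPSecurity) and .NET Framework with System.EnterpriseServices,
// System.DirectoryServices and System.Web.Services referenced.
// Build the worker as a strong-named class library, register it with regsvcs.exe,
// then set the COM+ application's identity (Component Services > Properties >
// Identity) to an account allowed to write the metabase. The web app pool itself
// stays NETWORK SERVICE.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.EnterpriseServices;
using System.Net;
using System.Net.Sockets;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Web.Services;

[assembly: ApplicationName("IpGrantWorker")]                 // hypothetical COM+ app name
[assembly: ApplicationActivation(ActivationOption.Server)]  // out-of-process: own identity
// Role-based checks: only accounts placed in a role of this COM+ application
// (e.g. the web app's NETWORK SERVICE) may activate and call the component.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]

namespace IpGrantWorker
{
    // Runs inside dllhost.exe under the COM+ application's identity, not the
    // caller's, so the web method never needs administrative rights itself.
    [ComVisible(true)]
    public class MetabaseIpGrantWorker : ServicedComponent
    {
        // Hypothetical method: appends one IPv4 host to IPGrant on a metabase node.
        // Returns true if the entry was added, false if it was already present.
        public bool AddGrantedAddress(string metabasePath, string ipAddress)
        {
            string entry = ToGrantEntry(ipAddress);   // throws on invalid input

            // No credentials are passed: as noted in the thread, the IIS provider
            // ignores them and uses the process security context anyway.
            using (DirectoryEntry node = new DirectoryEntry(metabasePath))
            {
                node.RefreshCache();
                object ipSecurity = node.Invoke("Get", new object[] { "IPSecurity" });
                Type t = ipSecurity.GetType();

                Array current = (Array)t.InvokeMember("IPGrant",
                    BindingFlags.GetProperty, null, ipSecurity, null);

                List<object> updated = new List<object>();
                foreach (object existing in current)
                {
                    if (string.Equals(Convert.ToString(existing), entry,
                                      StringComparison.OrdinalIgnoreCase))
                        return false;                 // already granted: no metabase write
                    updated.Add(existing);
                }
                updated.Add(entry);

                t.InvokeMember("IPGrant", BindingFlags.SetProperty, null,
                    ipSecurity, new object[] { updated.ToArray() });
                node.Invoke("Put", new object[] { "IPSecurity", ipSecurity });
                node.CommitChanges();
            }
            return true;
        }

        // IIS stores IPGrant entries as "address, subnet mask" strings; a single
        // host uses a host (255.255.255.255) mask. Only literal IPv4 addresses are
        // accepted, so a caller cannot push a whole network or arbitrary text into
        // the grant list through this method.
        public static string ToGrantEntry(string ipAddress)
        {
            IPAddress parsed;
            if (!IPAddress.TryParse(ipAddress, out parsed) ||
                parsed.AddressFamily != AddressFamily.InterNetwork)
            {
                throw new ArgumentException("Expected a literal IPv4 address.", "ipAddress");
            }
            return parsed.ToString() + ", 255.255.255.255";
        }
    }

    // Caller side (hypothetical web service in the low-privilege web application).
    // The metabase path is fixed server-side rather than taken from the request.
    public class GrantService : WebService
    {
        private const string FolderPath = "IIS://SERVERNAME/w3svc/1/root/examplefolder";

        [WebMethod]
        public bool GrantAddress(string ipAddress)
        {
            using (MetabaseIpGrantWorker worker = new MetabaseIpGrantWorker())
            {
                return worker.AddGrantedAddress(FolderPath, ipAddress);
            }
        }
    }
}
```

    Keeping the metabase path as a server-side constant and validating the address before it reaches ADSI are the two checks that matter most here: the elevated component should accept only the narrowest input the web method actually needs.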
  6. IPGrunt

    IPGrunt Guest

    On 21 Feb 2005, David Salonius <> postulated in
    news::

    >
    > My web service is running under NT AUTHORITY\NETWORK SERVICE. I've then
    > given full control under folder security to that user. Under Advanced
    > Security Settings, I've verified that NETWORK SERVICE has full control
    > to all permissions. The error still persists. Is this what you're
    > referring to?
    >
    > Thanks,
    >
    > David
    >
    > *** Sent via Developersdex http://www.developersdex.com ***
    > Don't just participate in USENET...get rewarded for it!


    Use IIS to manage this for you, by assigning a new application pool
    for this site that impersonates administrator (using LocalSystem as
    Identity). (I use one called AdministrationPool that I keep reserved
    for roles where I need this level of access.)

    Remember, this IS a security hole, so be careful who has access.

    -- ipgrunt
     
    IPGrunt, Feb 21, 2005
    #6
  7. Setting the user in the Application Pool identity to an administrator
    account solved the problem. From what I can tell, as long as my web
    methods folder is locked down to where no one can upload code, this
    should be safe. Is that a fair assessment?

    Thanks,

    David

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    David Salonius, Feb 21, 2005
    #7
  8. I'd make sure you don't use that app pool for any other websites or
    applications on the same server. Always use a different app pool with lower
    privileges for other sites. That will help restrict it as well.

    Other than that, it is up to you to consider whether you need to go to COM+
    or not for additional security. As long as you don't have any other entry
    points into this site and you are comfortable with the security you are
    providing, then I think it can be secure. Just be careful and spend some
    time doing some threat modeling to make sure you don't miss anything.

    Joe K.

    "David Salonius" <> wrote in message
    news:%...
    >
    >
    > Setting the user in the Application Pool identity to an administrator
    > account solved the problem. From what I can tell, as long as my web
    > methods folder is locked down to where no one can upload code, this
    > should be safe. Is that a fair assessment?
    >
    > Thanks,
    >
    > David
    >
    > *** Sent via Developersdex http://www.developersdex.com ***
    > Don't just participate in USENET...get rewarded for it!
     
    Joe Kaplan (MVP - ADSI), Feb 21, 2005
    #8