Want to Reboot server from ASPX page

Discussion in 'ASP .Net' started by Terry, Apr 18, 2004.

  1. I am developing an asp.net web based service application for our product.
    I am trying to trigger a reboot of the server based on a user request.
    I believe I have all the appropriate code for AdjustingTokens etc and
    all those calls seem to succeed, however, the final call to ExitWindowsEx
    is failing with 'Access Denied'.

    In my machine.config, I have already set the userName to 'System' as I
    seem to require this for some other functionality I implemented. I also tried
    to impersonate a local user account with admin privileges via my application's
    web.config file but that failed as well with the same 'Access Denied' (by the
    way what exactly does 'impersonate' in the web.config do when the machine.config
    file already lets me specify the user as 'SYSTEM'?)

    I expect there is some other security thing that I need to twiddle ... any ideas greatly
    appreciated (with as much detail as possible, I am very new to this whole web security
    stuff).

    Thanks,

    Terry
    Terry, Apr 18, 2004
    #1

  2. Chris Botha Guest

    Terry, first get the code to run in a normal Windows App, so you know that
    it works.
    After that, it should be a security issue, and impersonation should work,
    but you also have to switch off anonymous access to the virtual directory
    for impersonation to work.
    To ensure that your impersonation is set up correctly, add a test call
    somewhere in a form, returning the current user, and check that it is what
    you expect (not the anonymous, or ASP.NET user, etc). To get the current
    user, call
    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    "Terry" <> wrote in message
    news:...
    > I am developing an asp.net web based service application for our product.
    > I am trying to trigger a reboot of the server based on a user request.
    > I believe I have all the appropriate code for AdjustingTokens etc and
    > all those calls seem to succeed, however, the final call to ExitWindowsEx
    > is failing with 'Access Denied'.
    >
    > In my machine.config, I have already set the userName to 'System' as I
    > seem to require this for some other functionality I implemented. I also tried
    > to impersonate a local user account with admin privileges via my application's
    > web.config file but that failed as well with the same 'Access Denied' (by the
    > way what exactly does 'impersonate' in the web.config do when the machine.config
    > file already lets me specify the user as 'SYSTEM'?)
    >
    > I expect there is some other security thing that I need to twiddle ... any ideas greatly
    > appreciated (with as much detail as possible, I am very new to this whole web security
    > stuff).
    >
    > Thanks,
    >
    > Terry
    Chris Botha, Apr 18, 2004
    #2

  3. OK, I have verified that the shutdown related code is working fine from
    a regular app.

    How do I switch off anonymous access to the virtual directory?
    Are you talking about adding a statement like <deny user="?">
    in my web.config file or are you talking about a setting in
    the IIS Service Mgr.

    I am using a simple application based 'Forms' authentication.
    In this case if I use <identity impersonate="true" /> who would
    it be impersonating ... or in this case because I am using Forms
    authentication would I have to spell all that out like
    <identity impersonate="true" userName="abc" password="def">

    I am still a little puzzled by all this impersonate stuff ... if you do
    impersonation what is the point of setting the user='SYSTEM' in
    the machine.config file?

    Thanks,

    Terry

    Terry, Apr 18, 2004
    #3
  4. Chris Botha Guest

    I don't think impersonation works with forms authentication, but I may be
    wrong, always some surprise somewhere (it works with Integrated Windows auth,
    as well as Basic Auth).
    To switch anonymous access off, run IIS Service Manager, find your Web App
    under the Default Web Site, right click on it, properties, then Directory
    Security, then hit the top edit button and uncheck the anonymous access.
    After doing this, hitting the page with IE, if you are not an authenticated
    user, you will be prompted to sign in (if you are authenticated, it won't
    prompt you), and that will be the user impersonated (unless you specified a
    username/password on the impersonate line in the web.config file).

    Second solution, I'm not sure if it will work, but it may, write an ActiveX
    dll, install it in COM+ specifying the credentials it should run under, and
    call it from your aspx page. Beware that if it works, anyone hitting the
    page can re-boot the computer.

    I don't know what setting the "user='SYSTEM'" in the machine.config does.

    Chris Botha, Apr 18, 2004
    #4
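
The identity check suggested earlier in the thread, expanded into a diagnostic handler that separates the application user, the IIS logon token, the impersonated thread token and the worker-process account, and gates the privileged action on an explicit role. This is an added example, not code posted by anyone in the thread; it assumes ASP.NET on .NET Framework 2.0 or later in full trust, and `WhoAmIHandler`, `Describe`, `MayReboot` and the `ServerOperators` role are hypothetical names.

```csharp
// Added example; WhoAmIHandler, Describe, MayReboot and "ServerOperators" are hypothetical names.
// Assumes ASP.NET on .NET Framework 2.0+ in full trust, deployed as an .ashx handler.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    private const string RebootRole = "ServerOperators"; // assumed role name
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The report names service accounts, so only answer requests made on the server itself.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        StringBuilder report = new StringBuilder();

        // Who the application authenticated (Forms ticket, Windows login, ...).
        IIdentity appUser = context.User == null ? null : context.User.Identity;
        report.AppendLine("Application user: " + Describe(appUser));

        // Windows token IIS attached to the request. With anonymous access enabled
        // this is the anonymous account, regardless of any Forms login.
        report.AppendLine("IIS logon token : " + Describe(context.Request.LogonUserIdentity));

        // Thread token only: null means the request is not being impersonated.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent(true))
        {
            report.AppendLine("Impersonated as : " + Describe(thread));
        }

        // Drop impersonation for a moment to read the worker-process account.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Process account : " + Describe(process));
        }

        report.AppendLine("May reboot      : " + MayReboot(context.User));
        context.Response.ContentType = "text/plain";
        context.Response.Write(report.ToString());
    }

    // Gate for the privileged action: an authenticated caller in an explicit role.
    public static bool MayReboot(IPrincipal user)
    {
        return user != null && user.Identity != null
            && user.Identity.IsAuthenticated && user.IsInRole(RebootRole);
    }

    private static string Describe(IIdentity id)
    {
        if (id == null) return "(none)";
        string name = string.IsNullOrEmpty(id.Name) ? "(anonymous)" : id.Name;
        return name + " [auth=" + id.AuthenticationType
            + ", authenticated=" + id.IsAuthenticated + "]";
    }
}
```

Requesting it once with anonymous access enabled and once with it disabled shows, in the `IIS logon token` and `Impersonated as` lines, which account `<identity impersonate="true" />` picks up under each setting.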
  5. Sharon Guest

    maybe this way will work:

    aspx page
    =========
    <%@ Page Language="cs" %>
    <%@ import namespace="System.Threading" %>
    <%@ import namespace="test" %>

    <%
        string[] passArr = new string[2]{"arr val 1", "arr val 2"};

        // Start a background thread that keeps running after the page has rendered.
        ThreadProc tp = new ThreadProc(passArr);
        Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
        t.Start();
    %>
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>

    thread class
    ==========
    using System.Threading;
    using System.IO;

    namespace test
    {
        public class ThreadProc
        {
            private string[] m_dispStrArr;

            public ThreadProc(string[] inStrArr) {
                m_dispStrArr = inStrArr;
            }

            public void ThreadProcStart() {
                for (int i = 0; i < 20; i++)
                {
                    // Append one line per second to log.txt in the application directory.
                    StreamWriter fsw = File.AppendText(
                        System.AppDomain.CurrentDomain.BaseDirectory + "\\log.txt");
                    fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
                        + " i: " + i);
                    fsw.Close();
                    fsw = null;

                    Thread.Sleep(1000);
                }
            }
        }
    }

    it works but, maybe you can find a flaw?

    Sharon, Apr 19, 2004
    #5
  6. Sharon Guest

    sorry, wrong thread.

    Sharon, Apr 19, 2004
    #6