Want to Reboot server from ASPX page

Discussion in 'ASP .Net Security' started by Terry, Apr 18, 2004.

  1. Terry

    Terry Guest

    I am developing an ASP.NET web based service application for our product.
    I am trying to trigger a reboot of the server based on a user request.
    I believe I have all the appropriate code for AdjustingTokens etc and
    all those calls seem to succeed, however, the final call to ExitWindowsEx
    is failing with 'Access Denied'.

    In my machine.config, I have already set the userName to 'System' as I
    seem to require this for some other functionality I implemented. I also tried
    to impersonate a local user account with admin privileges via my application's
    web.config file but that failed as well with the same 'Access Denied' (by the
    way what exactly does 'impersonate' in the web.config do when the machine.config
    file already lets me specify the user as 'SYSTEM'?)

    I expect there is some other security thing that I need to twiddle ... any ideas greatly
    appreciated (with as much detail as possible, I am very new to this whole web security
    stuff).

    Thanks,

    Terry
     
    Terry, Apr 18, 2004
    #1

  2. Terry

    Chris Botha Guest

    Terry, first get the code to run in a normal Windows App, so you know that
    it works.
    After that, it should be a security issue, and impersonation should work,
    but you also have to switch off anonymous access to the virtual directory
    for impersonation to work.
    To ensure that your impersonation is set up correctly, add a test call
    somewhere in a form, returning the current user, and check that it is what
    you expect (not the anonymous, or ASP.NET user, etc). To get the current
    user, call
    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    "Terry" <> wrote in message
    news:...
    > I am developing an ASP.NET web based service application for our product.
    > I am trying to trigger a reboot of the server based on a user request.
    > I believe I have all the appropriate code for AdjustingTokens etc and
    > all those calls seem to succeed, however, the final call to ExitWindowsEx
    > is failing with 'Access Denied'.
    >
    > In my machine.config, I have already set the userName to 'System' as I
    > seem to require this for some other functionality I implemented. I also tried
    > to impersonate a local user account with admin privileges via my application's
    > web.config file but that failed as well with the same 'Access Denied' (by the
    > way what exactly does 'impersonate' in the web.config do when the machine.config
    > file already lets me specify the user as 'SYSTEM'?)
    >
    > I expect there is some other security thing that I need to twiddle ... any ideas greatly
    > appreciated (with as much detail as possible, I am very new to this whole web security
    > stuff).
    >
    > Thanks,
    >
    > Terry
    >
     
    Chris Botha, Apr 18, 2004
    #2

  3. Terry

    Terry Guest

    OK, I have verified that the shutdown related code is working fine from
    a regular app.

    How do I switch off anonymous access to the virtual directory?
    Are you talking about adding a statement like <deny user="?">
    in my web.config file or are you talking about a setting in
    the IIS Service Mgr.

    I am using a simple application based 'Forms' authentication.
    In this case if I use <identity impersonate="true" /> who would
    it be impersonating ... or in this case because I am using Forms
    authentication would I have to spell all that out like
    <identity impersonate="true" userName="abc" password="def">

    I am still a little puzzled by all this impersonate stuff ... if you do
    impersonation what is the point of setting the user='SYSTEM' in
    the machine.config file?

    Thanks,

    Terry

    ----- Chris Botha wrote: -----

    Terry, first get the code to run in a normal Windows App, so you know that
    it works.
    After that, it should be a security issue, and impersonation should work,
    but you also have to switch off anonymous access to the virtual directory
    for impersonation to work.
    To ensure that your impersonation is set up correctly, add a test call
    somewhere in a form, returning the current user, and check that it is what
    you expect (not the anonymous, or ASP.NET user, etc). To get the current
    user, call
    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    "Terry" <> wrote in message
    news:...
    > I am developing an ASP.NET web based service application for our product.
    > I am trying to trigger a reboot of the server based on a user request.
    > I believe I have all the appropriate code for AdjustingTokens etc and
    > all those calls seem to succeed, however, the final call to ExitWindowsEx
    > is failing with 'Access Denied'.
    >
    > In my machine.config, I have already set the userName to 'System' as I
    > seem to require this for some other functionality I implemented. I also tried
    > to impersonate a local user account with admin privileges via my application's
    > web.config file but that failed as well with the same 'Access Denied' (by the
    > way what exactly does 'impersonate' in the web.config do when the machine.config
    > file already lets me specify the user as 'SYSTEM'?)
    >
    > I expect there is some other security thing that I need to twiddle ... any ideas greatly
    > appreciated (with as much detail as possible, I am very new to this whole web security
    > stuff).
    >
    > Thanks,
    >
    > Terry
    >
     
    Terry, Apr 18, 2004
    #3
  4. If you are using Forms authentication and have impersonation enabled, you
    are impersonating the anonymous user configured in IIS to be used for
    anonymous requests (IUSR_MACHINENAME by default).

    If you need SYSTEM privileges to do what you need to do, you must not
    impersonate the anonymous user. You could set the processModel to SYSTEM
    (like you said you did before) and that should work, as the processModel
    account is the account the request runs under when you are not
    impersonating.

    However, running under SYSTEM is generally not a good idea for other
    security reasons. It is probably a better idea to create a COM+ component
    that does the required functionality and run that with an identity with the
    correct permissions. Then, you would call that COM+ component from your
    application.

    It is hard for me to imagine why you would want to allow a remote web
    request to reboot the server, but I guess we'll help you do that if that's
    what you want...

    Joe K.

    "Terry" <> wrote in message
    news:...
    > OK, I have verified that the shutdown related code is working fine from
    > a regular app.
    >
    > How do I switch off anonymous access to the virtual directory?
    > Are you talking about adding a statement like <deny user="?">
    > in my web.config file or are you talking about a setting in
    > the IIS Service Mgr.
    >
    > I am using a simple application based 'Forms' authentication.
    > In this case if I use <identity impersonate="true" /> who would
    > it be impersonating ... or in this case because I am using Forms
    > authentication would I have to spell all that out like
    > <identity impersonate="true" userName="abc" password="def">
    >
    > I am still a little puzzled by all this impersonate stuff ... if you do
    > impersonation what is the point of setting the user='SYSTEM' in
    > the machine.config file?
    >
    > Thanks,
    >
    > Terry
    >
    > ----- Chris Botha wrote: -----
    >
    > Terry, first get the code to run in a normal Windows App, so you know that
    > it works.
    > After that, it should be a security issue, and impersonation should work,
    > but you also have to switch off anonymous access to the virtual directory
    > for impersonation to work.
    > To ensure that your impersonation is set up correctly, add a test call
    > somewhere in a form, returning the current user, and check that it is what
    > you expect (not the anonymous, or ASP.NET user, etc). To get the current
    > user, call
    > System.Security.Principal.WindowsIdentity.GetCurrent().Name
    >
    > "Terry" <> wrote in message
    > news:...
    > > I am developing an ASP.NET web based service application for our product.
    > > I am trying to trigger a reboot of the server based on a user request.
    > > I believe I have all the appropriate code for AdjustingTokens etc and
    > > all those calls seem to succeed, however, the final call to ExitWindowsEx
    > > is failing with 'Access Denied'.
    > >
    > > In my machine.config, I have already set the userName to 'System' as I
    > > seem to require this for some other functionality I implemented. I also tried
    > > to impersonate a local user account with admin privileges via my application's
    > > web.config file but that failed as well with the same 'Access Denied' (by the
    > > way what exactly does 'impersonate' in the web.config do when the machine.config
    > > file already lets me specify the user as 'SYSTEM'?)
    > >
    > > I expect there is some other security thing that I need to twiddle ... any ideas greatly
    > > appreciated (with as much detail as possible, I am very new to this whole web security
    > > stuff).
    > >
    > > Thanks,
    > >
    > > Terry
    > >
     
    Joe Kaplan (MVP - ADSI), Apr 19, 2004
    #4
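
The identity check Chris Botha suggests and the account layers Joe Kaplan describes can be seen side by side with a small diagnostic handler. This is an added example, not code from any poster in the thread; the handler name `WhoAmIHandler` is hypothetical, and it assumes .NET Framework 2.0 or later (for `Request.IsLocal` and `string.IsNullOrEmpty`) on IIS 5/6.

```csharp
// Added example (not from the thread): reports which account each layer resolves to.
// WhoAmIHandler is a hypothetical name; register it as an HTTP handler to use it.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are useful reconnaissance data: answer local requests only.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 1. Thread identity: the impersonated account when <identity impersonate="true" />
        //    is in effect, otherwise the worker-process account.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // 2. Worker-process identity (machine.config <processModel userName=...>).
        //    Impersonating a zero token is equivalent to RevertToSelf.
        string processUser;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try { processUser = WindowsIdentity.GetCurrent().Name; }
        finally { reverted.Undo(); }   // restore the impersonated token

        // 3. Windows account IIS authenticated; empty when anonymous access served the request.
        string iisUser = context.Request.ServerVariables["LOGON_USER"];

        // 4. Application-level principal (the Forms login name under Forms authentication).
        IIdentity appUser = context.User == null ? null : context.User.Identity;

        context.Response.ContentType = "text/plain";
        context.Response.Write("Thread (effective) identity : " + threadUser + "\r\n");
        context.Response.Write("Worker-process identity     : " + processUser + "\r\n");
        context.Response.Write("IIS LOGON_USER              : " +
            (string.IsNullOrEmpty(iisUser) ? "(anonymous)" : iisUser) + "\r\n");
        context.Response.Write("Application user            : " +
            (appUser != null && appUser.IsAuthenticated
                ? appUser.Name + " [" + appUser.AuthenticationType + "]"
                : "(not authenticated)") + "\r\n");
    }
}
```

With Forms authentication and `<identity impersonate="true" />`, the first line shows the IIS anonymous account while the last shows the Forms login name, which is the situation Joe Kaplan describes; a privileged call such as ExitWindowsEx is checked against the first line, not the last.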