What permissions needed to launch a COM+ object

Discussion in 'ASP .Net' started by Dave Kolb, Jan 23, 2004.

  1. Dave Kolb

    Dave Kolb Guest

    If I make ASPNET a member of the admins group it can launch my COM+ object
    but I do not want to do that.

    What permissions do I need to set for the lowly ASPNET user so that it can
    launch a COM+ object? I tried playing with COM+ roles in the MMC but not
    with any luck. My COM+ object itself does not do any role checking.

    Thanks,
    Dave
    Dave Kolb, Jan 23, 2004
    #1

  2. Hi Dave,

    You might want to review the last few paragraphs in this article to see how
    to configure the ASPNET account so it can do what it needs and no more:

    HOW TO: Secure an ASP.NET Application by Using Windows Security

    http://support.microsoft.com/default.aspx?scid=kb;en-us;315736


    Ken Cox [Microsoft MVP], Jan 24, 2004
    #2

  3. Here are some steps posted elsewhere by Microsoft to get ASP.NET going
    safely:

    "Basically, this is not recommended because it will make your system
    vulnerable. By running the process as the System account this basically
    means that if anyone were able to get control of this process they would
    have all of the privileges that SYSTEM would have on the server and as you
    know it has many.

    My suggestion would be to create a weak account that has the correct
    permissions, and then configure the <processModel> section of the
    Machine.config file to use that account.

    Here are some simple steps you can follow to grant NTFS permissions.
    Keep in mind that if you are running the 1.0 framework you will need to
    replace v1.1.4322 with v1.0.3705.

    1. Create the domain user and grant it "Log on as a Service", "Log on as a
       Batch Job", "Deny Logon Locally", "Access this Computer from the Network"
    2. Add domain user to the local Users Group
    3. Grant domain user Read access to C:\Winnt\microsoft.net
    4. Grant domain user Full Control to C:\WINNT\TEMP
    5. Grant domain user Full Control to
       C:\winnt\Microsoft.Net\framework\v1.1.4322\Temporary Asp.Net files
    6. Grant domain user Read access to C:\WINNT\Microsoft.Net\Framework\v1.1.4322
    7. Ensure domain user has Read access to
       C:\Winnt\Microsoft.Net\Framework\v1.1.4322\config
    8. Ensure domain user has Read access to C:\Winnt\Assembly
       Note: You should use the following command to add permissions to this
       folder because it is a special folder and does not have a security tab:
       cacls c:\winnt\assembly /e /t /p domain\useraccount:R
    9. Modify c:\winnt\microsoft.net\framework\v1.1.4322\config\machine.config;
       under <processModel> change these lines to read
       userName="domain\user"
       password="password"
    10. Restart IIS for the machine.config changes to take effect.
       You can use the following command to enforce the policy changes without a
       reboot:
       SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE"



    Ken Cox [Microsoft MVP], Jan 24, 2004
    #3
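The NTFS grants and the <processModel> change from steps 3 to 10 above, written as a single script. This is an added example, not from the thread or from Microsoft; the account name, the framework path and the config location are placeholders, and it uses Set-Acl where the original uses cacls.

```powershell
# Added example: least-privilege worker account for ASP.NET 1.1 (steps 3-10 above).
# Placeholders: $Account and $Framework; use v1.0.3705 for the 1.0 framework.
$Account   = 'DOMAIN\aspnet_svc'
$Framework = 'C:\WINNT\Microsoft.Net\Framework\v1.1.4322'

function Grant-FolderRight {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    # Inherit to subfolders and files (like cacls /t); add, do not replace (like cacls /e)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read-only where the account only needs to load code and configuration (steps 3, 6, 7, 8)
foreach ($p in 'C:\WINNT\Microsoft.Net', $Framework, "$Framework\config", 'C:\WINNT\Assembly') {
    Grant-FolderRight -Path $p -Account $Account -Rights ReadAndExecute
}
# Full Control only where the worker process must write (steps 4, 5)
foreach ($p in 'C:\WINNT\TEMP', "$Framework\Temporary ASP.NET Files") {
    Grant-FolderRight -Path $p -Account $Account -Rights FullControl
}

# Step 9: point <processModel> at the account. The password is prompted for at run
# time so that it is never stored in this script.
$cred   = Get-Credential -UserName $Account -Message 'Worker process account'
$config = "$Framework\config\machine.config"
[xml]$xml = Get-Content -Path $config
$pm = $xml.configuration.'system.web'.processModel
$pm.SetAttribute('userName', $Account)
$pm.SetAttribute('password', $cred.GetNetworkCredential().Password)
$xml.Save($config)

# Step 10: restart IIS so the new identity is picked up
iisreset
```

The password still ends up in clear text in machine.config; on .NET 1.1 the aspnet_setreg.exe tool (KB 329290) can store it encrypted in the registry instead and the attributes then reference the registry key.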
  4. Dave Kolb

    Dave Kolb Guest

    Thanks for the suggestions Ken.

    I found that I could merely give ASPNET read access to the COM+ DLL I
    registered and then assign a role to the COM+ component allowing only a
    particular local impersonated user to have access. That way I have a
    reasonably secure COM object that I can run as a separate identity to do the
    network access I require, while keeping the rest of ASPNET as a lowly user
    rather than running it as SYSTEM, as my cohorts were doing in order to get
    network access. You have to impersonate the local user in order to access
    the COM+ object.

    I will also review your suggestions.

    Thanks,
    Dave

    Dave Kolb, Jan 24, 2004
    #4
  5. Dave Kolb

    Dave Kolb Guest

    Oops - that was not clear. Though I could have ASPNET run the COM+ object, I
    actually impersonate a local user and give that user only access to the COM+
    object. That way only certain web apps can run the object. Dave

    Dave Kolb, Jan 24, 2004
    #5
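The arrangement Dave describes in #4 and #5, as an added example that is not Dave's code: COM+ role-based security on the component so that only the one local account the web app impersonates can call it. The application name, ProgID, role name and account are placeholders; it drives the COM+ catalog through the COMAdmin.COMAdminCatalog object.

```powershell
# Added example: restrict a COM+ component to the single account ASP.NET impersonates.
# In the web app, web.config carries <identity impersonate="true" userName="..." password="..."/>
# for that same account. All names below are placeholders.
$AppName  = 'MyNetworkApp'                       # COM+ application holding the component
$ProgId   = 'MyCompany.NetworkHelper'            # component registered in it
$RoleName = 'WebCallers'
$Account  = "$env:COMPUTERNAME\web_netaccess"    # local user the web app impersonates

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications'); $apps.Populate()
$app = @($apps | Where-Object { $_.Value('Name') -eq $AppName })[0]
if (-not $app) { throw "COM+ application '$AppName' not found" }

# Enforce access checks down to component level (1 = application and component level)
$app.Value('ApplicationAccessChecksEnabled') = $true
$app.Value('AccessChecksLevel') = 1
$apps.SaveChanges() | Out-Null

# Create the role and put only the impersonated account in it
$roles = $apps.GetCollection('Roles', $app.Key); $roles.Populate()
$role = @($roles | Where-Object { $_.Value('Name') -eq $RoleName })[0]
if (-not $role) {
    $role = $roles.Add(); $role.Value('Name') = $RoleName; $roles.SaveChanges() | Out-Null
}
$users = $roles.GetCollection('UsersInRole', $role.Key); $users.Populate()
if (-not ($users | Where-Object { $_.Value('User') -eq $Account })) {
    $u = $users.Add(); $u.Value('User') = $Account; $users.SaveChanges() | Out-Null
}

# Bind the role to the component so membership is checked on every call
$comps = $apps.GetCollection('Components', $app.Key); $comps.Populate()
$comp = @($comps | Where-Object { $_.Value('ProgID') -eq $ProgId })[0]
if (-not $comp) { throw "Component '$ProgId' not found in '$AppName'" }
$comp.Value('ComponentAccessChecksEnabled') = $true
$comps.SaveChanges() | Out-Null
$rfc = $comps.GetCollection('RolesForComponent', $comp.Key); $rfc.Populate()
if (-not ($rfc | Where-Object { $_.Value('Name') -eq $RoleName })) {
    $r = $rfc.Add(); $r.Value('Name') = $RoleName; $rfc.SaveChanges() | Out-Null
}
```

Any caller outside the role, including the plain ASPNET account, is refused by COM+ at activation or call time, so the network-capable identity is reachable only from pages that impersonate the named account.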
