Why is "Act as part of the operating system" dangerous?

Discussion in 'ASP .Net Security' started by Arturo, Apr 13, 2004.

  1. Arturo

    Arturo Guest

    Hello everybody:

    I have a question: Why is "Act as part of the operating system"
    dangerous? I have an application that will go live on Windows 2000,
    and it impersonates a user; I have to enable it (it copies some files
    in the server and creates a new IIS application on the server. That's
    why it needs to impersonate a user) I am using LogonUser.

    Thanks!

    Arturo
     
    Arturo, Apr 13, 2004
    #1

  2. Act as Part of the Operating System allows the account to do stuff directly
    in kernel mode, bypassing the entire Windows security system if it wants to.
    Essentially, the account is equivalent to SYSTEM.

    Does that answer the question adequately?

    Did you consider the possibility of factoring out this code into a separate
    component that could run under COM+ so that you could specify a particular
    identity to run as? That would be much more secure? Alternately, moving to
    2003 server fixes this problem as well.

    Joe K.

    "Arturo" <> wrote in message
    news:...
    > Hello everybody:
    >
    > I have a question: Why is "Act as part of the operating system"
    > dangerous? I have an application that will go live on Windows 2000,
    > and it impersonates a user; I have to enable it (it copies some files
    > in the server and creates a new IIS application on the server. That's
    > why it needs to impersonate a user) I am using LogonUser.
    >
    > Thanks!
    >
    > Arturo
     
    Joe Kaplan (MVP - ADSI), Apr 13, 2004
    #2
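
To see which accounts on a server have been granted this right, the user-rights export written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` can be checked for holders of `SeTcbPrivilege`, the internal name of "Act as part of the operating system". This is an added example, not part of the original thread; the sample export, the host and account names, and the allow-list are constructed assumptions.

```python
# Added example: flag unexpected holders of SeTcbPrivilege in a secedit export.

# Principals allowed to hold the right (assumption: LocalSystem only).
ALLOWED = {"*S-1-5-18"}

# Constructed sample of a secedit user-rights export (not real data).
# A real export is usually UTF-16; read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-18,WEBSRV01\\svc_webapp,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def unexpected_holders(inf_text, right="SeTcbPrivilege", allowed=ALLOWED):
    """List principals holding `right` that are not on the allow-list."""
    holders = parse_privilege_rights(inf_text).get(right, [])
    return [h for h in holders if h.upper() not in allowed]


if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_INF):
        print("SeTcbPrivilege granted to:", principal)
```

An export with no `SeTcbPrivilege` line means the right is not explicitly assigned to any account, and the check returns an empty list.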

  3. Arturo

    Arturo Guest

    > Act as Part of the Operating System allows the account to do stuff directly
    > in kernel mode, bypassing the entire Windows security system if it wants to.
    > Essentially, the account is equivalent to SYSTEM.


    Thanks, Joe. I think I will create a console application and call it.
    That's the easiest solution so far. Thanks!

    Arturo
     
    Arturo, Apr 14, 2004
    #3