Want to Reboot server from ASPX page

[Guest]

I am developing a asp.net web based service application for our product
I am trying to trigger a reboot of the server based on a user request
I believe I have all the appropriate code for AdjustingTokens etc an
all those calls seem to succeed, however, the final call to ExitWindowsE
is failing with 'Access Denied'

In my machine.config, I have already set the userName to 'System' as
seem to require this for some other functionality I implemented. I also trie
to impersonate a local user account with admin priviledges via my application
web.config file but that failed as well with the same 'Access Denied' (by th
way what exactly does 'impersonate' in the web.config do when the machine.config
file already lets me specify the user as 'SYSTEM'?

I expect there is some other security thing that I need to twiddle ... any ideas greatl
appreciated (with as much detail as possible, I am very new to this whole web securit
stuff)

Thanks

Terr

 

[Chris Botha]

Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurrent().Name

 

[Guest]

OK, I have verified that the shutdown related code is working fine from
a regular app.

How do I switch off anonymous access to the virtual directory?
Are you talking about adding a statement like <deny user="?">
in my web.config file or are you talking about a setting in
the IIS Service Mgr.

I am using a simple application based 'Forms' authentication.
In this case if I use <identity impersonate="true" /> who would
it be impersonating ... or in this case because I am using Forms
authentication would I have to spell all that out like
<identity impersonate="true" userName="abc" password="def">

I am still a little puzzled by all this impersonate stuff ... if you do
impersonation what is the point of setting the user='SYSTEM' in
the machine.config file?

Thanks,

Terry

----- Chris Botha wrote: -----

Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurrent().Name

 

[Chris Botha]

I don't think impersonation works with forms authentication, but I may be
wrong, always some surprise somewhere (it works with Integrated Widows auth,
as well as Basic Auth).
To switch anonymous access off, run IIS Service Manager, find your Web App
under the Default Web Site, right click on it, properties, then Directory
Security, then hit the top edit button and uncheck the anonymous access.
After doing this, hitting the page with IE, if you are not an authenticated
user, you will be prompted to sign in (if you are authenticated, it won't
prompt you), and that will be the user impersonated (unless you specified a
username/password on the impersonate line in the web.config file).

Second solution, I'm not sure if it will work, but it may, write an ActiveX
dll, install it in COM+ specifying the credentials it should run under, and
call it from your aspx page. Beware that if it works, anyone hitting the
page can re-boot the computer.

I don't know what setting the "user='SYSTEM'" in the machine.config does.

 

[Sharon]

maybe this way will work:

aspx page
=========
<%@ Page Language="cs" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="test" %>

<%
string[] passArr = new string[2]{"arr val 1", "arr val 2"};

ThreadProc tp = new ThreadProc(passArr);
Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
t.Start();
%>
<html>
<head>
</head>
<body>
</body>
</html>

thread class
==========
using System.Threading;
using System.IO;

namespace test
{
public class ThreadProc
{
private string[] m_dispStrArr;

public ThreadProc(string[] inStrArr) {
m_dispStrArr = inStrArr;
}

public void ThreadProcStart() {
for (int i = 0; i < 20; i++)
{
StreamWriter fsw =
File.AppendText(System.AppDomain.CurrentDomain.BaseDirectory + "\\log.txt");
fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
+ " i: " + i);
fsw.Close();
fsw = null;

Thread.Sleep(1000);
}
}
}
}

it works but, maybe you can find a flaw?

 

[Sharon]

sorry, wrong thread.

maybe this way will work:

aspx page
=========
<%@ Page Language="cs" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="test" %>

<%
string[] passArr = new string[2]{"arr val 1", "arr val 2"};

ThreadProc tp = new ThreadProc(passArr);
Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
t.Start();
%>
<html>
<head>
</head>
<body>
</body>
</html>

thread class
==========
using System.Threading;
using System.IO;

namespace test
{
public class ThreadProc
{
private string[] m_dispStrArr;

public ThreadProc(string[] inStrArr) {
m_dispStrArr = inStrArr;
}

public void ThreadProcStart() {
for (int i = 0; i < 20; i++)
{
StreamWriter fsw =
File.AppendText(System.AppDomain.CurrentDomain.BaseDirectory + "\\log.txt");
fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
+ " i: " + i);
fsw.Close();
fsw = null;

Thread.Sleep(1000);
}
}
}
}

it works but, maybe you can find a flaw?

I don't think impersonation works with forms authentication, but I may be
wrong, always some surprise somewhere (it works with Integrated Widows auth,
as well as Basic Auth).
To switch anonymous access off, run IIS Service Manager, find your Web App
under the Default Web Site, right click on it, properties, then Directory
Security, then hit the top edit button and uncheck the anonymous access.
After doing this, hitting the page with IE, if you are not an authenticated
user, you will be prompted to sign in (if you are authenticated, it won't
prompt you), and that will be the user impersonated (unless you

specified

a
username/password on the impersonate line in the web.config file).

Second solution, I'm not sure if it will work, but it may, write an ActiveX
dll, install it in COM+ specifying the credentials it should run under, and
call it from your aspx page. Beware that if it works, anyone hitting the
page can re-boot the computer.

I don't know what setting the "user='SYSTEM'" in the machine.config does.

know should
work,

it

is etc
and 'System'
as I

implemented.

I twiddle
... any this