The .NET Framework is installed in IIS and uses its default installation, i.e. everything is in inetpub/wwwroot.
Everyone worth their 2 cents will tell you that an experienced web administrator will change the default folder name of inetpub/wwwroot, as the basic DOS attack is launched from there.
If the web server has its wwwroot name changed to something other than the default, asp.net will NOT work with the default .NET Framework installation, and because asp.net is designed to work with classic asp, we are not supposed to change the asp.net default configuration from the IIS MMC. We are supposed to do it with the XML-based machine.config file.
Does anyone know how to change it so that ASP.NET will work on aspx pages in a web folder changed from inetpub/wwwroot?

I'm not much of an admin, but couldn't you just create a website in a directory other than wwwroot and delete the default, all through IIS?
You should be able to create a virtual directory for your app anywhere you want... unless I don't quite understand what you are asking. :confused:
True Cander, ASP.NET will work on any Website and any virtual directory.
"Everyone worth their 2 cents will tell you that an experienced web administrator will change the default folder name of inetpub/wwwroot as the basic DOS attack is launched from there."
SoftwareMaker, what you're saying doesn't make any sense at all. What has the name of your website, or the mapping of that website to a physical location on the filesystem, to do with a DOS attack? Nothing!
Ok, let me explain.
A basic DOS attack comes from fooling the server into executing a command on the server, e.g. cmd.exe (execute your command here).
In IIS 4 without any patches, an attack can be sent to the server from the browser address bar to run a command on the server. Of course, any commands have to be valid and run from a valid directory. In IIS 4, the server could not parse apart certain strings (a long story: fool the // with %20 or so on). So technically, if you can get to the root of the directory, bingo, you can execute the cmd.exe command. With IIS, the root is always inetpub/wwwroot.
Experienced administrators in enterprises change all the default settings of the default folder (of course enterprises don't use IIS for their server) to escape this form of attack. Of course, the new server software is better now, BUT still people do change the default name of the webroot just to be safe...
Ask around and you will see most of them do.
SoftwareMaker, from the sounds of it, your defense only goes as deep as the level you nest your home directory in. On top of that, I think that any web admin "worth their 2 cents" would actually apply any patches the second they're available.
Yep, you're right Shawn.
Anyway, it seems people take offense at my statement about the 2 cents worth... It's just a figure of speech. It is not meant to offend anyone.
"A basic DOS attack comes from fooling the Server to execute a command on the server...eg.cmd.exe...(execute your command here)"
SoftwareMaker, that's not true!!
What you're talking about is a known buffer overflow bug in IIS. A DOS attack is a totally different thing.
DOS attacks occur when a system is flooded with traffic to the point that it is unable to process legitimate service requests.
OK gijsj, you're right...
I have managed to solve the problem of this thread.
Thanks everyone
Saturday, March 31, 2012
Saturday, March 24, 2012
Web service Impersonation?
When I set up impersonation in the web.config file and specify a user and
password I get strange results. This line of code will get me the user
account I set to impersonate:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
This line of code will get me my user account every time:
System.Threading.Thread.CurrentPrincipal.Identity.Name
What's the difference? Shouldn't they both be the user I am trying to
impersonate?
Thanks
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m

Frank,
No, they should not. When you impersonate through the WindowsIdentity
object, it does not change the current principal on the thread. The reason
for this is that you can have different implementations of IPrincipal which
don't necessarily map to windows users and groups. To that end, having
WindowsIdentity change the current thread's principal would be wrong.
Hope this helps.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account every time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Thanks Nicholas,
But how do you know which Principal is being used by your code? Let's say I
have a routine that writes a file to the local directory, how do I ensure
that code is using my impersonated users rights?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote in
message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
> Frank,
> No, they should not. When you impersonate through the WindowsIdentity
> object, it does not change the current principal on the thread. The reason
> for this is that you can have different implementations of IPrincipal which
> don't necessarily map to windows users and groups. To that end, having
> WindowsIdentity change the current thread's principal would be wrong.
> Hope this helps.
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - mvp@.spam.guard.caspershouse.com
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
is your server trusted for delegation?
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account every time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Frank,
The code will use the rights of whomever the thread is currently running
under. If you always want to base this on the Windows identity, you can
call the static GetCurrent method on the WindowsIdentity type, passing true
for the ifImpersonating parameter.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5d307$1_1@.mcse.ms...
> Thanks Nicholas,
> But how do you know which Principal is being used by your code? Let's say I
> have a routine that writes a file to the local directory, how do I ensure
> that code is using my impersonated users rights?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote
> in message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
asp.net separates the thread identity from the authenticated user identity.
when the user is authenticated (not anonymous), you have three options:
1) the thread runs as the asp.net account (default)
2) the thread impersonates the authenticated account (must use windows
authentication). set impersonate=true in web config
3) the thread impersonates the account specified in the web config.
you picked the third option, so the CurrentPrincipal is the authenticated
account and WindowsIdentity is the thread identity.
note: CurrentPrincipal is a WindowsIdentity only if windows authentication is
used.
-- bruce (sqlwork.com)
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
| When I set up impersonation in the web.config file and specify a user and
| password I get strange results. This line of code will get me the user
| account I set to impersonate:
| System.Security.Principal.WindowsIdentity.GetCurrent().Name
|
| This line of code will get me my user account every time:
|
| System.Threading.Thread.CurrentPrincipal.Identity.Name
|
| What's the difference? shouldn't they both be the user I am trying to
| impersonate?
|
| Thanks
|
|
| Frank Wisniewski MCSE 4.0, MCP+I, A+
| f p w 2 3 @. h o t m a i l . c o m
|
|
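The three identities bruce lists, and the GetCurrent(true) call Nicholas mentions, as an added example that is not code from the thread. It is a Web Forms page assuming Windows authentication and a web.config <identity impersonate="true" userName="DOMAIN\svc_app" password="..."/> element, where DOMAIN\svc_app is a placeholder service account.

```csharp
// Added example, not code from the thread. Reports the identities discussed
// above, assuming this (placeholder) web.config:
//   <authentication mode="Windows" />
//   <identity impersonate="true" userName="DOMAIN\svc_app" password="..." />
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Thread (OS) identity. With a userName in <identity>, this is the
        // configured service account, whoever the caller is (option 3).
        string threadName = WindowsIdentity.GetCurrent().Name;
        // Same lookup, but null unless the thread is really impersonating;
        // null means code runs as the worker process account (option 1).
        WindowsIdentity imp = WindowsIdentity.GetCurrent(true);
        string impName = (imp == null) ? "(not impersonating)" : imp.Name;
        // ASP.NET's authenticated caller (same object as HttpContext.Current.User);
        // the <identity> element never changes it.
        string principalName = Thread.CurrentPrincipal.Identity.Name;

        // NTFS checks use the thread identity, so this write succeeds or
        // fails on the configured account's rights, not the caller's.
        string logPath = Server.MapPath("~/App_Data/whoami.txt");
        File.WriteAllText(logPath, "thread=" + threadName + " caller=" + principalName);

        // Option 2 by hand: run one block as the caller instead. Needs Windows
        // authentication; touching a remote resource from inside it also needs
        // the server trusted for delegation, as the thread notes.
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        bool callerCanRead = false;
        if (caller != null && caller.IsAuthenticated)
        {
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                callerCanRead = File.Exists(logPath); // evaluated with the caller's rights
            } // Dispose() reverts to the previous thread identity
        }

        Response.ContentType = "text/plain";
        Response.Write("WindowsIdentity.GetCurrent().Name     : " + threadName + "\n");
        Response.Write("WindowsIdentity.GetCurrent(true).Name : " + impName + "\n");
        Response.Write("Thread.CurrentPrincipal.Identity.Name : " + principalName + "\n");
        Response.Write("caller can read log file              : " + callerCanRead + "\n");
    }
}
```

The userName and password in the <identity> element sit in clear text in web.config; on .NET 2.0 and later, encrypt that section with aspnet_regiis -pe rather than leaving the service account's password readable on disk.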
I am running it from my local machine which is part of the domain, is that
what you are asking?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...
> is your server trusted for delegation?
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
no, in order for impersonation to work, the server must be trusted for
delegation within active directory
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5f9bd_1@.mcse.ms...
>I am running it from my local machine which is part of the domain, is that
> what you are asking?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
> news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...