Remote control of windows service with windows 2003 server

Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successfully tested the application on Windows 2000 server + IIS. I must
include the ASPNET user in the Administration group (on server side) to have
the necessary authorization to start a Windows Service (I don't understand why
"Power User" rights are not enough to do the same thing).

Although I'm able to start a service using the Windows 2000 server platform, I'm
not able to do the same thing in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user, an error message tells me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer -> Manage -> user).

Any idea ?

Thank you
Best Regards
Nov 18 '05 #1
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successfully tested the application on Windows 2000 server + IIS. I must
include the ASPNET user in the Administration group (on server side) to have
the necessary authorization to start a Windows Service (I don't understand why
"Power User" rights are not enough to do the same thing).

Although I'm able to start a service using the Windows 2000 server platform, I'm
not able to do the same thing in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user, an error message tells me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer -> Manage -> user).

Any idea ?

Thank you
Best Regards


Nov 18 '05 #2
Dear Scott,

Thanks for your indications
I read the article, but I'm not sure if impersonation is applicable to the
Forms authentication mode. What do you think? Am I wrong?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows user name?

2) Is there any relationship between the Windows password of a Windows user and
the password of the same user indicated in the web.config file?

3) If ASPNET impersonates a user using the Forms authentication mode, does it
mean that the .NET application can access all resources available to that
user?

Thank you
Paolo
Nov 18 '05 #3
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application solely for the purpose of controlling the
service? Is it exposed to the Internet?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,

Thanks for your indications
I read the article, but I'm not sure if impersonation is applicable to the
Forms authentication mode. What do you think? Am I wrong?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows user name?

2) Is there any relationship between the Windows password of a Windows user and
the password of the same user indicated in the web.config file?

3) If ASPNET impersonates a user using the Forms authentication mode, does it
mean that the .NET application can access all resources available to that
user?

Thank you
Paolo
Nov 18 '05 #4
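
Scoping impersonation to the single service-control call, instead of impersonating on every request through the `<identity>` tag discussed above, shown as an added example that is not code from the thread or from the MSDN article it links. The `ServiceOperator` class, the `MyService` allow-list entry and the dedicated operator account whose credentials the caller passes in are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;

// Added example (not from the thread). ServiceOperator, "MyService" and the
// operator account passed in by the caller are hypothetical names.
public static class ServiceOperator
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain,
        string password, int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // The page may only ever touch services listed here, whatever the
    // request says. Comparison is exact and case-sensitive on purpose.
    private static readonly string[] AllowedServices = { "MyService" };

    public static bool IsAllowed(string serviceName)
    {
        return serviceName != null
            && Array.IndexOf(AllowedServices, serviceName) >= 0;
    }

    // Starts (run = true) or stops (run = false) one allow-listed service
    // while impersonating the operator account, then reverts.
    public static void SetRunning(string serviceName, bool run,
        string user, string domain, string password)
    {
        if (!IsAllowed(serviceName))
            throw new ArgumentException("Service is not on the allow-list.");

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext context = null;
        try
        {
            // From here until Undo(), this thread acts as the operator
            // account instead of ASPNET / NETWORK SERVICE.
            context = new WindowsIdentity(token).Impersonate();

            using (ServiceController sc = new ServiceController(serviceName))
            {
                ServiceControllerStatus target = run
                    ? ServiceControllerStatus.Running
                    : ServiceControllerStatus.Stopped;

                if (run && sc.Status == ServiceControllerStatus.Stopped)
                    sc.Start();
                else if (!run && sc.Status == ServiceControllerStatus.Running)
                    sc.Stop();

                // Throws System.ServiceProcess.TimeoutException if the
                // service does not reach the target state in time.
                sc.WaitForStatus(target, TimeSpan.FromSeconds(30));
            }
        }
        finally
        {
            // Always drop the impersonated identity and release the token,
            // including when the service call throws.
            if (context != null) context.Undo();
            CloseHandle(token);
        }
    }
}
```

On Windows 2000 the process calling `LogonUser` needs the "Act as part of the operating system" privilege; Windows XP and Windows Server 2003 do not require it. The operator account needs the right to log on locally and permission to start and stop the listed service, and nothing else.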
Dear Scott,

Thanks again. I'm trying to use your indication now.

The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on the HTTP protocol. Sorry, but I'm taking my first steps with this
technology.

Regards,
Paolo
Nov 18 '05 #5
Hi Paolo:

I understand, this is a tricky area to be in especially if it is your
first step.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 19:06:12 GMT, "pberna" <xx*@iol.it> wrote:
Dear Scott,

Thanks again. I'm trying to use your indication now.

The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on the HTTP protocol. Sorry, but I'm taking my first steps with this
technology.

Regards,
Paolo
Nov 18 '05 #6
