By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
435,136 Members | 1,205 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 435,136 IT Pros & Developers. It's quick & easy.

Remote control of windows service with windows 2003 server

P: n/a
Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)

Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)

Any idea ?

Thank you
Best Regards
Nov 18 '05 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)

Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)

Any idea ?

Thank you
Best Regards


Nov 18 '05 #2

P: n/a
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?

Thank you
Paolo

"Scott Allen" wrote:
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)

Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)

Any idea ?

Thank you
Best Regards


Nov 18 '05 #3

P: n/a
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?

Thank you
Paolo

"Scott Allen" wrote:
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
>Dear all,
>
>I built a Web Form application to start and stop a Windows Service remotely.
>I successful tested the application on Windows 2000 server + IIS. I must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server platform, I'm
>not able to do the same things in the Windows 2003 server edition where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I know
>that in Windows 2003 server the default account for a ASPNET applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>



Nov 18 '05 #4

P: n/a
Dear Scott,

Thank again. I'm trying to use your indication now

The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on http protocol. Sorry but I'm moving the first step on this
technology

Regards,
Paolo

"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
news:pb********************************@4ax.com...
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User
and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for
that
user ?

Thank you
Paolo

"Scott Allen" wrote:
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:

>Dear all,
>
>I built a Web Form application to start and stop a Windows Service
>remotely.
>I successful tested the application on Windows 2000 server + IIS. I
>must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server
>platform, I'm
>not able to do the same things in the Windows 2003 server edition
>where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I
>know
>that in Windows 2003 server the default account for a ASPNET
>applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that
>the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>

Nov 18 '05 #5

P: n/a
Hi Paolo:

I understand, this is a tricky area to be in especially if it is your
first step.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 19:06:12 GMT, "pberna" <xx*@iol.it> wrote:
Dear Scott,

Thank again. I'm trying to use your indication now

The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on http protocol. Sorry but I'm moving the first step on this
technology

Regards,
Paolo

"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
news:pb********************************@4ax.com.. .
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User
and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for
that
user ?

Thank you
Paolo

"Scott Allen" wrote:

Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:

>Dear all,
>
>I built a Web Form application to start and stop a Windows Service
>remotely.
>I successful tested the application on Windows 2000 server + IIS. I
>must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server
>platform, I'm
>not able to do the same things in the Windows 2003 server edition
>where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I
>know
>that in Windows 2003 server the default account for a ASPNET
>applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that
>the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>


Nov 18 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.