Impersonating to ASPNET or SYSTEM Identities

Picho

Hi all,

I am trying to write a secure application and some of you have been very
helpful on that subject.

the only question remaining open after implementing certain methodologies is
this:

from a hacker point of view, is it possible to impersonate to SYSTEM or
ASPNET windows identities on a local machine?

a simple yes or no will not do (actually a simple yes would...). I need to
base my assumptions so if you can, please provide an explaination.

Thanx,

Picho

Jul 21 '05 #1

Subscribe Reply

1301

Hernan de Lahitte

It is certainly possible to "get" some code run under the worker process
identity. In the case of ASP.NET, someone may be able to run some code under
the configured account of your wp (ASPNET by default or Network Service in
W2K3). If you change the wp account to SYSTEM, you are virtually giving away
the control of your machine to the code that may get this identity (this is
usually done with the "RevertToSe lf" API).
So use the ASPNET account or any other "low privilege" account whenever you
can (I mean always).

Regards.
--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

"Picho" <SP********@tel hai.ac.il> wrote in message
news:OO******** ******@TK2MSFTN GP09.phx.gbl...

Hi all,

I am trying to write a secure application and some of you have been very
helpful on that subject.

the only question remaining open after implementing certain methodologies is this:

from a hacker point of view, is it possible to impersonate to SYSTEM or
ASPNET windows identities on a local machine?

a simple yes or no will not do (actually a simple yes would...). I need to
base my assumptions so if you can, please provide an explaination.

Thanx,

Picho

Jul 21 '05 #2

Hernan de Lahitte

Hi all,

I am trying to write a secure application and some of you have been very
helpful on that subject.

the only question remaining open after implementing certain methodologies is this:

from a hacker point of view, is it possible to impersonate to SYSTEM or
ASPNET windows identities on a local machine?

a simple yes or no will not do (actually a simple yes would...). I need to
base my assumptions so if you can, please provide an explaination.

Thanx,

Picho

Jul 21 '05 #3

Valery Pryamikov

Hi,
Logon as system is only available for registered Windows Services. Only
administrator has rights to register service with SCM. Service running as
System could start processes that will inherit SYSTEM credentials. If you
try to impersonate SYSTEM that is calling your process by means of LPC/RPC -
you'll get guest's identity in thread's impersonation token (not SYSTEM).
Last couldn't be used as an excuse for letting SYSTEM service to call back
less trusted code, because it greatly increases possible attack surface. If
attacker manages to run code of his choice in the process that is running as
SYSTEM - you lost your system to that attacker. That means that
services/programs that are designed to run some add-hook code should never
be running as SYSTEM. Exploitable errors of service/program that is running
as SYSTEM (like f.e. buffer overruns) could be abused by malicious code for
gaining unlimited Local System access. Limiting amount of interaction
between service that is running as SYSTEM with the rest of the world helps
reducing attack surface. If service is doing a lot of IO - consider not
running it as system - reduces possibility of exploiting errors related to
handling of malformed data. Backdoors/rogue services is another possibility
of getting SYSTEM access. If attacker manages to get system access on your
DC you lost you domain to the attacker. That means that you should limit
amount of services running on your DC to bare minimum if you want to have it
secure.

-Valery.
http://www.harper.no/valery
"Picho" <SP********@tel hai.ac.il> wrote in message
news:OO******** ******@TK2MSFTN GP09.phx.gbl...

Hi all,

I am trying to write a secure application and some of you have been very
helpful on that subject.

the only question remaining open after implementing certain methodologies
is
this:

from a hacker point of view, is it possible to impersonate to SYSTEM or
ASPNET windows identities on a local machine?

a simple yes or no will not do (actually a simple yes would...). I need to
base my assumptions so if you can, please provide an explaination.

Thanx,

Picho

Jul 21 '05 #4

Similar topics

2757

Retaining local file system access while impersonating to access a remote drive

by: Daniel | last post by:

Is it possible to retain local file system read, write, delete access while impersonating for access to a remote drive in a different domain? I need to be able to move files from a local computer to a remote computer. do i have to copy them from the local computer to the remote computer then delete them fromt the local computer after undo-ing the impersonation? Or is there a way to retain access to both the local computer and the remote...

C# / C Sharp

2814

Impersonating currently logged in user

by: sushi | last post by:

Hello, I am running a ASP.Net application. It runs by defaul in the context of ASPNET user. I want to dynamically impersonate it so as to run in the context of currently logged in user. I know it is possible by specifying username, domain and password and using WindowsIdentity, WindowsImpersonationContext classes. But I wanted to know whether it is possible to achieve this by not passing username and password and system taking the same...

C# / C Sharp

2387

impersonating and LogonUser

by: Jason | last post by:

I have an ASP.NET application with forms authentication. However, the login details correspond to a Windows account (I cannot use Windows authentication). If I obtain a token with LogonUser, can I store it in a session variable and perform an impersonation on each page load? How long is that token valid? If I do an impersonation on each page load but never an Undo, will it cause problems? I think that once the response finishes, the...

ASP.NET

266

Impersonating to ASPNET or SYSTEM Identities

by: Picho | last post by:

.NET Framework

6089

Impersonating

by: Leonardo Arena | last post by:

We have an Index Server on Win2k Server SP4 indexing about 250.000 docs. We have written an ASP.NET serch page, setup a new virtual directory, and set to use .NET framework 2.0. On the server is installed also .NET framework 1.0, for the rest of the Intranet. The search page is setup to impersonate the user running the query in order to return only the documents that the user have access to. However most of the times, after a number of...

ASP.NET

2077

Impersonating doesn't work on Win2003

by: fab | last post by:

Hello, i'm trying to browse a UNC share through an ASP.NET application and i've got a problem : i've tried some examples from MSDN or other web sites (using LogonUser from Win32 API) and it works perfectly from my computer (windows XP) but it doesn't work from a windows2003 server : i've got the famous error 1326 : Logon failure: unknown user name or bad password. ERROR_LOGON_FAILUREis there a special configuration for Win2003 ? i've...

ASP.NET

803

SSPI-Error when impersonating to a fixed server account in ASP

by: Chris | last post by:

System.Security.Cryptography.Utils._CreateCSP throws a System.Security.Cryptography.CryptographicException with the message "file not found" when we impersonate IIS5 to a fixed account from web.config. If we let it run under the ASPNET user things are fine. does anyone have an idea what goes wrong here? web.config: <identity userName="server_account" password="password"/>

ASP.NET

1317

Extending or Linking to ASPNET.MDF?

by: Slicks | last post by:

Is it preferable to add my web-app-related tables to ASPNET.MDF and extend the fields in the dbo.aspnet_users table or link to aspnet_users from a separate MDF as they do in the .NET Starter Kits? The .NET login/security model is attractive but I've never worked with GUIDs before and I would prefer to use auto-incrementing Integer Identities since that's what I'm used to. My app will include a community forum with potential for...

Microsoft SQL Server

1256

impersonating ASPNET account does not work for com interop?

by: esource | last post by:

Hi all, has anyone been successful in forcing impersonation of the ASPNET account that calls a component through com interop? I have tried doing it programmatically, through IIS, through the web config file and all do not work. The ASPNET account always seems to access my com components. I have a .net web service trying to call a com+ component programmed in VB6. thanks in advance

ASP.NET

9685

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

9533

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

10190

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

9057

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

6796

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...

C# / C Sharp

5447

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

5579

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

3736

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP

2928

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General