Impersonating to ASPNET or SYSTEM Identities

Hi all,

I am trying to write a secure application and some of you have been very
helpful on that subject.

The only question remaining open after implementing certain methodologies is
this:

From a hacker point of view, is it possible to impersonate to SYSTEM or
ASPNET Windows identities on a local machine?

A simple yes or no will not do (actually a simple yes would...). I need to
base my assumptions so if you can, please provide an explanation.

Thanx,

Picho
Jul 21 '05 #1
It is certainly possible to "get" some code run under the worker process
identity. In the case of ASP.NET, someone may be able to run some code under
the configured account of your wp (ASPNET by default or Network Service in
W2K3). If you change the wp account to SYSTEM, you are virtually giving away
the control of your machine to the code that may get this identity (this is
usually done with the "RevertToSelf" API).
So use the ASPNET account or any other "low privilege" account whenever you
can (I mean always).

Regards.
--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

Jul 21 '05 #2
Hi,
Logon as SYSTEM is only available for registered Windows Services. Only an
administrator has rights to register a service with the SCM. A service running
as SYSTEM could start processes that will inherit SYSTEM credentials. If you
try to impersonate SYSTEM that is calling your process by means of LPC/RPC,
you'll get guest's identity in the thread's impersonation token (not SYSTEM).
The latter couldn't be used as an excuse for letting a SYSTEM service call back
less trusted code, because it greatly increases the possible attack surface. If
an attacker manages to run code of his choice in a process that is running as
SYSTEM, you have lost your system to that attacker. That means that
services/programs that are designed to run some add-hook code should never
be running as SYSTEM. Exploitable errors in a service/program that is running
as SYSTEM (for example, buffer overruns) could be abused by malicious code for
gaining unlimited Local System access. Limiting the amount of interaction
between a service that is running as SYSTEM and the rest of the world helps
reduce the attack surface. If a service is doing a lot of IO, consider not
running it as SYSTEM; this reduces the possibility of exploiting errors related
to handling of malformed data. Backdoors/rogue services are another possibility
for getting SYSTEM access. If an attacker manages to get SYSTEM access on your
DC, you have lost your domain to the attacker. That means that you should limit
the number of services running on your DC to the bare minimum if you want to
have it secure.

-Valery.
http://www.harper.no/valery
Jul 21 '05 #4
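
The two conditions the replies above warn about, as an added audit example that is not part of any post in the thread: an ASP.NET worker process configured as SYSTEM, and running services that log on as LocalSystem. The function names `Test-ProcessModelIdentity` and `Get-LocalSystemService` are hypothetical, and the sample `<processModel>` XML is constructed (the `userName` values follow the ASP.NET 1.x `machine.config` convention, where `machine` selects the ASPNET account).

```powershell
# Added example: audit for the two conditions the replies warn about.
# Function names and the sample XML are constructed for illustration.

# 1. ASP.NET 1.x on IIS 5: <processModel userName="..."> in machine.config
#    selects the worker process account ("machine" = ASPNET, "SYSTEM" = LocalSystem).
function Test-ProcessModelIdentity {
    param([Parameter(Mandatory)][xml]$Config)
    $pm = $Config.SelectSingleNode('//processModel')
    if ($null -eq $pm) { return $null }
    $user = $pm.GetAttribute('userName')
    [pscustomobject]@{
        UserName     = $user
        RunsAsSystem = ($user -ieq 'SYSTEM')
    }
}

# 2. Running services that log on as LocalSystem. Binaries outside
#    %SystemRoot% are listed first for review (a triage heuristic only).
function Get-LocalSystemService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, StartMode, PathName,
            @{ Name       = 'OutsideSystemRoot'
               Expression = { $_.PathName -notlike "*$($env:SystemRoot)*" } } |
        Sort-Object -Property @{ Expression = 'OutsideSystemRoot'; Descending = $true }, Name
}

# Constructed sample configs: the weak setting beside the default one.
$weak    = [xml]'<configuration><system.web><processModel enable="true" userName="SYSTEM" password="AutoGenerate" /></system.web></configuration>'
$default = [xml]'<configuration><system.web><processModel enable="true" userName="machine" password="AutoGenerate" /></system.web></configuration>'

Test-ProcessModelIdentity -Config $weak
Test-ProcessModelIdentity -Config $default

# Live query against the local machine; review each entry and move
# services that do not need SYSTEM to a low-privilege account.
Get-LocalSystemService | Format-Table -AutoSize
```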
