
Temporarily granting elevated administrator privileges to ASP.NET code

We're trying to run a set of administrative tasks on the server via a web administration console. The console runs with impersonation as the currently logged-in user, and only administrators on the local machine are allowed to log in. Right now it works for most cases but we're having trouble when running under UAC.

The first issue is a blocker: it seems like admins do not get the "BUILTIN\Administrators" role even if they are an admin on the local box. This can prevent them from even getting into the admin console, since we're using the web.config <allow roles="BUILTIN\Administrators"> notation to specify security. I suspect that the only solutions here are to either run the ASP.NET app as SYSTEM, or to allow more users and do a more granular permissions check in code. Any other ideas? Is there any way to inject an elevation request into the built-in ASP.NET permissions check?

The other problem is that we want to run some commands that require administrator access. The user visiting the site is an administrator, and is correctly impersonated, but when we spawn a process it fails due to lack of administrator privileges. The clear answer is to elevate for the duration of that command. There are solutions that will let me temporarily elevate by impersonating a specific username and password, but I'd prefer not to have to ask the already-validated user for his password. Are there any tricks for elevating the current user?

(I can understand why the ASP.NET team might try to make this hard, so that web pages can't take invisible advantage of an administrator visiting the web site... but surely there must be some way to programmatically declare that your code needs full Administrator rights, appropriately warning the IIS admin of its intentions?)

There are a series of answers for Windows Forms apps, such as: How to elevate privileges only when required? and File.Exists returning false from a network share, but I'm hoping to find one that will work with ASP.NET...

Thanks Steve
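The question's first paragraph mentions doing "a more granular permissions check in code" instead of relying on the web.config role rule. The following is an added example, not code from the question or the answer, of what such a check can look like: it runs the same BUILTIN\Administrators membership test that the `<allow roles="BUILTIN\Administrators">` rule performs, and when that fails it asks Windows (via `GetTokenInformation` with `TokenElevationType`) whether the impersonated token is a UAC-limited token, so the admin console can log and report "administrator, but running with a filtered token" rather than a generic access-denied. It assumes the impersonated caller is available as a `WindowsIdentity` (true under ASP.NET Windows authentication with impersonation) and runs on Vista or later, where token elevation types exist; the constant values come from winnt.h.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original question or answer).
// Classifies the impersonated identity for an admin console so that a
// UAC-filtered administrator token can be distinguished from a non-admin.
public static class AdminCheck
{
    // TOKEN_INFORMATION_CLASS.TokenElevationType (winnt.h)
    private const int TokenElevationTypeClass = 18;

    // TOKEN_ELEVATION_TYPE values (winnt.h)
    private const int TokenElevationTypeDefault = 1; // no UAC split token (e.g. UAC off, or service)
    private const int TokenElevationTypeFull = 2;    // the elevated half of a split token
    private const int TokenElevationTypeLimited = 3; // the filtered half: admin group is deny-only

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool GetTokenInformation(
        IntPtr tokenHandle,
        int tokenInformationClass,
        out int tokenInformation,
        int tokenInformationLength,
        out int returnLength);

    public enum Verdict
    {
        Admin,             // member of BUILTIN\Administrators with the group enabled
        AdminButFiltered,  // UAC-limited token; the role check will fail by design
        NotAdmin           // not an administrator on this machine
    }

    public static Verdict Evaluate(WindowsIdentity identity)
    {
        if (identity == null)
            throw new ArgumentNullException("identity");

        // Same membership test as the web.config role rule: the well-known
        // Administrators SID must be present and enabled in the token.
        var principal = new WindowsPrincipal(identity);
        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
            return Verdict.Admin;

        // The role test failed; ask the token itself whether it is the
        // limited (filtered) half of a UAC split token.
        int elevationType;
        int returnedLength;
        bool ok = GetTokenInformation(
            identity.Token,
            TokenElevationTypeClass,
            out elevationType,
            sizeof(int),
            out returnedLength);

        if (ok && elevationType == TokenElevationTypeLimited)
            return Verdict.AdminButFiltered;

        return Verdict.NotAdmin;
    }

    // Hypothetical page-level helper: deny unless the caller is a real
    // (unfiltered) administrator, and give the operator a precise reason.
    public static void RequireAdministrator(WindowsIdentity identity, Action<string> log)
    {
        Verdict verdict = Evaluate(identity);
        switch (verdict)
        {
            case Verdict.Admin:
                return;
            case Verdict.AdminButFiltered:
                log("Access denied for " + identity.Name +
                    ": administrator, but the impersonated token is UAC-limited.");
                break;
            default:
                log("Access denied for " + identity.Name + ": not an administrator.");
                break;
        }
        throw new UnauthorizedAccessException("Administrator rights are required.");
    }
}
```

From a page or handler running under impersonation, `AdminCheck.RequireAdministrator((WindowsIdentity)HttpContext.Current.User.Identity, msg => Trace.TraceWarning(msg))` is one way to call it. The point of the extra branch is diagnostic, not a bypass: a limited token cannot be upgraded by the web application, so the most the console can do is tell the operator why the role rule failed.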


We were able to achieve a "higher" impersonation level from the user currently accessing the website by enabling the server for delegation in Active Directory. Per Microsoft, you can think of delegation as a more powerful form of impersonation, as it enables impersonation across a network. You may not need to go across the network, but it may resolve your security issues.

Here are a few resources on setting up delegation, hopefully this will help you.

  • Impersonation and Delegation
  • Impersonation and Delegation in ASP.NET
  • http://support.microsoft.com/kb/810572
  • http://msdn.microsoft.com/en-us/library/aa291350(v=vs.71).aspx (older article)
  • http://msdn.microsoft.com/en-us/library/ms998351#paght000023_delegation