Windows User Account that executes only IIS7 Provisions - iis-7

I have a web application that executes IIS 7 provisions (using Microsoft.Web.Administration.dll) to create our web and ftp sites. When I run this using the administrator account, it works ok.
I want to create a Windows user account for impersonation that will only execute these web provisioning procedures without being identical to a server's administrator roles.
How can I achieve this?

You should split your application into three parts:
Windows Service
This would host a WCF or Remoting application. You want to put the code that requires privileged access to your system in here. For example creating and deleting websites. Run this service under an account that has enough rights to perform operations using Microsoft.Web.Administration.
Trusted Wrapper or Proxy Assembly
This is just a signed wrapper assembly that is installed in the GAC. Its role is to pass on calls from your low trust web application to perform privileged actions in the code running in the service above. Mark the assembly with the AllowPartiallyTrustedCallers attribute (if your server is configured for partial trust) and mark any classes that require access to the remoting service with [PermissionSet(SecurityAction.Assert, Unrestricted=true)].
Front End Application(or Web Service)
This is the interface to your application (whether it be a web application with a GUI or a web service). Run this in its own application pool with just enough rights to execute, for example IUSR or a similar account. Ideally you should also run this under partial trust.
Your web application/service references the Trusted Wrapper assembly in the GAC which in turn has a reference to the remoting or WCF application running in the windows service.
Using this layered approach means that you are locking down by gating access to specific privileged operations which only run in your windows service.
This approach is covered quite well in Appendix C of Dominick Baier's 'Developing More-Secure Microsoft ASP.NET 2.0 Applications'. I thoroughly recommend getting a copy.

Related

Asp.Net VNext Windows service

I want to try moving to VNext from Asp.Net MVC 3, I used windows service project (http://www.interworks.com/blogs/banderton/2009/10/30/long-running-tasks-aspnet) but this doesn't seem to work on VNext, because it doesn't have proper System.ServiceModel reference and I cant add dll.
Is there a way around? Would you recommend other ways to run long tasks such as big file import/calculations with VNext?
Generally, no - not because of any feature-set in ASP.NET vNext (it's been possible since .NET 1.0) but because of permissions: a process needs to run under a high-privilege security context or be able to impersonate such a user account in order to control Windows Services.
w3wp.exe (the application pool hosting process, and by extension, the application pool and the applications within it) all typically run under a least-privilege user-account (often NT AUTHORITY\NETWORK SERVICE or a custom user account with enough permissions to write to the website's root directory, a database server, and not much else (in recent versions of Windows this is further reduced to the concept of a "service account" which your worker-process and pools run under).
The easiest solution is to create a user-account with the necessary privileges to control services and run your application pool process under this user-account, but I don't recommend this.
Consider, instead, creating a new Windows Service that then controls the other service (or if it's your own service, do it in-proc) that uses some form of IPC to communicate with your ASP.NET application to shut itself down and perform other tasks. You might want to look at named-pipes, for example.
If you need to run ASP.NET in a Windows service, you can do it now using ASP.NET 5. I wrote a detailed post on how to do this here: http://taskmatics.com/blog/host-asp-net-in-a-windows-service/

In ASP.NET, under which credentials does the code run?

1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.

IIS 7.5 ASP.Net and remote share

I have an issue with our ASP.net application not being able to read files from a remote directory. Our users log into our application using Forms Authentication, so no AD accounts are used in logging them in.
I have added the machine accounts the machines to the share, as I have a local service on the machine that can write to it and a SQL server able to read/write to the share with a machine account.
However, our asp.net app, running on the same server as the service above, is is not able to do this. I have tried impersonation set to true, but this does not work unless I provide an AD account. Once provided, the share works fine.
I can't move the share to the IIS server due to size constraints.
Is there anyway to allow easy access or do I need to take the interop approach?
The account the application pool runs under needs access on the remote folder. Add that account to the security tab(not only share tab) of the remote folder.
Or, try running the apppool as the AD account you used for impersonation.

Should I use Windows Management Service or Remote Agent Service to publish to a remote server?

I have a remote web server that I have full administrator access over, and I want to deploy a website.
When I use Visual Studio's Publish tool, among other things which seem a bit less convenient (FTP etc), I have the option of using either Windows Management Service or Remote Agent Service. All the documentation says is this:
To publish remotely through Remote
Agent Service, use
http://RemoteComputerName. This option
is typically used to deploy a Web
application inside a network (in an
intranet scenario). You must have
appropriate permissions to perform the
deployment on the destination server.
To publish to a hosting site using
Windows Management Service, use the
value that is specified by the hosting
provider. You can typically use just a
server name (HostedRemoteServer) or a
complete URL that includes a server
name, a port number, and the Web
Deploy handler name
(https://HostedRemoteServer:8172/MsDeploy.axd).
The hosting provider can tell you the
name of the server and the port
number, if applicable.
This isn't enough information for me to decide, though. Yeah, I'm not publishing over a network, but I do have full access over the machine I'm deploying to. At the same time, MsDeploy is the big fancy thing that Scott Hanselman describes in his talk and that I've been convinced as being the awesome way to deploy.
So which should I do? Are there any obscure security considerations or anything?
I recommend going the Management Service route. In addition to the msdeploy features, the Management Service feature gives you the ability to remotely administer IIS 7/7.5 from your machine. With all of your IIS servers in one console, you can easily export an application on one machine and import it onto another.
It seems like the most sophisticated msdeploy implementation from a security provisioning perspective and from a configuration perspective. The IIS manager allows you to easily configure details around the endpoint (SSL certificate, port, etc.). Well.. this is true on IIS 7/7.5 on Windows 2008 and R2, but not on Windows Vista or 7. For some strange reason, there is no UI for the Web Management settings on non-server SKU's.
The agent is basically a self contained web server without any of the user-level permissions capabilities. This is why it requires that the person doing the remote deployment has admin privileges on the target machine. It's feels like a simpler, bare metal implementation. Since you've already got IIS serving up HTTP/HTTPS and since IIS' HTTP implementation has kernel-level optimizations, you're not really gaining anything by going the agent route.
If you want to remotely administer Windows 2008 or R2 from Windows Vista/7, install this on your workstation: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32c54c37-7530-4fc0-bd20-177a3e5330b7 ... this was the icing on the cake for me.

Strange communication error in Win2008

I have a windows service that hosts the main WCF service. The clients for this service are both hosted in IIS 7, the first one is an IIS hosted WCF service and the second is a standard Asp.Net application. Both of the IIS hosted clients communicate with the windows service over named pipes.
The IIS hosted WCF service can communicate with the windows hosted WCF service perfectly, but the Asp.Net service fails with this error:
The pipe name could not be obtained from the pipe URI: Access is denied.
My first reaction is that this is a permissions issue somewhere, but I dont know where. And second, why would the IIS hosted WCF service be able to communicate without issue, but the Asp.Net application fail?
Ok, I solved it, or rather I figured out where the permission issue was.
It turns out the Anonymous Authentication setting was using some weird user created by our client (the physical person, not our WCF client), and not the NetworkService user (the identity the app pool was using).
But this almost begets another question: Why were even newly created sites defaulting to this IUSR and not the system defaults? In anycase, I just hope this gets indexed in google as, there were virtually no articles relating to it.
Check the Identity of the Application Pools that the WCF and ASP.NET services resides in.
Maybe the WCF service's AppPool has an identity that has different rights than the other AppPool?
Also, you might want to note that IUSR is the default IIS7 account for Anonymous accessors. See Understanding the Built-In User and Group Accounts in IIS 7.0 for an explanation of the default accounts.
Hope this is helpful.

Resources