I would like to run a bat script on one of the machines on the domain, from my asp.net application. Machine with the batch script is a temporary storage machine, and script synchronizes it with the permanent storage machine. So, what is the optimal way of doing this?
The thing I tried is to use PsExec to run a script on the remote machine. I create a process that makes a PsExec call, and it actually does it's job pretty well. However, since the ASP.NET worker thread runs under ASP.NET account that has restricted privileges, I must hard-code my domain user credentials in PsExec call, and that's something I do not like doing.
Is there a way to overcome this problem, or maybe some other approach that I could try?
Thanks...
You can use the <identity impersonate="true" /> setting in your Web.config to have the application run under the IUSR, or you can set a username/password on the identity tag to an account you'd like to use to run the BAT file.
I had previously found some details on Impersonate over at: http://www.aspdev.org/articles/web.config/
But I'm sure a quick web search will find you even more info on Impersonate.
The answer above doesn't work. New processes will be spawned by default under the ASP.NET account.
see http://support.microsoft.com/kb/889251.
"To spawn a process that runs under the context of the impersonated user, you cannot use the System.Diagnostics.Process.Start method. This is because in ASP.NET, impersonation is performed at the thread level and not at the process level. Therefore, any process that you spawn from ASP.NET will run under the context of the ASP.NET worker process and not under the impersonated context."
Related
I had some malicious javascript appended to my .js files on a website and tracked the hack in my logs to an old FCKEditor exploit.
As a relative novice, I've been reading up a bit on how this was done and how I can protect against it, but I have a few specific questions, listed below.
If it's helpful, this was Windows Server 2012, IIS 8 and SQL Server, and, I'm embarrassed to say it, but this was an old site still running Classic ASP. Here are my questions:
I had IUSR as my Anonymous User in IIS. When the hacker uploaded the .asp file to get shell access, I assumed they only had the privileges conferred to them via IUSR, correct? If the server is properly hardened, they can't escalate privileges to get more access than what IUSR has, right?
I've changed my Anonymous User to be the application pool identity. Since a hacker's grab-shell-access ASP program now won't have IUSR's privileges and will only have the application pool identity, is it safe to assume that they can't get the ability to run commands like WHOAMI or any other such commands? What rights would application pool identity (and thus any of my .asp programs that serve up web pages) have?
Last question. OK, so I clearly was giving IUSR too much power on this box, given that an anonymous user for IIS could run a .asp program and get shell access. So how do I query what privileges IUSR has across the entire computer? I know I can, for example, right click on my inetpub folder and look a security to see what IUSR can do, but is there a way to get a report across the entire server to understand the full rights and privileges for that particular user.
My focus with these questions is more about general learning than about protecting this box. I'm sure some might be inclined to say your box is probably toast and backdoored, so dump it and start with a new server, but I know that. I also know that I should have done some hardening that I didn't. Thanks for your answers to questions above, which will help me learn and improve. Much appreciated.
1.IUSR will determine what identity you are using to view your web page and also application pool identity will decide whether the application or shell can be executeed. So you need to minimize permission for both app pool identity and iusr.
2.By default application pool identity don't have permission to access something like powershell or cmd. So you don't have to afraid command like whoami will be executed.
3.I'm afraid there is no simple way to do permission traversal. But you just need to make sure you have already minizized your application pool identity permission.
This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.
I have a new Win7 workstation and I am trying to get ScrewTurn Wiki to run on the machine. My STW installation is using the file system option to store its data, and as such I need to give write permissions to the ASP.NET worker process in the folder the website is installed in.
HOWEVER, I cannot seem to be able to come up with name of the worker process in Win7 in order to add it to the permissions for the folder. In XP it was ASPNET_WP, if I remember correctly, but that is not its name in Win7.
Can someone please tell me?
Edited to add:
In response to #Dragan_Radivojevic, here's what the application pool in question looks like (named ScrewTurnWiki):
The Identity is "ApplicationPoolIdentity"
Giving write permissions to all IIS_USRS group is a bad idea from the security point of view. You dont need to do that and you can go with giving permissions only to system user running the application pool.
If you are using II7 (and I guess you do) do the following.
Open IIS7
Select Website for which you need to modify permissions
Go to Basic Settings and see which application pool you're using.
Go to Application pools and find application pool from #3
Find system account used for running this application pool (Identity column)
Navigate to your storage folder in IIS, select it and click on Edit Permissions (under Actions sub menu on the right)
Open security tab and add needed permissions only for user you identified in #3
Note #1: if you see ApplicationPoolIdentity in #3 you need to reference this system user like this IIS AppPool{application_pool_name} . For example IIS AppPool\DefaultAppPool
Note #2: when adding this user make sure to set correct locations in the Select Users or Groups dialog. This needs to be set to local machine because this is local account.
I know this is an old thread but to further expand the answer here, by default IIS 7.5 creates application pool identity accounts to run the worker process under. You can't search for these accounts like normal user accounts when adding file permissions. To add them into NTFS permission ACL you can type the entire name of the application pool identity and it will work.
It is just a slight difference in the way the application pool identity accounts are handle as they are seen to be virtual accounts.
Also the username of the application pool identity is "IIS AppPool\application pool name" so if it was the application pool DefaultAppPool the user account would be "IIS AppPool\DefaultAppPool".
These can be seen if you open computer management and look at the members of the local group IIS_IUSRS. The SID appended to the end of them is not need when adding the account into an NTFS permission ACL.
Hope that helps
My immediate solution (since I couldn't find the ASP.NET worker process) was to give write (that is, Modify) permission to IIS_IUSRS. This worked. I seem to recall that in WinXP I had to specifically given the ASP.NET worker process write permission to accomplish this. Maybe my memory is faulty, but anyway...
#DraganRadivojevic wrote that he thought this was dangerous from a security viewpoint. I do not disagree, but since this was my workstation and not a network server, it seemed relatively safe. In any case, his answer is better and is what I finally settled on after chasing down a fail-path due to not specifying the correct domain for the AppPool user.
The full command would be something like below, notice the quotes
icacls "c:\inetpub\wwwroot\tmp" /grant "IIS AppPool\DefaultAppPool:F"
What is the right approach when users (authenticated domain admins) should be able to start batch jobs (usually exe files) from an IIS (7.x) aspx (c#) page? This is an intranet site. The batch jobs have to run on the web server as Domain Admins. The website pool is executed by network service or some similar restricted account in AD.
Approaches I can think of (and their disadvantages):
1. Start exe file with System.Diagnostics.Process.Start with another account. This feature is disabled in IIS 7.x, how do I allow it?
2. Create a sheduled task and call scheduled task-api. This unmanaged dll is giving VS compiler warnings because it's unsafe to call from managed code.
3. I suppose there's a better approach, because the previous suggestions doesn't appear safe or robust.
I would suggest that you have either a Scheduled Task or Windows Service that polls a common storage repository to see if a batch job should be run - as batch jobs are typically used for long running process.
Your could persist the deatils of which batch file and arguments you want to run from your ASP.NET website into a database (MySQL, Oracle, SQL Server, etc) and then have your Windows Service / Scheduled Task poll against this database at regular intervals.
I agree with Kane. However, if you must do...
http://www.dotnetscraps.com/dotnetscraps/post/Run-a-batch-file-as-a-specific-User-(or-Administrator)-from-ASPNET.aspx
at work I am struggling a bit with the following situation:
We have a web application that runs on a WIndows Server 2008 64 bits machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .net 2 and Classic pipeline mode.
This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes.
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas...
What I did was the run the following command from a cmd prompt:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :)
Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory.
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\Temp directory and/or the application directory itself did not fix it.
For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this.
Thanx in advance!
If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write.
My guess, is that the application must be using Windows authentication and impersonation is enabled in ASP.NET so that code is probably be ran as the specific user that is making the request and not necesarilly the process identity.
Am I right on the guess that the app is running Windows Authentication? and impersonation is enabled in asp.net ?
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html