tags:

views:

241

answers:

1
+1  Q: 

Windows User Account that executes only IIS7 Provisions

Hi there,

I've got a web application that executes IIS 7 provisions (using Microsoft.Web.Administration.dll) to create our web and ftp sites. When I run this using the administrator account, it works ok.

I'm thinking of creating a windows user account for impersonation that will only execute these web provisioning procedures without being identical to a server's administrator roles.

My question is, how can I achieve this? Or would this be achievable?

Thanks a million!

+1  A: 

You should split your application into three parts:

Windows Service

This would host a WCF or Remoting application. You want to put the code that requires privileged access to your system in here. For example creating and deleting websites. Run this service under an account that has enough rights to perform operations using Microsoft.Web.Administration.

Trusted Wrapper or Proxy Assembly

This is just a signed wrapper assembly that is installed in the GAC. Its role is to pass on calls from your low trust web application to perform privileged actions in the code running in the service above. Mark the assembly with the AllowPartiallyTrustedCallers attribute (if your server is configured for partial trust) and mark any classes that require access to the remoting service with [PermissionSet(SecurityAction.Assert, Unrestricted=true)].

Front End Application(or Web Service)

This is the interface to your application (whether it be a web application with a GUI or a web service). Run this in its own application pool with just enough rights to execute, for example IUSR or a similar account. Ideally you should also run this under partial trust.

Your web application/service references the Trusted Wrapper assembly in the GAC which in turn has a reference to the remoting or WCF application running in the windows service.

Using this layered approach means that you are locking down by gating access to specific privileged operations which only run in your windows service.

This approach is covered quite well in Appendix C of Dominick Baier's 'Developing More-Secure Microsoft ASP.NET 2.0 Applications'. I thoroughly recommend getting a copy.

Kev  2009-11-11 19:50:34
Thanks for this Kev... this solves my problem!
mallows98  2009-11-11 20:10:07

related questions

User Control Public Shared Variables in ASP.NET 1.1 Not Working As Expected
Best place to save user information xp and vista
Training Users In Security
User Groups Management Implemenation for Desktop Application Question (C#) ?
iPhone application : is-it possible to use a "double" slider to select a price range
Getting multiple UI threads in Windows Forms
How do you store/share online your personal documents ?
Using windows authentication to log on to site using c#
What is the best way to add users to multiple groups in a database?
Unix Proc Directory
Have you ever faced an ethical issue when creating an application?
PostgreSQL 8.3 privileges not updated - wrong usage?
Hierarchical Group Permissions Theory/Resources?
Beta Test Guidelines / Agreement
Getting user photo from SPUser using WSS Object model
Do you know a service like uservoice.com for bug reports?
Multiple permission types (roles) stored in database as single decimal
Best Way to Unit Test a Website With Multiple User Types with PHPUnit
Average User Download Speeds
Passing switches to Xcode 3.1 user scripts
How do I add a user in Ubuntu?
Enumerate Windows user group members on remote system using c#
Should menu items always be enabled? And how do you tell the user?
What do you look for from a User Group?
How to make subdomain user accounts in a webapp