CS795.Net Impersonation… why & How? Presented by: Vijay Reddy Mara.

Introduction
- What is Impersonation?
- Why Impersonation?
- How Impersonation?
- Levels of Impersonation
- Advantages and Disadvantages

What is impersonation?
Impersonation is the process of assigning a user account to a request from an as-yet-unknown user, so that the code handling the request runs under that account rather than under the server's own account. Impersonation is one of the most useful mechanisms in Windows security.

Mechanism
This mechanism allows a server process to run using the security credentials of the client. While the server is impersonating the client, any operation the server performs is carried out with the client's credentials, so access checks (for example NTFS permissions) are evaluated against the client, not the server. Impersonation by itself does not allow the server to access remote resources on behalf of the client; that requires the Delegate level described under "Levels of Impersonation".

Impersonation

Why Impersonation?
The usual reason for impersonating is to avoid dealing with authentication and authorization in the ASP.NET application code itself. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user, and the operating system then applies that user's permissions to whatever the request touches.

How to configure Impersonation?
By default, impersonation is disabled at the machine level. A minimal configuration file to enable impersonation is as follows.

Different types of impersonation
- Impersonate the IIS authenticated account or user
- Impersonate a specific user for all the requests of an ASP.NET application
- Impersonate the authenticating user in code

Impersonate the IIS Authenticated Account or User
Impersonate a Specific User for All the Requests of an ASP.NET Application
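An added example, not from the slides, of the web.config settings behind the "How to configure" slide and the first two types above. It assumes an ASP.NET (Framework) application on IIS with Windows authentication; the account name and password are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for an ASP.NET (Framework) application.
     DOMAIN\svc_web and "placeholder" are not real values. -->
<configuration>
  <system.web>
    <!-- IIS performs the authentication; ASP.NET receives the Windows token. -->
    <authentication mode="Windows" />

    <!-- Type 1: impersonate whichever account IIS authenticated for the request.
         If the site still allows anonymous access, the request is impersonated as
         the IIS anonymous account, so disable anonymous access on the site when
         per-user impersonation is the goal. -->
    <identity impersonate="true" />

    <!-- Type 2: impersonate one fixed account for every request (use instead of
         the element above). The credentials are stored in clear text, so restrict
         NTFS permissions on web.config and encrypt the section, for example with
         aspnet_regiis -pe "system.web/identity" -app "/MyApp". -->
    <!--
    <identity impersonate="true" userName="DOMAIN\svc_web" password="placeholder" />
    -->

    <!-- Machine default (impersonation disabled): every request runs as the worker
         process account (ASPNET, NETWORK SERVICE or the application pool identity). -->
    <!-- <identity impersonate="false" /> -->
  </system.web>
</configuration>
```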

Impersonate the Authenticating User in Code:

    // Requires <authentication mode="Windows" />; User.Identity is then a WindowsIdentity.
    System.Security.Principal.WindowsImpersonationContext impersonationContext =
        ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
    try
    {
        // Insert your code that runs under the security context of the authenticating user here.
    }
    finally
    {
        impersonationContext.Undo(); // always revert, even if the code above throws
    }

Impersonating by using LogonUser

    // LogonUser (advapi32.dll) and CloseHandle (kernel32.dll) are declared with DllImport;
    // LOGON32_LOGON_INTERACTIVE = 2 and LOGON32_PROVIDER_DEFAULT = 0 are the Win32 constants.
    IntPtr userHandle = IntPtr.Zero;
    bool loggedOn = LogonUser(user, domain, password,
        LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out userHandle);
    if (!loggedOn)
        throw new Win32Exception(Marshal.GetLastWin32Error()); // logon failed: do not continue
    WindowsImpersonationContext impersonationContext = null;
    try
    {
        // Begin impersonating the user
        impersonationContext = WindowsIdentity.Impersonate(userHandle);
        DoSomeWorkWhileImpersonating();
    }
    finally
    {
        // Clean up: revert to the original identity first, then release the token handle
        if (impersonationContext != null) impersonationContext.Undo();
        CloseHandle(userHandle);
    }

Impersonating by using the WindowsIdentity Constructor

    using System.Security.Principal;
    ...
    // userToken: an access token handle (IntPtr), e.g. the one returned by LogonUser on the previous slide
    WindowsIdentity wi = new WindowsIdentity(userToken);
    WindowsImpersonationContext ctx = null;
    try
    {
        ctx = wi.Impersonate();
        // Thread is now impersonating
    }
    catch
    {
        // Prevent exceptions propagating.
    }
    finally
    {
        // Ensure impersonation is reverted (ctx stays null if Impersonate() threw)
        if (ctx != null) ctx.Undo();
    }

Levels of Impersonation
A client process controls to what extent a service is able to act as the client by selecting an impersonation level when it connects to the service.

Four levels of Impersonation
- Anonymous
- Identify
- Impersonate
- Delegate

Anonymous
The client is anonymous to the service. The service can impersonate the client, but the impersonation token does not contain any information about the client.

Identify
The service can get the identity of the client and use this information in its own security mechanism, but it cannot impersonate the client.

Impersonate
The service can impersonate the client. If the service is on the same computer as the client process, it can access network resources as the client.

Delegate
The service can impersonate the client not only when it accesses resources on the service's computer but also when it accesses resources on other computers.

Advantages
- Auditing
- Auditing across tiers
- Granular access controls

Disadvantages
- Scalability
- Increased administration effort

References

Questions?