Impersonation Bharat Kadia CS-795

What is Impersonation?
Dictionary: to assume the character or appearance of someone.
ASP.NET: impersonation is the ability of a process to take on the security attributes of another process.
Reason: to avoid dealing with authentication and authorization issues in the ASP.NET application code.

Microsoft Internet Information Services (IIS) Role
IIS authenticates the user and either (i) passes an authenticated token (identity and privileges) to the ASP.NET application (IWAM_machinename) or, (ii) if it is unable to authenticate the user, passes an unauthenticated token (IUSR_MACHINENAME).
It relies on the permissions set on the NTFS directories and files to decide whether access is granted or not.
Impersonation requires the server file space to be formatted as NTFS.

Implementing Impersonation
Disabled by default.
Enable impersonation by putting a configuration file in the application root directory. The setting is respected by nested applications in the hierarchy unless explicitly overridden.
The default value for this setting is as follows. A minimal configuration file to enable impersonation:

Contd. (Implementation)
There is also support for running an application as a configurable identity, specified by name. For example, we can programmatically read the identity of the impersonated user:
string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

Impersonate a user on a thread in ASP.NET
Namespaces: System.Web.Security, System.Security.Principal, System.Runtime.InteropServices
Impersonate the IIS authenticated account or user
Impersonate a specific user for all the requests of an ASP.NET application
Impersonate the authenticating user in code
Impersonate a specific user in code

Response.Write("I am authenticated as: " + WindowsIdentity.GetCurrent().Name);
}
By default, the Aspnet_wp.exe process runs under a computer account named ASPNET. However, this account does not have the privileges required to impersonate a specific user.

Integrated Windows Authentication

Impersonate the Authenticating User in Code
Use this only when a particular section of code must run as the authenticating user; it requires that User.Identity is of type WindowsIdentity.
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the authenticating user here.
}
finally
{
    // Always revert, even if the impersonated code throws; otherwise the thread keeps the caller's identity.
    impersonationContext.Undo();
}

Impersonate a Specific User in Code

Impersonation Levels
typedef enum _SECURITY_IMPERSONATION_LEVEL {
    SecurityAnonymous,
    SecurityIdentification,
    SecurityImpersonation,
    SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL;
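The "Impersonate a Specific User in Code" slide carries no code in this transcript, so the following is an added example (not from the original presentation) of the usual .NET Framework pattern: obtain a token for a named account via LogonUser, duplicate it at the SecurityImpersonation level from the enum above, impersonate, and always revert in a finally block. The account name, domain and password are placeholders, and the process running it needs the privileges the ASPNET slide says the default account lacks.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Added example: impersonate a specific Windows account for one section of code.
// DOMAIN/USER/PASSWORD are placeholders supplied by the caller; never hard-code real credentials.
public static class SpecificUserImpersonation
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    // Numeric value of SecurityImpersonation in SECURITY_IMPERSONATION_LEVEL (0-based enum above).
    const int SECURITY_IMPERSONATION = 2;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existingToken, int impersonationLevel,
        out IntPtr duplicateToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // Runs 'action' under the given account and returns the name GetCurrent() reported
    // while impersonating, so the caller can verify the identity switch actually happened.
    public static string RunAs(string domain, string user, string password, Action action)
    {
        IntPtr primary = IntPtr.Zero, dup = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out primary))
                throw new InvalidOperationException("LogonUser failed: " + Marshal.GetLastWin32Error());
            // LogonUser returns a primary token; impersonating a thread needs an impersonation token.
            if (!DuplicateToken(primary, SECURITY_IMPERSONATION, out dup))
                throw new InvalidOperationException("DuplicateToken failed: " + Marshal.GetLastWin32Error());
            ctx = new WindowsIdentity(dup).Impersonate();
            string seenAs = WindowsIdentity.GetCurrent().Name;
            action();
            return seenAs;
        }
        finally
        {
            // Revert first, then release handles; skipping Undo leaks the identity into later code.
            if (ctx != null) ctx.Undo();
            if (dup != IntPtr.Zero) CloseHandle(dup);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }
}
```

Compare WindowsIdentity.GetCurrent().Name before the call with the value RunAs returns to confirm the thread really switched identity and reverted afterwards.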

ImpersonateSelf and RevertToSelf
The ImpersonateSelf function obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.
BOOL ImpersonateSelf( SECURITY_IMPERSONATION_LEVEL ImpersonationLevel );
Requirements
Client: requires Windows XP, Windows 2000 Professional, or Windows NT Workstation 3.1 and later.
Server: requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 3.1 and later.
Header: declared in Winbase.h; include Windows.h.
The RevertToSelf function terminates the impersonation of a client application.
BOOL RevertToSelf(void);

Client Impersonation ( Delegation) The capability to call other servers while impersonating the original client is called delegation. A server impersonating a client can call another server, and can make network calls with the credentials of the client. From the perspective of the second server, requests coming from the first server are indistinguishable from requests coming from the client.

Client Impersonation

Cloaking (COM)
Cloaking is a COM security capability introduced with the release of Microsoft Windows. Cloaking determines what identity the client projects toward the server during impersonation. When cloaking is set, the intermediate server masks its own identity and presents the client's identity to the server that it calls on the client's behalf.

Delegation and Impersonation
From a security standpoint, two issues arise regarding delegation:
What should the server be allowed to do when acting on the client's behalf?
What identity is presented by the server when it calls other servers on behalf of a client?

Impersonation / Delegation Advantages/Disadvantages
Advantages:
Auditing. You benefit from operating system auditing. This allows administrators to track which users have attempted to access specific resources.
Auditing across tiers. The user's security context is maintained across the physical tiers of your application, which allows administrators to audit across tiers.
Granular access controls. You can configure granular access in the database. You can restrict individual user accounts independently of one another in the database.
Disadvantages:
Scalability. The impersonation / delegation model does not allow you to make efficient use of database connection pooling because database access is performed by using connections that are tied to the individual security contexts of the original callers. This significantly limits the application's ability to scale to large numbers of users.
Increased administration effort. ACLs on back-end resources need to be maintained in such a way that each user is granted the appropriate level of access. When the number of back-end resources increases (and the number of users increases), a significant administration effort is required to manage ACLs.

Summary
If impersonation is enabled in an ASP.NET application then:
If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account the request is running under is valid for that resource.

Summary
If impersonation is disabled in an ASP.NET application then:
If anonymous access is enabled in IIS, the request is made using the system-level process account.
If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account the request is running under is valid for that resource.

References
Books: Beginning Visual Web Programming in C#: From Novice to Professional; Programming .NET Security (O'Reilly)
Web: MSDN Library. Keywords: Impersonation, Delegation, Impersonation level, Cloaking