Thursday, May 25, 2006

ASP Impersonation

Had an interesting challenge over the weekend. I received a call from an individual who is running a web site written in ASP. The site started out as a simple HTML site, but slowly grew into something more and is now a form of revenue for him. I won't get into any more detail than this about the specific site - for his own protection. ;)

Again, skipping some details, the site authenticates users against a database and then sets a cookie to indicate the user is authenticated. The challenge was that a specific page in the site needed elevated rights in order to update some text files within the site - think of it as one web page writing another.

Anyway, this posed a serious problem for him. The users are not actually authenticated against the server as NT users, so everything they do is under the IUSR_MACHINE user account. In order to be able to update text files, he elevated the rights of the IUSR_MACHINE user. He then was concerned he may have granted all of his pages too much access to his machine.

So how to get around this?

In ASP.NET, it is relatively easy, but with ASP, we have a challenge.

After some digging, I found a simple way to write a DLL that does the lifting for you and allows you to temporarily act as another user.

We implemented the spiffy new DLL, lowered the rights of IUSR_MACHINE and created a separate user with the rights desired. The page now impersonates the desired user and then reverts back to IUSR_MACHINE when done.

This post will help you get started:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248187
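As an added illustration of the pattern described above (this is not the poster's DLL or the KB article's code), here is a minimal VB6 ActiveX DLL class built on the Win32 LogonUser / ImpersonateLoggedOnUser / RevertToSelf calls; the class name, method names and signatures are assumptions. The point is that the page only holds the elevated identity between Impersonate and Revert, and that the thread falls back to IUSR_MACHINE on every failure path.

```vb
' Impersonator.cls  (VB6 ActiveX DLL class; project and class names are assumed)
Option Explicit

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, ByRef phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" _
    (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

Private m_hToken As Long   ' token of the impersonated account, 0 when not impersonating

' Logs the named account on and switches the calling thread to its identity.
' Returns True on success; on any failure the thread stays IUSR_MACHINE.
Public Function Impersonate(ByVal Domain As String, ByVal User As String, _
                            ByVal Password As String) As Boolean
    Dim hToken As Long
    Impersonate = False
    If m_hToken <> 0 Then Exit Function            ' already impersonating; refuse to nest
    If LogonUser(User, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then Exit Function
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        CloseHandle hToken                         ' logon worked but impersonation did not
        Exit Function
    End If
    m_hToken = hToken
    Impersonate = True
End Function

' Drops back to the process identity (IUSR_MACHINE) and releases the token.
Public Sub Revert()
    If m_hToken = 0 Then Exit Sub
    RevertToSelf
    CloseHandle m_hToken
    m_hToken = 0
End Sub

' Safety net: if the ASP page errors out before calling Revert, the object is
' released at the end of the request and the thread is still reverted.
Private Sub Class_Terminate()
    Revert
End Sub
```

From the ASP page you would Server.CreateObject the class, call Impersonate, write the text file, then call Revert, keeping the credentials out of the page source (a config file readable only by the web server account) and giving the separate account write access to nothing but the directory the page updates. On Windows NT/2000 the IUSR account also needs the "Act as part of the operating system" privilege for LogonUser to succeed, which is itself a significant grant and one reason to keep this DLL reachable from the one page that needs it.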
