Impersonation - PowerPoint PPT Presentation

About This Presentation
Title:

Impersonation

Description:

ASP .NET-: Impersonation is the ability of a process to take on the ... Enable impersonation by putting a configuration file in the application root directory. ... – PowerPoint PPT presentation

Slides: 24
Provided by: abc7176
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

Title: Impersonation


1
Impersonation
  • Bharat Kadia
  • CS-795

2
What is Impersonation?
  • Dictionary- To assume the character or
    appearance of someone
  • ASP .NET- Impersonation is the ability of a
    process to take on the security attributes of
    another process.
  • Reason - to avoid dealing with authentication
    and authorization issues in the ASP.NET
    application code.

3
Microsoft Internet Information Services (IIS)
Role
  • IIS authenticates the user and then either
  • (i) passes an authenticated token (identity and
    privileges) to the ASP.NET application
    (IWAM_machinename) or,
  • (ii) if unable to authenticate the user, passes
    an unauthenticated token (IUSR_MACHINENAME).
  • ASP.NET then relies on the permission settings of
    the NTFS directories and files to decide whether
    the token is granted access or not.
  • Impersonation therefore requires the server file
    space to be formatted as NTFS.

4
Implementing Impersonation
  • Disabled by default.
  • Enable impersonation by putting a configuration
    file in the application root directory.
  • The setting is respected by nested applications in
    the hierarchy unless explicitly overridden. The
    default value for this setting is as follows:
  • <impersonation enable="false"/>
  • A minimal configuration file to enable
    impersonation:
  • <!-- Web.config file. -->
  • <identity impersonate="true"/>

5
Contd. (Implementation)
  • There is also support for running an application
    as a configurable, named identity. For example:
  • <identity impersonate="true" userName="TestUser"
    password="testpwdusr"/>
  • We can programmatically read the identity of the
    impersonated user:
  • string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

6
Impersonate a user on a thread in ASP.NET
  • Namespaces: System.Web.Security,
    System.Security.Principal,
    System.Runtime.InteropServices
  • Impersonate the IIS authenticated account or
    user:
  • <identity impersonate="true" />
  • Impersonate a specific user for all the
    requests of an ASP.NET application:
  • <identity impersonate="true" userName="accountname"
    password="password" />
  • Impersonate the authenticating user in code
  • Impersonate a specific user in code

7
Response.Write("I am authenticated as " + WindowsIdentity.GetCurrent().Name);
  • By default, the Aspnet_wp.exe process runs under
    a computer account named ASPNET. However, this
    account does not have the required privileges to
    impersonate a specific user.

8
<identity impersonate="true"/>
9
<identity impersonate="true" userName="TestUser" password="tempusrpwd"/>
11
Integrated Windows Authentication
12
Impersonate the Authenticating User in Code
  • Use this when only a particular section of code
    must run as the authenticating user; the request
    identity must be of type WindowsIdentity.
  • System.Security.Principal.WindowsImpersonationContext impersonationContext;
  • impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
  • // Insert your code that runs under the
    // security context of the authenticating user here.
  • impersonationContext.Undo();

13
Impersonate a Specific User in Code
14
Impersonation Levels
  • typedef enum _SECURITY_IMPERSONATION_LEVEL {
        SecurityAnonymous,
        SecurityIdentification,
        SecurityImpersonation,
        SecurityDelegation
    } SECURITY_IMPERSONATION_LEVEL;
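As an added example (not from the slides) that ties the slide 12 pattern to the impersonation levels of slide 14, the C# below impersonates the authenticating user for one section of code and always reverts, even when that code throws. The class name ScopedImpersonation and the .NET Framework 3.5+ assumption are mine; the slides show the bare Impersonate()/Undo() pair only.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Added example, not slide code. Assumes .NET Framework 3.5+ (for Action) and an
// IIS site with Windows authentication enabled. Call from a page or handler as
//   ScopedImpersonation.RunAsCaller(HttpContext.Current.User, delegate { ... });
public static class ScopedImpersonation
{
    // Runs `work` under the security context of the authenticating user and always
    // reverts afterwards. Without the finally block, an exception inside `work` would
    // leave the worker thread impersonating this caller for the next request it serves.
    public static void RunAsCaller(IPrincipal user, Action work)
    {
        WindowsIdentity callerIdentity = user.Identity as WindowsIdentity;
        if (callerIdentity == null || !callerIdentity.IsAuthenticated)
        {
            // Anonymous access or a non-Windows authentication mode: there is no
            // client token to impersonate, so refuse instead of silently running
            // the work as the process account.
            throw new SecurityException("Request is not Windows-authenticated.");
        }

        // SECURITY_IMPERSONATION_LEVEL from slide 14 surfaces in .NET as
        // TokenImpersonationLevel. An Identification-level token lets the server
        // learn who the client is but not open resources as the client, so the
        // impersonated work would fail with access denied rather than run as the caller.
        if (callerIdentity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
        {
            throw new SecurityException("Client token level " +
                callerIdentity.ImpersonationLevel + " does not permit resource access.");
        }

        WindowsImpersonationContext context = callerIdentity.Impersonate();
        try
        {
            work();   // e.g. open a file whose NTFS ACL must authorise the caller
        }
        finally
        {
            context.Undo();   // managed counterpart of the Win32 RevertToSelf
        }
    }
}
```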

15
ImpersonateSelf and RevertToSelf
  • The ImpersonateSelf function obtains an access
    token that impersonates the security context of
    the calling process. The token is assigned to the
    calling thread.
  • BOOL ImpersonateSelf(SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
  • Requirements
  • Client: Requires Windows XP, Windows 2000
    Professional, or Windows NT Workstation 3.1 and
    later.
  • Server: Requires Windows Server 2003,
    Windows 2000 Server, or Windows NT Server 3.1 and
    later.
  • Header: Declared in Winbase.h; include Windows.h.
  • Library:
  • The RevertToSelf function terminates the
    impersonation of a client application.
  • BOOL RevertToSelf(void);

16
Client Impersonation (Delegation)
  • The capability to call other servers while
    impersonating the original client is called
    delegation.
  • A server impersonating a client can call another
    server, and can make network calls with the
    credentials of the client.
  • From the perspective of the second server,
    requests coming from the first server are
    indistinguishable from requests coming from the
    client.

17
Client Impersonation
18
Cloaking (COM)
  • Cloaking is a COM security capability introduced
    with the release of Microsoft Windows 2000.
  • Cloaking determines what identity the client
    projects toward the server during impersonation.
  • When cloaking is set, the intermediate server
    masks its own identity and presents the client's
    identity to the server that it calls on the
    client's behalf.

19
Delegation and Impersonation
  • From a security standpoint, two issues arise
    regarding delegation:
  • What should the server be allowed to do when
    acting on the client's behalf?
  • What identity is presented by the server when it
    calls other servers on behalf of a client?

20
Impersonation / Delegation Advantages/Disadvantages
  • Advantages
  • Auditing. You benefit from operating system
    auditing. This allows administrators to track
    which users have attempted to access specific
    resources.
  • Auditing across tiers. The user's security
    context is maintained across the physical tiers
    of your application, which allows administrators
    to audit across tiers.
  • Granular access controls. You can configure
    granular access in the database. You can restrict
    individual user accounts independently of one
    another in the database.
  • Disadvantages
  • Scalability. The impersonation / delegation model
    does not allow you to make efficient use of
    database connection pooling because database
    access is performed by using connections that are
    tied to the individual security contexts of the
    original callers. This significantly limits the
    application's ability to scale to large numbers
    of users.
  • Increased administration effort. ACLs on back-end
    resources need to be maintained in such a way
    that each user is granted the appropriate level
    of access. When the number of back-end resources
    increases (and the number of users increases), a
    significant administration effort is required to
    manage ACLs.

21
Summary
  • If impersonation is enabled in an ASP.NET
    application, then: if anonymous access is
    enabled in IIS, the request is made using the
    IUSR_machinename account.
  • If anonymous access is disabled in IIS, the
    request is made using the account of the
    authenticated user.
  • In either case, permissions for the account
    are checked in the Windows Access Control List
    (ACL) for the resource(s) that a user requests,
    and a resource is only available if the account
    they are running under is valid for that resource.

22
Summary
  • If impersonation is disabled in an ASP.NET
    application, then: if anonymous access is
    enabled in IIS, the request is made using the
    system-level process account.
  • If anonymous access is disabled in IIS, the
    request is made using the account of the
    authenticated user.
  • In either case, permissions for the account are
    checked in the Windows ACL for the resource(s)
    that a user requests, and a resource is only
    available if the account they are running under
    is valid for that resource.

23
References
  • Books
  • Beginning Visual Web Programming in C#: From
    Novice to Professional
  • Programming .NET Security (O'Reilly)
  • Web
  • MSDN Library
  • Keywords: Impersonation, Delegation,
    Impersonation level, Cloaking