Title: Impersonation
1 Impersonation
2 What is Impersonation?
- Dictionary: to assume the character or appearance of someone.
- ASP.NET / Windows: impersonation is the ability of a thread to execute using the security context (access token) of another account, normally the client that IIS authenticated, instead of the account that owns the worker process.
- Reason: the application code does not have to implement its own authentication and authorization. The request runs as the caller, and Windows checks the caller's account against the ACL of every file, key or database object the code touches.
3 Microsoft Internet Information Services (IIS) Role
- IIS authenticates the user and then either
  (i) passes an authenticated token (identity and privileges) for that user to the ASP.NET worker process (aspnet_wp.exe; note that IWAM_machinename is the account of the IIS out-of-process host, not the identity that gets impersonated), or
  (ii) if it could not authenticate the user (anonymous access), passes the token of the anonymous account, IUSR_MACHINENAME.
- ASP.NET then relies on the ACLs of the NTFS directories and files to decide whether that token is allowed access or not.
- Impersonation therefore requires the server file space to be formatted as NTFS: FAT volumes carry no ACLs, so there is nothing to check the impersonated identity against.
4 Implementing Impersonation
- Disabled by default.
- Enable impersonation by putting a configuration file (Web.config) in the application root directory.
- The setting is inherited by nested applications in the hierarchy unless a Web.config lower in the tree explicitly overrides it. The default is:
  <identity impersonate="false" />
- A minimal configuration file to enable impersonation:
  <!-- Web.config file. -->
  <configuration>
    <system.web>
      <identity impersonate="true" />
    </system.web>
  </configuration>
5 Contd.. (Implementation)
- There is also support for running an application as a configured identity (userName and password attributes). For example:
  <identity impersonate="true" userName="TestUser" password="testpwdusr" />
  The password sits in clear text in Web.config, so the file's ACL must keep it readable only by administrators and the ASP.NET process account; later ASP.NET 1.x releases can instead store the credentials in an encrypted registry key with the aspnet_setreg tool and reference that key from Web.config.
- We can programmatically read the identity of the impersonated user:
  string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
6 Impersonate a user on a thread in ASP.NET
- Namespaces: System.Web.Security, System.Security.Principal, System.Runtime.InteropServices
- Impersonate the IIS-authenticated account or user:
  <identity impersonate="true" />
- Impersonate a specific user for all the requests of an ASP.NET application:
  <identity impersonate="true" userName="accountname" password="password" />
- Impersonate the authenticating user in code
- Impersonate a specific user in code
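As an added example (not a file from the deck), the following is a complete Web.config for the first two options above: it runs every request as the IIS-authenticated user, and shows the fixed-account form in its weak (clear-text password) and hardened (aspnet_setreg registry reference) variants side by side. The account CONTOSO\svc-reports, its password and the registry key path are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Hand the Windows identity that IIS established to ASP.NET. Without this,
         User.Identity is not a WindowsIdentity and there is nothing to impersonate. -->
    <authentication mode="Windows" />

    <!-- Refuse anonymous callers ("?") so every request carries a real account rather
         than IUSR_MACHINENAME. Disable anonymous access in IIS for the same directory. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Option A: each request runs as the IIS-authenticated user. -->
    <identity impersonate="true" />

    <!-- Option B (weak): one fixed account with its password in clear text.
         Anyone who can read Web.config gets the password.
    <identity impersonate="true" userName="CONTOSO\svc-reports" password="P@ssw0rd!" />
    -->

    <!-- Option B (hardened): credentials encrypted into the registry once with
           aspnet_setreg -k:SOFTWARE\MY_SECURE_APP\identity -u:"CONTOSO\svc-reports" -p:"P@ssw0rd!"
         and referenced here by key. The ASP.NET process account needs read access
         to that key; Web.config no longer contains the secret.
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
    -->
  </system.web>
</configuration>
```

Only one identity element may be active in a given Web.config, which is why the two fixed-account forms are shown commented out; swap the active element for the one you need.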
7 Response.Write("I am authenticated as " + WindowsIdentity.GetCurrent().Name);
- By default, the aspnet_wp.exe process runs under a local account named ASPNET. That account is deliberately low-privileged: on Windows 2000 it lacks the "Act as part of the operating system" right (SeTcbPrivilege) that LogonUser needs, so it cannot impersonate a specific user from code. On Windows XP and Windows Server 2003 LogonUser no longer requires that privilege.
8 <identity impersonate="true" />
9 <identity impersonate="true" userName="TestUser" password="tempusrpwd" />
11 Integrated Windows Authentication
12 Impersonate the Authenticating User in Code
- Use this when only a particular section of code has to run as the authenticating user. It requires the authenticating user's identity to be of type WindowsIdentity, which means <authentication mode="Windows" /> with anonymous access disabled in IIS; otherwise the cast below fails.
  System.Security.Principal.WindowsImpersonationContext impersonationContext =
      ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
  try
  {
      // Insert your code that runs under the security context of the authenticating user here.
  }
  finally
  {
      // Always revert, even if the code above throws; otherwise the rest of the
      // request, including its error handling, keeps running as this user.
      impersonationContext.Undo();
  }
13Impersonate a Specific User in Code
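As an added example (not the deck's code) of what this slide covers, the class below impersonates a named Windows account on the current thread using LogonUser and DuplicateToken, runs a delegate as that account, and guarantees the thread reverts and the token handles are closed on every exit path. The domain, account and password passed in are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the deck's code: impersonate a specific Windows account on the
// current thread. Domain, account and password values are placeholders.
public static class SpecificUserImpersonation
{
    // Win32 constants (advapi32). LOGON32_LOGON_NETWORK is cheaper than INTERACTIVE and
    // does not need the "Log on locally" right, but the resulting token carries no
    // credentials for the network; code that must reach other servers as this user
    // should use LOGON32_LOGON_INTERACTIVE (2) instead.
    const int LOGON32_LOGON_NETWORK    = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION   = 2; // SecurityImpersonation in SECURITY_IMPERSONATION_LEVEL

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr hExistingToken, int impersonationLevel,
                                      out IntPtr phDuplicateToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs work() as domain\user and returns its result. The thread is reverted to the
    // process identity and both token handles are closed on every exit path.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        IntPtr primaryToken = IntPtr.Zero;
        IntPtr impersonationToken = IntPtr.Zero;
        try
        {
            // On Windows 2000 the calling process (ASPNET for aspnet_wp.exe) needs
            // SeTcbPrivilege for this call; XP and Server 2003 do not require it.
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out primaryToken))
                throw new Win32Exception(Marshal.GetLastWin32Error(),
                                         "LogonUser failed for " + domain + "\\" + user);

            // LogonUser hands back a primary token; a thread can only impersonate with an
            // impersonation token, so duplicate it at SecurityImpersonation level.
            if (!DuplicateToken(primaryToken, SECURITY_IMPERSONATION, out impersonationToken))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");

            WindowsIdentity target = new WindowsIdentity(impersonationToken);
            WindowsImpersonationContext context = target.Impersonate();
            try
            {
                return work();   // runs with the thread token = domain\user
            }
            finally
            {
                context.Undo();  // the managed equivalent of RevertToSelf for this thread
            }
        }
        finally
        {
            if (impersonationToken != IntPtr.Zero) CloseHandle(impersonationToken);
            if (primaryToken != IntPtr.Zero) CloseHandle(primaryToken);
        }
    }

    // Example use from a page or handler; the names passed in are placeholders.
    public static string WhoAmIAs(string domain, string user, string password)
    {
        string before = WindowsIdentity.GetCurrent().Name;   // e.g. MACHINE\ASPNET
        string during = RunAs(domain, user, password, () => WindowsIdentity.GetCurrent().Name);
        string after  = WindowsIdentity.GetCurrent().Name;   // back to the process account
        return before + " -> " + during + " -> " + after;
    }
}
```

The two-level try/finally is the point: the inner one reverts the thread before the outer one closes the handles, so a failure inside work() can neither leak the token nor leave the thread running as the impersonated account.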
14 Impersonation Levels
- The level of a token limits what a server may do with the client's identity (values 0 to 3):
  typedef enum _SECURITY_IMPERSONATION_LEVEL {
      SecurityAnonymous,      // server cannot identify or impersonate the client
      SecurityIdentification, // server can read the client's identity and privileges but not impersonate
      SecurityImpersonation,  // server can impersonate the client on the local system
      SecurityDelegation      // server can impersonate the client on remote systems as well
  } SECURITY_IMPERSONATION_LEVEL;
15 ImpersonateSelf and RevertToSelf
- The ImpersonateSelf function obtains an access token that impersonates the security context of the calling process and assigns it to the calling thread. It is typically used to give a thread its own copy of the process token, for example to enable or disable a privilege with AdjustTokenPrivileges on that thread alone without touching the process token.
  BOOL ImpersonateSelf(SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
- Requirements
  - Client: Windows XP, Windows 2000 Professional, or Windows NT Workstation 3.1 and later.
  - Server: Windows Server 2003, Windows 2000 Server, or Windows NT Server 3.1 and later.
  - Header: declared in Winbase.h; include Windows.h. Library: Advapi32.lib.
- The RevertToSelf function terminates the impersonation of a client application: the thread token is removed and the thread runs as the process again.
  BOOL RevertToSelf(void);
- Check the return value of every impersonation call and pair it with RevertToSelf on every exit path, including error paths. Code that continues after a failed or un-reverted impersonation silently executes under the wrong identity.
16 Client Impersonation (Delegation)
- The capability to call other servers while impersonating the original client is called delegation.
- A server impersonating a client can call another server and make network calls with the credentials of the client.
- From the perspective of the second server, requests coming from the first server are indistinguishable from requests coming from the client.
- This only works when the first server holds a delegation-level token (SecurityDelegation). Kerberos issues one only if the server's account is trusted for delegation; NTLM tokens are at most impersonation-level, so the second hop arrives as NT AUTHORITY\ANONYMOUS LOGON or fails outright instead of arriving as the client.
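The check a practitioner wants before attempting that second hop, as an added example that is not the deck's code: inspect the impersonated token's level and refuse the remote call unless it is delegation-level, rather than letting the back-end see an anonymous or machine identity. The ASP.NET call site at the end assumes <identity impersonate="true" /> with Windows authentication; the backend query is represented by a placeholder delegate.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example, not the deck's code: fail closed on the "second hop" unless the
// impersonated token can actually be delegated.
public static class SecondHopGuard
{
    // A token can be presented to another server only at SecurityDelegation level.
    // Kerberos grants that level only when the web server's account is trusted for
    // delegation; NTLM, anonymous and LogonUser network-logon tokens never reach it.
    public static bool CanDelegate(WindowsIdentity caller)
    {
        return caller != null
            && caller.IsAuthenticated
            && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Runs remoteCall() as the caller. If the token cannot be delegated the call is
    // refused up front, instead of the remote server seeing ANONYMOUS LOGON (or the
    // web server's own account) and either failing or authorising the wrong principal.
    public static T CallAsCaller<T>(WindowsIdentity caller, Func<T> remoteCall)
    {
        if (!CanDelegate(caller))
            throw new InvalidOperationException(string.Format(
                "Cannot delegate {0}: token level is {1}, authentication type {2}. " +
                "Kerberos with the server account trusted for delegation is required.",
                caller == null ? "<null>" : caller.Name,
                caller == null ? "n/a" : caller.ImpersonationLevel.ToString(),
                caller == null ? "n/a" : caller.AuthenticationType));

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return remoteCall();   // e.g. open a connection with Integrated Security=SSPI
        }                          // Dispose() reverts the thread even if remoteCall throws
    }

    // Typical call site inside a page or handler running with <identity impersonate="true" />.
    // The string returned stands in for the real backend query (placeholder).
    public static string Example(HttpContext http)
    {
        WindowsIdentity caller = http.User.Identity as WindowsIdentity;
        return CallAsCaller(caller,
            () => "would query backend as " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Logging caller.AuthenticationType alongside the level is deliberate: when the guard trips, "NTLM" in that field tells you immediately that the fix is on the Kerberos side (SPN, delegation trust) and not in the code.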
17Client Impersonation
18 Cloaking (COM)
- Cloaking is a COM security capability introduced with Microsoft Windows 2000.
- Cloaking determines what identity the client projects toward the server during impersonation.
- When cloaking is set, the intermediate server masks its own identity and presents the client's identity to the server that it calls on the client's behalf.
- Without cloaking, a COM call made from an impersonating thread goes out under the process identity, not the impersonated client. Cloaking is requested through the capabilities flags of CoInitializeSecurity or CoSetProxyBlanket (EOAC_STATIC_CLOAKING or EOAC_DYNAMIC_CLOAKING).
19 Delegation and Impersonation
- From a security standpoint, two issues arise regarding delegation:
  - What should the server be allowed to do when acting on the client's behalf?
  - What identity is presented by the server when it calls other servers on behalf of a client?
20 Impersonation / Delegation Advantages/Disadvantages
- Advantages
  - Auditing. You benefit from operating system auditing. This allows administrators to track which users have attempted to access specific resources.
  - Auditing across tiers. The user's security context is maintained across the physical tiers of your application, which allows administrators to audit across tiers.
  - Granular access controls. You can configure granular access in the database. You can restrict individual user accounts independently of one another in the database.
- Disadvantages
  - Scalability. The impersonation / delegation model does not allow you to make efficient use of database connection pooling, because database access is performed using connections that are tied to the individual security contexts of the original callers. This significantly limits the application's ability to scale to large numbers of users.
  - Increased administration effort. ACLs on back-end resources need to be maintained so that each user is granted the appropriate level of access. As the number of back-end resources and users grows, a significant administration effort is required to manage the ACLs.
21 Summary
- If impersonation is enabled in an ASP.NET application, then:
  - If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
  - If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
  - In either case, permissions for that account are checked against the Windows Access Control List (ACL) of each resource the user requests, and a resource is only available if the account the request is running under is allowed by that ACL.
22 Summary
- If impersonation is disabled in an ASP.NET application, the request is made using the ASP.NET worker process account (ASPNET by default for aspnet_wp.exe) whether or not anonymous access is enabled in IIS. When IIS has authenticated the user, that identity is still exposed to the application through User.Identity and can drive authorization decisions in code, but Windows access checks on files, registry keys and databases see only the process account.
- In that case the permissions checked in the Windows ACL are those of the process account, so the set of resources the application can reach is the same for every caller.