Impersonation
Bharat Kadia, CS-795
What is Impersonation?
• Dictionary: to assume the character or appearance of someone.
• ASP.NET: impersonation is the ability of a process to take on the security attributes of another process.
• Reason: to avoid dealing with authentication and authorization issues in the ASP.NET application code.
Microsoft Internet Information Services (IIS) Role
• IIS authenticates the user and either (i) passes an authenticated token (identity and privileges) to the ASP.NET application (IWAM_machinename) or, (ii) if it is unable to authenticate the user, passes an unauthenticated token (IUSR_MACHINENAME).
• IIS relies on the settings in the NTFS directories and files to decide whether the token is allowed to gain access or not.
• Impersonation therefore requires the server file space to be formatted as NTFS.
Implementing Impersonation
• Disabled by default.
• Enable impersonation by putting a configuration file in the application root directory.
• The setting is respected by nested applications in the hierarchy, unless explicitly overridden. The default value for this setting is as follows:
<identity impersonate="false"/>
• A minimal configuration file to enable impersonation:
<!-- Web.config file. -->
<identity impersonate="true"/>
Contd. (Implementation)
• There is also name support for running an application as a configurable identity. For example:
<identity impersonate="true" userName="TestUser" password="testpwdusr"/>
• We can programmatically read the identity of the impersonated user:
String username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Impersonate a user on a thread in ASP.NET
• Namespaces: System.Web.Security, System.Security.Principal, System.Runtime.InteropServices
• Impersonate the IIS authenticated account or user:
<identity impersonate="true" />
• Impersonate a specific user for all the requests of an ASP.NET application:
<identity impersonate="true" userName="accountname" password="password" />
• Impersonate the authenticating user in code.
• Impersonate a specific user in code.
// Runs inside a page event handler (for example Page_Load); the slide shows only this statement.
Response.Write("I am authenticated as: " + WindowsIdentity.GetCurrent().Name);
• By default, the Aspnet_wp.exe process runs under a computer account named ASPNET. However, this account does not have the required privileges to impersonate a specific user.
<identity impersonate="true"/>
<identity impersonate="true" userName="TestUser" password="tempusrpwd"/>
Integrated Windows Authentication
Impersonate the Authenticating User in Code
• Use this when only a particular section of code needs to run as the authenticating user; it requires the authenticating user's identity (User.Identity) to be of type WindowsIdentity.
System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the authenticating user here.
}
finally
{
    impersonationContext.Undo(); // revert even if the code above throws, so the thread never stays impersonated
}
Impersonate a Specific User in Code
Impersonation Levels
typedef enum _SECURITY_IMPERSONATION_LEVEL {
    SecurityAnonymous,
    SecurityIdentification,
    SecurityImpersonation,
    SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL;
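As an added example (not code from the slides), the "Impersonate a Specific User in Code" pattern of slide 13, written for .NET Framework so that the SECURITY_IMPERSONATION_LEVEL from the enum above is explicit: LogonUser obtains a token for the account, DuplicateToken makes a copy at SecurityImpersonation level, and WindowsIdentity.Impersonate puts it on the thread until Undo. The class name, method name, domain and credentials are assumptions constructed for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Hypothetical helper (not from the slides): runs one delegate as a specific Windows account.
public static class SpecificUserImpersonation
{
    const int LOGON32_LOGON_NETWORK = 3;   // no interactive session; suited to a server process
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SecurityImpersonation = 2;   // value from the SECURITY_IMPERSONATION_LEVEL enum above
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existingToken, int level, out IntPtr duplicate);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // The process account must be allowed to log on users (see slide 7 on the ASPNET account).
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        IntPtr logonToken = IntPtr.Zero, impersonationToken = IntPtr.Zero;
        WindowsImpersonationContext context = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out logonToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // Copy the token at SecurityImpersonation level so it can be placed on the thread.
            if (!DuplicateToken(logonToken, SecurityImpersonation, out impersonationToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            context = new WindowsIdentity(impersonationToken).Impersonate();
            return work();   // executes under the specific user's security context
        }
        finally
        {
            if (context != null) context.Undo();   // revert even if work() throws
            if (impersonationToken != IntPtr.Zero) CloseHandle(impersonationToken);
            if (logonToken != IntPtr.Zero) CloseHandle(logonToken);
        }
    }

    public static void Main()
    {
        // Constructed sample values; real credentials belong in protected configuration, not code.
        string name = RunAs("EXAMPLEDOMAIN", "TestUser", "testpwdusr", () => WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Work ran as: " + name);
    }
}
```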
ImpersonateSelf and RevertToSelf
• The ImpersonateSelf function obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.
BOOL ImpersonateSelf( SECURITY_IMPERSONATION_LEVEL ImpersonationLevel );
Requirements
• Client: requires Windows XP, Windows 2000 Professional, or Windows NT Workstation 3.1 and later.
• Server: requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 3.1 and later.
• Header: declared in Winbase.h; include Windows.h.
• Library:
• The RevertToSelf function terminates the impersonation of a client application.
BOOL RevertToSelf(void);
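The ImpersonateSelf / RevertToSelf pair from this slide, as an added example that is not from the slides: it calls ImpersonateSelf at SecurityImpersonation level, reads the level the thread token then reports, and reverts in a finally block. The class and method names are assumptions; it targets .NET Framework on Windows.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the slides): ImpersonateSelf, then RevertToSelf, on the calling thread.
public static class SelfImpersonation
{
    const int SecurityImpersonation = 2;   // SECURITY_IMPERSONATION_LEVEL value from slide 14

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateSelf(int impersonationLevel);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // Returns the level reported for the thread token while ImpersonateSelf is in effect.
    // The managed TokenImpersonationLevel enum is offset by one from the native enum
    // (it starts with None), so native SecurityImpersonation (2) is reported as Impersonation (3).
    public static TokenImpersonationLevel ProbeLevel()
    {
        if (!ImpersonateSelf(SecurityImpersonation))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // GetCurrent() now returns the thread token rather than the process token.
            return WindowsIdentity.GetCurrent().ImpersonationLevel;
        }
        finally
        {
            // Without RevertToSelf the thread keeps impersonating after this method returns.
            if (!RevertToSelf())
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }

    public static void Main()
    {
        // Before and after, GetCurrent() reflects the process (primary) token.
        Console.WriteLine("before: " + WindowsIdentity.GetCurrent().ImpersonationLevel);
        Console.WriteLine("during: " + ProbeLevel());
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().ImpersonationLevel);
    }
}
```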
Client Impersonation (Delegation)
• The capability to call other servers while impersonating the original client is called delegation.
• A server impersonating a client can call another server, and can make network calls with the credentials of the client.
• From the perspective of the second server, requests coming from the first server are indistinguishable from requests coming from the client.
Client Impersonation
Cloaking (COM)
• Cloaking is a COM security capability introduced with the release of Microsoft Windows 2000.
• Cloaking determines what identity the client projects toward the server during impersonation.
• When cloaking is set, the intermediate server masks its own identity and presents the client's identity to the server that it calls on the client's behalf.
Delegation and Impersonation
• From a security standpoint, two issues arise regarding delegation:
• What should the server be allowed to do when acting on the client's behalf?
• What identity is presented by the server when it calls other servers on behalf of a client?
Impersonation / Delegation: Advantages and Disadvantages
Advantages:
• Auditing. You benefit from operating system auditing. This allows administrators to track which users have attempted to access specific resources.
• Auditing across tiers. The user's security context is maintained across the physical tiers of your application, which allows administrators to audit across tiers.
• Granular access controls. You can configure granular access in the database. You can restrict individual user accounts independently of one another in the database.
Disadvantages:
• Scalability. The impersonation / delegation model does not allow you to make efficient use of database connection pooling, because database access is performed by using connections that are tied to the individual security contexts of the original callers. This significantly limits the application's ability to scale to large numbers of users.
• Increased administration effort. ACLs on back-end resources need to be maintained in such a way that each user is granted the appropriate level of access. When the number of back-end resources increases (and the number of users increases), a significant administration effort is required to manage ACLs.
Summary
If impersonation is enabled in an ASP.NET application then:
• If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
• If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
• In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.
Summary
If impersonation is disabled in an ASP.NET application then:
• If anonymous access is enabled in IIS, the request is made using the system-level process account.
• If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
• In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.
References
Books:
• Beginning Visual Web Programming in C#: From Novice to Professional
• Programming .NET Security (O'Reilly)
Web:
• MSDN Library
• Keywords: Impersonation, Delegation, Impersonation level, Cloaking