Remote control of windows service with windows 2003 server

  • Thread starter Thread starter pberna
  • Start date Start date
P

pberna

Dear all,

I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)

Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)

Any idea ?

Thank you
Best Regards
 
Hi pberna:

It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp

As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.

In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
 
Dear Scott,

Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?

1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"

<identity impersonate="true" userName="contoso\Jane" password="pass"/>

be equal to a Windows User name ?

2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?

3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?

Thank you
Paolo
 
Hi pberna:

Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.

Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?
 
Back
Top