Friday, September 16, 2005

Creating New Processes in .Net and ASP.Net

Did you know that Process.Start always uses the security context of the parent ASP.NET process?
 
Need proof?  Write a simple ASP.Net application that launches "whoami.exe" and captures the result.  No matter how you configure your Web.Config file, you will always see the "ASPNET" local machine account.  Yes, you could change Machine.Config; however, that will change the process owner of all spawned processes and of the entire ASP.Net application framework.  Probably not what you want.
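The experiment described above, written out as an added example (not code from the original post). The handler name `WhoAmIHandler` is hypothetical, and the code assumes whoami.exe is on the server's PATH. It prints the request thread's identity next to the child process's identity, so with `<identity impersonate="true"/>` in Web.Config the two lines differ.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Hypothetical handler; expose it as an .ashx endpoint in a test application.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity of the request thread. When impersonation is enabled this
        // is the impersonated caller, because GetCurrent() returns the thread
        // token if one is present and the process token otherwise.
        string threadIdentity = WindowsIdentity.GetCurrent().Name;

        // Identity of a child started with Process.Start. The child receives
        // the worker process token, not the thread's impersonation token.
        string childIdentity = RunWhoAmI();

        context.Response.ContentType = "text/plain";
        context.Response.Write("Thread identity:        " + threadIdentity + "\r\n");
        context.Response.Write("Child process identity: " + childIdentity + "\r\n");
    }

    private static string RunWhoAmI()
    {
        ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
        psi.UseShellExecute = false;        // required to redirect output
        psi.RedirectStandardOutput = true;
        psi.CreateNoWindow = true;

        using (Process p = Process.Start(psi))
        {
            // Read before waiting so a full pipe cannot block the child.
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output.Trim();
        }
    }
}
```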
 
 
 
An alternate implementation of a method called CreateProcessAsUser() can be found in this CreateProcessAsUser blog entry on Ode to Code.
 
 
My research into this topic, for a work-related issue, led me to this Building Secure ASP.NET Applications site.  If any of the above links confuse you -- tokens or impersonation, for example -- this Microsoft Patterns & Practices chapter is very useful.  Not only does it explain a lot of the basic Win32 security concepts required for making effective use of ASP.Net impersonation and the CreateProcessAsUser() method, but you can also learn a fair amount related to general .Net security and secure application design.
