我们正在尝试通过 Web 管理控制台在服务器上运行一组管理任务。控制台以模拟当前登录用户的身份运行,并且只允许本地计算机上的管理员登录。目前它适用于大多数情况,但在 UAC 下运行时我们遇到了问题。
第一个问题是一个拦截器:管理员似乎没有获得“BUILTIN\Administrators”角色,即使他们是本地机器上的管理员。这甚至可以阻止他们进入管理控制台,因为我们使用 web.config
表示法来指定安全性。我怀疑这里唯一的解决方案是要么以 SYSTEM 身份运行 ASP.NET 应用程序,要么允许更多用户并在代码中进行更细粒度的权限检查。还有其他想法吗?有什么方法可以将提升请求注入到内置 ASP.NET 权限检查中吗?
另一个问题是我们想要运行一些需要管理员访问权限的命令。访问该站点的用户是管理员,并且被正确模拟,但是当我们生成进程时,由于缺乏管理员权限而失败。明确的答案是在该命令执行期间提升。有一些解决方案可以让我通过模拟特定的用户名和密码来暂时提升权限,但我不想向已经验证的用户询问他的密码。有什么提升当前用户的技巧吗?
(我可以理解为什么 ASP.NET 团队可能会尝试让这一点变得困难,以便网页无法利用管理员访问网站的无形优势......但肯定必须有某种方法以编程方式声明您的代码需要完整的管理员权限,适当地警告 IIS 管理员其意图?)
对于 Windows 窗体应用程序有一系列答案,例如:
如何仅在需要时提升权限?
和 File.Exists 从网络共享返回 false
但我希望找到一个可以与 ASP.NET 一起使用的...
谢谢
史蒂夫
We're trying to run a set of administrative tasks on the server via a web administration console. The console runs with impersonation as the currently logged-in user, and only administrators on the local machine are allowed to log in. Right now it works for most cases but we're having trouble when running under UAC.
The first issue is a blocker: it seems like admins do not get the "BUILTIN\Administrators" role even if they are an admin on the local box. This can prevent them from even getting into the admin console, since we're using the web.config <allow roles="BUILTIN\Administrators">
notation to specify security. I suspect that the only solutions here are to either run the ASP.NET app as SYSTEM, or to allow more users and do a more granular permissions check in code. Any other ideas? Is there any way to inject an elevation request into the built-in ASP.NET permissions check?
The other problem is that we want to run some commands that require administrator access. The user visiting the site is an administrator, and is correctly impersonated, but when we spawn a process it fails due to lack of administrator privileges. The clear answer is to elevate for the duration of that command. There are solutions that will let me temporarily elevate by impersonating a specific username and password, but I'd prefer not to have to ask the already-validated user for his password. Are there any tricks for elevating the current user?
(I can understand why the ASP.NET team might try to make this hard, so that web pages can't take invisible advantage of an administrator visiting the web site... but surely there must be some way to pro grammatically declare that your code needs full Administrator rights, appropriately warning the IIS admin of its intentions?)
There are a series of answers for Windows Forms apps, such as:
How to elevate privileges only when required?
and File.Exists returning false from a network share
but I'm hoping to find one that will work with ASP.NET...
Thanks
Steve
发布评论
评论(1)
通过在 Active Directory 中启用服务器委派,我们能够从当前访问网站的用户获得“更高”的模拟级别。根据 Microsoft 的说法,
您可以将委派视为一种更强大的模拟形式,因为它可以跨网络进行模拟。
您可能不需要跨网络,但它可以解决您的安全问题。以下是关于设置授权的一些资源,希望对您有所帮助。
We were able to achieve a "higher" impersonation level from the user currently accessing the website by enabling the server for delegation in Active Directory. Per Microsoft,
You can think of delegation as a more powerful form of impersonation, as it enables impersonation across a network.
You may not need to go across the network, but it may resolve your security issues.Here are a few resources on setting up delegation, hopefully this will help you.