
  • Status: Solved

Starting a "cmd.exe" process from ASP.NET permissions problem

I have to start a "cmd.exe" process from ASP.NET application running on the Windows 2003 server, and I have to use the Windows authentication only.

I use the following code:

ProcessStartInfo psi = new ProcessStartInfo("cmd.exe");
psi.UseShellExecute = false;
psi.RedirectStandardInput = true;
psi.RedirectStandardError = true;
psi.RedirectStandardOutput = true;

// Start the process
Process proc = Process.Start(psi);

This code works fine if (and only IF) a user that is accessing the application has Administrators rights on the server.
I have these rights, so it worked fine for me.  But the application should be used by a limited number of other users.

In the web.config file for the application these users are listed in the <authorization> section:
 <allow users="username1,username2,username3,username4" />

In the <authentication> section the mode is set to "Windows", and <identity impersonate="true" /> is set.

However, if such a user tries to run the application, it throws the Win32Exception "Access is denied" at the "Process.Start(psi);" line.   Somehow the application's catch block can't catch this exception (although it catches other exceptions;  I use several catch blocks here: catch (Win32Exception exc) { }, then catch (Exception exc) { }, then empty catch { } ), and the exception is displayed as unhandled.  This is the second problem: why the code does not catch the Process.Start exception.

And the first problem is to allow a limited group of domain users to run the application.
I tried to solve the problem by creating a Power Users group that has these users included.  I gave this group full rights to all directories that I think are somehow related to the job:  current application directory, Windows and System32 directories, Program Files directory - it did not help.  I even added the ASPNET account to this Power Users group - it did not help.

The program works OK on the Windows XP server, but I need it to run on 2003.

What else can I do???

Thank you in advance for your help.
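A diagnostic wrapper for the failing call described above, as an added example that is not part of the original post. With `<identity impersonate="true" />` the request thread runs as the authenticated caller while the worker process keeps its own account, so the helper records both identities and the native Win32 error code when `Process.Start` fails. The class and method names are hypothetical, and .NET Framework with full trust is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

// Hypothetical helper: names are assumptions, not taken from the thread.
public class ProcessStartDiagnostics
{
    private const int ERROR_ACCESS_DENIED = 5; // Win32 error code

    // Account of the worker process itself. Impersonate(IntPtr.Zero) reverts
    // the thread to the process token (RevertToSelf); Undo() restores the caller.
    public static string GetProcessIdentityName()
    {
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            return WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            ctx.Undo();
        }
    }

    // Returns null on success, or a one-line diagnostic suitable for a log.
    public static string TryStart(string fileName, out Process proc)
    {
        proc = null;
        // While impersonating, GetCurrent() reports the impersonated caller.
        string threadUser = WindowsIdentity.GetCurrent().Name;
        string processUser = GetProcessIdentityName();

        ProcessStartInfo psi = new ProcessStartInfo(fileName);
        psi.UseShellExecute = false;
        psi.RedirectStandardInput = true;
        psi.RedirectStandardError = true;
        psi.RedirectStandardOutput = true;
        try
        {
            proc = Process.Start(psi);
            return null;
        }
        catch (Win32Exception ex)
        {
            string tag = ex.NativeErrorCode == ERROR_ACCESS_DENIED
                ? " (ERROR_ACCESS_DENIED)" : "";
            return String.Format(
                "Process.Start(\"{0}\") failed: Win32 error {1}{2}: {3}; " +
                "thread identity={4}; process identity={5}",
                fileName, ex.NativeErrorCode, tag, ex.Message,
                threadUser, processUser);
        }
    }
}
```

Writing the returned string to the application log for one administrator request and one limited-user request gives a side-by-side record of which identities were in effect for each attempt.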
1 Solution
Hi pavelmed,

Have you removed the anonymous access of the virtual directory/web site?
This can be done via IIS console -> Properties on the virtual directory/web site -> Directory Security -> Edit button within Authentication and access control -> uncheck the check box for enabling anonymous access.

pavelmed (Author) Commented:
Hi mmarinov,

Yes, the anonymous access is removed.  Only Integrated Windows Authentication is checked.
Also please note that although this 2003 server has IIS 6.0, it runs in the 5.x isolation mode, so the application pooling is not enabled.
And I can't change the setting because it may interfere with other applications.

My point is: if it runs OK when the user who requests the site has administrators rights to the server, how can I substitute these rights by a custom Power Users group that may have full rights to any directory?  As I wrote, I tried this approach and assigned the Power Users rights to the current application directory, Windows and System32 directories, and Program Files directory, and it did not help.

Almost all code in the application is commented out, only the Process starting code from above is left.

Thank you.
pavelmed (Author) Commented:
Because of thorough security restrictions I have decided to abandon the idea of using the cmd.exe process and running batch file statements in order to create and use network drive maps.

Instead, I will be using the ideas from the following article: http://dotnetjunkies.com/WebLog/bsblog/archive/2004/09/24/26730.aspx

It works well.

I am asking this question to be closed.

Thank you
Question author has answered his own problem, this question will now go into PAQ, with points refunded.

Thank you,

Wes Lennon
Experts Exchange
