Solved

ASP.NET: Performing WMI Queries (Security)

Posted on 2008-06-25
5
869 Views
Last Modified: 2013-11-07
Hey guys,

I wonder if someone might advise me on what might be the best way of executing WMI queries against remote machines?

I have a few choices it seems. Which do you think would be more sensible?

1. Use a separate Application Pool configured to use an Identity with administrative access for the few pages configured to execute WMI queries.

The advantage of this one is that I can use Integrated Authentication from client to server, removing the need to attempt to secure authentication against the site (Kerberos takes care of it).

The downside is, that something running on the web server has a high level of access. Much higher than preferred. Even if that only applies to a handful of pages.

2. Use ASP.NET Impersonation (use the rights of the current user)

This one would reduce the potential for abuse perhaps.

But it means I have to provide a log on mechanism, ideally forms based, because I don't want to pass passwords in clear text (and no one will be logged on with Domain Administrative access on their client).

Hmmm...

Thanks for any suggestions :)

Chris
0
Comment
Question by:Chris Dent
  • 3
  • 2
5 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 21864999
Option 1 is obviously the easiest, but like you said it has security issues, and depending on your organization may or may not be a problem.

Option 2 takes a bit more setup, but it's pretty straightforward to take the logon, impersonate that user on command, run your WMI query, then undo impersonation.  I like that option much more, you just have to do more work to get the logon, likely over a SSL connection, and only store the username/password temporarily.

Honestly, if you want secure and easy, I suggest using basic authentication over SSL.
0
 
LVL 70

Author Comment

by:Chris Dent
ID: 21865395

Hey,

Thanks for your feedback.

I'd like to do it right from the beginning, way too lazy to rewrite stuff later on :)

I take it I'd just need to switch to impersonation using the VB .NET version of this (http://msdn.microsoft.com/en-us/library/ms998351.aspx)? Then execute the WMI query before swapping back?

WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
}

Never realised you could do such a thing, I thought it was set and fixed for the entire application :)

If that's all it is it'll probably make performing updates into the database easier as I won't have to worry about that identity (the account for that is running as the main application pool identity).

Thanks,

Chris
0
 
LVL 33

Accepted Solution

by:
raterus earned 500 total points
ID: 21865460
Right, you can impersonate the current user or another user (assuming you have username/password) on command and only for the time needed to run the operation.  

That URL you posted for the code, but this one isn't, and I know the code here works because I've used it before.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

0
 
LVL 70

Author Comment

by:Chris Dent
ID: 21865567

Ahh great :)

Thank you, very useful.

/me heads off to get an IList to bind to a GridView

Chris
0
 
LVL 70

Author Closing Comment

by:Chris Dent
ID: 31470484
Thanks :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now