Solved

ASP.NET: Performing WMI Queries (Security)

Posted on 2008-06-25
Last Modified: 2013-11-07
Hey guys,

I wonder if someone might advise me on what might be the best way of executing WMI queries against remote machines?

I have a few choices it seems. Which do you think would be more sensible?

1. Use a separate Application Pool configured to use an Identity with administrative access for the few pages configured to execute WMI queries.

The advantage of this one is that I can use Integrated Authentication from client to server, removing the need to attempt to secure authentication against the site (Kerberos takes care of it).

The downside is that something running on the web server has a high level of access. Much higher than preferred. Even if that only applies to a handful of pages.

2. Use ASP.NET Impersonation (use the rights of the current user)

This one would reduce the potential for abuse perhaps.

But it means I have to provide a log on mechanism, ideally forms based, because I don't want to pass passwords in clear text (and no one will be logged on with Domain Administrative access on their client).

Hmmm...

Thanks for any suggestions :)

Chris
Question by:Chris Dent
5 Comments
 

Expert Comment

by:raterus
ID: 21864999
Option 1 is obviously the easiest, but like you said it has security issues, and depending on your organization may or may not be a problem.

Option 2 takes a bit more setup, but it's pretty straightforward to take the logon, impersonate that user on command, run your WMI query, then undo impersonation. I like that option much more, you just have to do more work to get the logon, likely over an SSL connection, and only store the username/password temporarily.

Honestly, if you want secure and easy, I suggest using basic authentication over SSL.

Author Comment

by:Chris Dent
ID: 21865395

Hey,

Thanks for your feedback.

I'd like to do it right from the beginning, way too lazy to rewrite stuff later on :)

I take it I'd just need to switch to impersonation using the VB .NET version of this (http://msdn.microsoft.com/en-us/library/ms998351.aspx)? Then execute the WMI query before swapping back?

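WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Run the WMI query here, under the caller's identity
}
finally
{
  // Always revert to the application pool identity
  if (ctx != null)
    ctx.Undo();
}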

Never realised you could do such a thing, I thought it was set and fixed for the entire application :)

If that's all it is it'll probably make performing updates into the database easier as I won't have to worry about that identity (the account for that is running as the main application pool identity).

Thanks,

Chris

Accepted Solution

by:
raterus earned 500 total points
ID: 21865460
Right, you can impersonate the current user or another user (assuming you have username/password) on command and only for the time needed to run the operation.  

That URL you posted for the code, but this one isn't, and I know the code here works because I've used it before.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

0
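
The pattern discussed in this thread (impersonate the caller, run the WMI query, undo), written out as an added example that is not part of the original posts or of the linked Microsoft articles. The names RemoteWmi and GetOsCaptions and the Win32_OperatingSystem query are hypothetical; the code assumes Integrated Windows Authentication and a reference to System.Management.dll, and a remote query under the caller's token also requires that Kerberos delegation is permitted for the web server.

```csharp
using System;
using System.Collections.Generic;
using System.Management;              // requires a reference to System.Management.dll
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

public static class RemoteWmi        // hypothetical helper, not from the thread
{
    // Returns the OS caption reported by a remote machine, querying WMI
    // under the identity of the authenticated caller only for the call's duration.
    public static List<string> GetOsCaptions(string host)
    {
        // Accept only plain host names so user input cannot alter the WMI path.
        if (!Regex.IsMatch(host ?? "", @"^[A-Za-z0-9][A-Za-z0-9.\-]{0,253}$"))
            throw new ArgumentException("Invalid host name", "host");

        var winId = HttpContext.Current.User.Identity as WindowsIdentity;
        if (winId == null || !winId.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required");

        var options = new ConnectionOptions
        {
            Impersonation = ImpersonationLevel.Impersonate,
            Authentication = AuthenticationLevel.PacketPrivacy  // sign and encrypt the DCOM traffic
        };
        var results = new List<string>();
        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = winId.Impersonate();   // thread now runs as the caller
            var scope = new ManagementScope(@"\\" + host + @"\root\cimv2", options);
            scope.Connect();
            var query = new ObjectQuery("SELECT Caption FROM Win32_OperatingSystem");
            using (var searcher = new ManagementObjectSearcher(scope, query))
            using (var rows = searcher.Get())
            {
                foreach (ManagementObject row in rows)
                    results.Add((string)row["Caption"]);
            }
        }
        finally
        {
            if (ctx != null) ctx.Undo(); // always revert to the application pool identity
        }
        return results;
    }
}
```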
 

Author Comment

by:Chris Dent
ID: 21865567

Ahh great :)

Thank you, very useful.

/me heads off to get an IList to bind to a GridView

Chris

Author Closing Comment

by:Chris Dent
ID: 31470484
Thanks :)