• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 940
  • Last Modified:

ASP.NET: Performing WMI Queries (Security)

Hey guys,

I wonder if someone might advise me on what might be the best way of executing WMI queries against remote machines?

I have a few choices it seems. Which do you think would be more sensible?

1. Use a separate Application Pool configured to use an Identity with administrative access for the few pages configured to execute WMI queries.

The advantage of this one is that I can use Integrated Authentication from client to server, removing the need to attempt to secure authentication against the site (Kerberos takes care of it).

The downside is, that something running on the web server has a high level of access. Much higher than preferred. Even if that only applies to a handful of pages.

2. Use ASP.NET Impersonation (use the rights of the current user)

This one would reduce the potential for abuse perhaps.

But it means I have to provide a log on mechanism, ideally forms based, because I don't want to pass passwords in clear text (and no one will be logged on with Domain Administrative access on their client).

Hmmm...

Thanks for any suggestions :)

Chris
0
Chris Dent
Asked:
Chris Dent
  • 3
  • 2
1 Solution
 
raterusCommented:
Option 1 is obviously the easiest, but like you said it has security issues, and depending on your organization may or may not be a problem.

Option 2 takes a bit more setup, but it's pretty straightforward to take the logon, impersonate that user on command, run your WMI query, then undo impersonation.  I like that option much more, you just have to do more work to get the logon, likely over a SSL connection, and only store the username/password temporarily.

Honestly, if you want secure and easy, I suggest using basic authentication over SSL.
0
 
Chris DentPowerShell DeveloperAuthor Commented:

Hey,

Thanks for your feedback.

I'd like to do it right from the beginning, way too lazy to rewrite stuff later on :)

I take it I'd just need to switch to impersonation using the VB .NET version of this (http://msdn.microsoft.com/en-us/library/ms998351.aspx)? Then execute the WMI query before swapping back?

WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
}

Never realised you could do such a thing, I thought it was set and fixed for the entire application :)

If that's all it is it'll probably make performing updates into the database easier as I won't have to worry about that identity (the account for that is running as the main application pool identity).

Thanks,

Chris
0
 
raterusCommented:
Right, you can impersonate the current user or another user (assuming you have username/password) on command and only for the time needed to run the operation.  

That URL you posted for the code, but this one isn't, and I know the code here works because I've used it before.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

0
 
Chris DentPowerShell DeveloperAuthor Commented:

Ahh great :)

Thank you, very useful.

/me heads off to get an IList to bind to a GridView

Chris
0
 
Chris DentPowerShell DeveloperAuthor Commented:
Thanks :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now