Solved

ASP.NET: Performing WMI Queries (Security)

Posted on 2008-06-25
Last Modified: 2013-11-07
Hey guys,

I wonder if someone might advise me on what might be the best way of executing WMI queries against remote machines?

I have a few choices it seems. Which do you think would be more sensible?

1. Use a separate Application Pool configured to use an Identity with administrative access for the few pages configured to execute WMI queries.

The advantage of this one is that I can use Integrated Authentication from client to server, removing the need to attempt to secure authentication against the site (Kerberos takes care of it).

The downside is that something running on the web server has a high level of access. Much higher than preferred. Even if that only applies to a handful of pages.

2. Use ASP.NET Impersonation (use the rights of the current user)

This one would reduce the potential for abuse perhaps.

But it means I have to provide a log on mechanism, ideally forms based, because I don't want to pass passwords in clear text (and no one will be logged on with Domain Administrative access on their client).

Hmmm...

Thanks for any suggestions :)

Chris
Question by:Chris Dent
Expert Comment

by:raterus
ID: 21864999
Option 1 is obviously the easiest, but like you said it has security issues, and depending on your organization may or may not be a problem.

Option 2 takes a bit more setup, but it's pretty straightforward to take the logon, impersonate that user on command, run your WMI query, then undo impersonation. I like that option much more; you just have to do more work to get the logon, likely over an SSL connection, and only store the username/password temporarily.

Honestly, if you want secure and easy, I suggest using basic authentication over SSL.
Author Comment

by:Chris Dent
ID: 21865395

Hey,

Thanks for your feedback.

I'd like to do it right from the beginning, way too lazy to rewrite stuff later on :)

I take it I'd just need to switch to impersonation using the VB .NET version of this (http://msdn.microsoft.com/en-us/library/ms998351.aspx)? Then execute the WMI query before swapping back?

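// Requires: using System.Security.Principal; using System.Web;
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Run the WMI query here, under the caller's identity
}
finally
{
  // Swap back to the application pool identity
  if (ctx != null) ctx.Undo();
}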

Never realised you could do such a thing, I thought it was set and fixed for the entire application :)

If that's all it is, it'll probably make performing updates into the database easier as I won't have to worry about that identity (the account for that is running as the main application pool identity).

Thanks,

Chris
Accepted Solution

by:
raterus earned 500 total points
ID: 21865460
Right, you can impersonate the current user or another user (assuming you have username/password) on command and only for the time needed to run the operation.

That URL you posted for the code, but this one isn't, and I know the code here works because I've used it before.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

 
Author Comment

by:Chris Dent
ID: 21865567

Ahh great :)

Thank you, very useful.

/me heads off to get an IList to bind to a GridView

Chris
Author Closing Comment

by:Chris Dent
ID: 31470484
Thanks :)