Solved

ASP.NET: Performing WMI Queries (Security)

Posted on 2008-06-25
Last Modified: 2013-11-07
Hey guys,

I wonder if someone might advise me on what might be the best way of executing WMI queries against remote machines?

I have a few choices it seems. Which do you think would be more sensible?

1. Use a separate Application Pool configured to use an Identity with administrative access for the few pages configured to execute WMI queries.

The advantage of this one is that I can use Integrated Authentication from client to server, removing the need to attempt to secure authentication against the site (Kerberos takes care of it).

The downside is that something running on the web server has a high level of access. Much higher than preferred. Even if that only applies to a handful of pages.

2. Use ASP.NET Impersonation (use the rights of the current user)

This one would reduce the potential for abuse perhaps.

But it means I have to provide a log on mechanism, ideally forms based, because I don't want to pass passwords in clear text (and no one will be logged on with Domain Administrative access on their client).

Hmmm...

Thanks for any suggestions :)

Chris
Question by:Chris Dent
Expert Comment

by:raterus
ID: 21864999
Option 1 is obviously the easiest, but like you said it has security issues, and depending on your organization may or may not be a problem.

Option 2 takes a bit more setup, but it's pretty straightforward to take the logon, impersonate that user on command, run your WMI query, then undo impersonation. I like that option much more; you just have to do more work to get the logon, likely over an SSL connection, and only store the username/password temporarily.

Honestly, if you want secure and easy, I suggest using basic authentication over SSL.
Author Comment

by:Chris Dent
ID: 21865395

Hey,

Thanks for your feedback.

I'd like to do it right from the beginning, way too lazy to rewrite stuff later on :)

I take it I'd just need to switch to impersonation using the VB .NET version of this (http://msdn.microsoft.com/en-us/library/ms998351.aspx)? Then execute the WMI query before swapping back?

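WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Run the WMI query here, while impersonating
}
finally
{
  // Always revert to the application pool identity
  if (ctx != null)
    ctx.Undo();
}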

Never realised you could do such a thing, I thought it was set and fixed for the entire application :)

If that's all it is it'll probably make performing updates into the database easier as I won't have to worry about that identity (the account for that is running as the main application pool identity).

Thanks,

Chris
Accepted Solution

by:
raterus earned 500 total points
ID: 21865460
Right, you can impersonate the current user or another user (assuming you have username/password) on command and only for the time needed to run the operation.  

That URL you posted for the code, but this one isn't, and I know the code here works because I've used it before.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

0
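The pattern settled on in this thread (impersonate only around the WMI call, then revert), as an added C# example that is not code from either poster or from the linked Microsoft articles. The class and method names, the host-name pattern and the Win32_OperatingSystem query are assumptions for illustration; it expects a Windows-authenticated request and a reference to System.Management.

```csharp
using System;
using System.Collections.Generic;
using System.Management;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

public static class CallerWmi
{
    // Hypothetical allow-list pattern: plain NetBIOS/DNS host names only.
    private static readonly Regex HostName =
        new Regex(@"^[A-Za-z0-9]([A-Za-z0-9\-\.]{0,253}[A-Za-z0-9])?$");

    // Returns the OS caption(s) reported by the target machine, queried as the caller.
    public static IList<string> GetOsCaptions(string machine)
    {
        if (machine == null || !HostName.IsMatch(machine))
            throw new ArgumentException("Invalid machine name", "machine");

        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new UnauthorizedAccessException("Windows-authenticated caller required");

        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy; // sign and encrypt DCOM traffic

        List<string> captions = new List<string>();
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            // Everything in this block runs with the caller's rights, not the app pool's.
            ManagementScope scope = new ManagementScope(@"\\" + machine + @"\root\cimv2", options);
            scope.Connect();
            ObjectQuery query = new ObjectQuery("SELECT Caption FROM Win32_OperatingSystem"); // fixed WQL
            using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
            using (ManagementObjectCollection results = searcher.Get())
            {
                foreach (ManagementBaseObject item in results)
                    captions.Add(Convert.ToString(item["Caption"]));
            }
        }
        finally
        {
            ctx.Undo(); // revert to the application pool identity even if the query throws
        }
        return captions;
    }
}
```

With Integrated Authentication the caller's token can reach a remote machine only if Kerberos delegation is configured for the web server; without it the remote WMI connection is refused even though impersonation itself succeeds.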

Author Comment

by:Chris Dent
ID: 21865567

Ahh great :)

Thank you, very useful.

/me heads off to get an IList to bind to a GridView

Chris
Author Closing Comment

by:Chris Dent
ID: 31470484
Thanks :)