Change process security context
-
I have an ISAPI extension, which I suppose runs in the security account of IUSR_MACHINENAME. To access a database located on another server, I must change the user to an account which has rights in the database. Is this possible? I know it is possible to "create a process as user", but I don't know about changing the user while the process is running. If I'm thinking about this the wrong way, what are the possibilities?
Regards, Don
-
It is not possible to change the security context of a running process. However, you could use impersonation to change the context of your current thread, which is actually what you want to do :-) For this you have to get a proper impersonation token from somewhere. You can get such a token via some IPC mechanisms (like NamedPipes, RPC, DCOM) or by calling LogonUser(). However, I doubt that IUSR_MACHINENAME has the necessary privileges to call LogonUser().
-- Daniel Lohmann http://www.losoft.de
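The LogonUser() route described in the reply above, as an added example that is not code from the thread or from any of its posters: log on the database account, impersonate it on the current thread only, do the work, then revert. The names run_as_user, work_fn and mark_ran and the credentials are assumptions made for illustration; outside Windows the function only reports that the API is unavailable.

```c
/* Added example, not code from the thread. Win32-only; other platforms get a stub. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum run_as_result { RUN_AS_OK, RUN_AS_LOGON_FAILED, RUN_AS_IMPERSONATE_FAILED,
                     RUN_AS_REVERT_FAILED, RUN_AS_UNSUPPORTED };
typedef void (*work_fn)(void *ctx);          /* hypothetical callback type */

/* Run work(ctx) on the calling thread as domain\user, then restore the
 * thread's own context. work() is never called unless impersonation is
 * actually in effect, so a failed logon cannot fall through to IUSR. */
enum run_as_result run_as_user(const char *user, const char *domain,
                               const char *password, work_fn work, void *ctx)
{
#ifdef _WIN32
    HANDLE token = NULL;
    enum run_as_result rc = RUN_AS_OK;
    /* NETWORK_CLEARTEXT keeps the credentials in the logon session, so the
     * impersonating thread can authenticate to another server (the database). */
    if (!LogonUserA(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                    LOGON32_PROVIDER_DEFAULT, &token))
        return RUN_AS_LOGON_FAILED;
    if (!ImpersonateLoggedOnUser(token)) {
        rc = RUN_AS_IMPERSONATE_FAILED;
    } else {
        work(ctx);                           /* runs as the database account */
        /* If reverting fails the thread keeps the other identity: treat as fatal. */
        if (!RevertToSelf())
            rc = RUN_AS_REVERT_FAILED;
    }
    CloseHandle(token);
    return rc;
#else
    (void)user; (void)domain; (void)password; (void)work; (void)ctx;
    return RUN_AS_UNSUPPORTED;               /* LogonUser() exists only on Windows */
#endif
}

/* Constructed stand-in for the real work (opening the database connection). */
static void mark_ran(void *ctx) { *(int *)ctx = 1; }

int main(void)
{
    int ran = 0;
    /* Constructed placeholder credentials; this logon is expected to fail. */
    enum run_as_result rc = run_as_user("db_reader", "EXAMPLE", "not-a-real-password",
                                        mark_ran, &ran);
    printf("result=%d, work ran=%d\n", (int)rc, ran);
    return 0;
}
```

Only the calling thread changes identity; the process token, and every other request handled by the same process, stays as it was.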
-
Thanks Daniel,
You gave me some good ideas with LogonUser(). If IUSR_... does not have enough rights, I'll include it in the Administrators group, and maybe it will work. The other idea, to
Daniel Lohmann wrote: get such a token via some IPC mechanisms
I simply don't understand: from where do I request the token? With whom shall I communicate via IPC? ... And what does this "impersonation" mean?
Thanks again.
-
Don Miguel wrote: You give me some good ideas, with LogonUser(). If IUSR_... has not enough rights, I'll include it in Administrators group, and maybe will work.
Uh, oh - I would think twice about that. It's the sense of the special IUSR_xxx accounts that they are low-privileged and therefore your Inet apps do open a big security hole. I don't have much knowledge about all this IIS stuff, but maybe you could configure it to run your ISAPI in another user context than IUSR_xxx. That would be much better, because no other extensions are affected.
-- Daniel Lohmann http://www.losoft.de