Karim #1
Registry access permission doesn't obey impersonated user
I have an asp.net application that impersonates a user. I did a test for
reading a registry key and noticed that the app can read the key even
though the user does not have access to that key. aspnet user does not have
access either. After denying read access to the key for different
users, I found out that the INTERACTIVE user is the one that determines the
permissions.
How can I deny asp.net apps from reading the registry? Why isn't the app
following the impersonated user's registry permissions?
karim
Karim Guest
-
alexey #2
Re: Registry access permission doesn't obey impersonated user
Karim,
Could you give me a hint how to create such a code to impersonate from
ASPNET and read the Registry? I am working on a similar application right
now and can't make impersonation work.
Thanks
Alexey
alexey@intuitivelabs.com
"Karim" <karim3411@!!yahoo!!.com> wrote in message
news:ee30ngspkbua$.1s2drqd5sknpz.dlg@40tude.net...
> I have an asp.net application that impersonates a user. I did a test for
> reading a registry key and noticed that the app can read the key even
> though the user does not have access to that key. aspnet user does not have
> access either. After denying read access to the key for different
> users, I found out that the INTERACTIVE user is the one that determines the
> permissions.
>
> How can I deny asp.net apps from reading the registry? Why isn't the app
> following the impersonated user's registry permissions?
>
> karim
alexey Guest
-
Hernan Ochoa #3
Re: Registry access permission doesn't obey impersonated user
how are you impersonating? by calling LogonUser?
does your app use windows auth and impersonation?
"Karim" <karim3411@!!yahoo!!.com> wrote in message
news:ee30ngspkbua$.1s2drqd5sknpz.dlg@40tude.net...
> I have an asp.net application that impersonates a user. I did a test for
> reading a registry key and noticed that the app can read the key even
> though the user does not have access to that key. aspnet user does not have
> access either. After denying read access to the key for different
> users, I found out that the INTERACTIVE user is the one that determines the
> permissions.
>
> How can I deny asp.net apps from reading the registry? Why isn't the app
> following the impersonated user's registry permissions?
>
> karim
Hernan Ochoa Guest
-
Karim #4
Re: Registry access permission doesn't obey impersonated user
On Wed, 3 Sep 2003 06:25:19 -0400, alexey wrote:
> Karim,
>
> Could you give me a hint how to create such a code to impersonate from
> ASPNET and read the Registry? I am working on a similar application right
> now and can't make impersonation work.
>
> Thanks
>
> Alexey
>
> alexey@intuitivelabs.com
>
> "Karim" <karim3411@!!yahoo!!.com> wrote in message
> news:ee30ngspkbua$.1s2drqd5sknpz.dlg@40tude.net...
>> I have an asp.net application that impersonates a user. I did a test for
>> reading a registry key and noticed that the app can read the key even
>> though the user does not have access to that key. aspnet user does not have
>> access either. After denying read access to the key for different
>> users, I found out that the INTERACTIVE user is the one that determines the
>> permissions.
>>
>> How can I deny asp.net apps from reading the registry? Why isn't the app
>> following the impersonated user's registry permissions?
>>
>> karim
I am using the <identity impersonate=true username=.. password=.. tag in
web.config. While file access permissions are being followed correctly, the
registry permissions are not making sense to me. Let's say username is
'donald'. When I have deny read permissions for aspnet and donald on that
registry key, my asp.net app can still read the registry key!
The user that actually determines the access is INTERACTIVE. I don't want
any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
read access on the whole registry, I probably will break something on the
system?
karim
Karim Guest
-
Hernan Ochoa #5
Re: Registry access permission doesn't obey impersonated user
> I am using the <identity impersonate=true username=.. password=.. tag in
> web.config. While file access permissions are being followed correctly, the
> registry permissions are not making sense to me. Let's say username is
> 'donald'. When I have deny read permissions for aspnet and donald on that
> registry key, my asp.net app can still read the registry key!
> The user that actually determines the access is INTERACTIVE. I don't want
> any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
> read access on the whole registry, I probably will break something on the
> system?
>
> karim
if you're using the <identity> tag in your web.config file, then your app is
running under the context of the user you've specified in the <identity> tag,
and not under the aspnet account. Maybe that's your problem.
bye!
Hernan
Hernan Ochoa Guest
-
Karim #6
Re: Registry access permission doesn't obey impersonated user
On Thu, 4 Sep 2003 00:09:33 -0300, Hernan Ochoa wrote:
>> I am using the <identity impersonate=true username=.. password=.. tag in
>> web.config. While file access permissions are being followed correctly, the
>> registry permissions are not making sense to me. Let's say username is
>> 'donald'. When I have deny read permissions for aspnet and donald on that
>> registry key, my asp.net app can still read the registry key!
>> The user that actually determines the access is INTERACTIVE. I don't want
>> any asp.net to be able to read *any* registry key. If I deny INTERACTIVE
>> read access on the whole registry, I probably will break something on the
>> system?
>>
>> karim
> if you're using the <identity> tag in your web.config file, then your app is
> running under the context of the user you've specified in the <identity> tag,
> and not under the aspnet account. Maybe that's your problem.
Like I said, I denied the user in the identity (donald in this case) read
access to the registry key. I added aspnet user to the deny just in case
the asp.net uses the 'aspnet' user. The asp.net app was still able to read
the registry key.
Karim
Karim Guest
-
Hernan Ochoa #7
Re: Registry access permission doesn't obey impersonated user
Hi,
so, I tested accessing the registry from an asp.net app and everything works
fine, this is what I did:
-I created a webapp called testwebapp
-added a button and a label
-the handler for the button is:
LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
-I created the registry key and value
-I load the webapp, click the button, and the content is shown, as expected.
-now, I use regedt32, I change the permissions on the key so ASPNET is
DENIED read and full control to the key
-now, I click on the button, and as expected, the following is shown:
Server Error in '/testwebapp' Application.
--------------------------------------------------------------------------------
Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.
Exception Details: System.Security.SecurityException: Requested registry
access is not allowed.
Source Error:
Line 50: private void Button1_Click(object sender, System.EventArgs e)
Line 51: {
Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
Line 53:
Line 54: }
Source File: webform1.aspx.cs Line: 52
Stack Trace:
[SecurityException: Requested registry access is not allowed.]
   Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
   Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
   testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
   System.Web.UI.Page.ProcessRequestMain() +2075
   System.Web.UI.Page.ProcessRequest() +218
   System.Web.UI.Page.ProcessRequest(HttpContext context) +18
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
--------------------------------------------------------------------------------
I don't know, maybe you can post the exact code you're using so we can try
to see if that has something to do with the
problem you're experiencing.
bye!
Hernan Ochoa Guest
-
Karim #8
Re: Registry access permission doesn't obey impersonated user
On Thu, 4 Sep 2003 17:48:58 -0300, Hernan Ochoa wrote:
> Hi,
>
> so, I tested accessing the registry from an asp.net app and everything works
> fine, this is what I did:
>
> -I created a webapp called testwebapp
> -added a button and a label
> -the handler for the button is:
>
> LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
>
> -I created the registry key and value
>
> -I load the webapp, click the button, and the content is shown, as expected.
>
> -now, I use regedt32, I change the permissions on the key so ASPNET is
> DENIED read and full control to the key
>
> -now, I click on the button, and as expected, the following is shown:
>
> Server Error in '/testwebapp' Application.
> --------------------------------------------------------------------------------
>
> Security Exception
> Description: The application attempted to perform an operation not allowed
> by the security policy. To grant this application the required permission
> please contact your system administrator or change the application's trust
> level in the configuration file.
>
> Exception Details: System.Security.SecurityException: Requested registry
> access is not allowed.
>
> Source Error:
>
> Line 50: private void Button1_Click(object sender, System.EventArgs e)
> Line 51: {
> Line 52: LabelTest.Text = Registry.LocalMachine.OpenSubKey("SOFTWARE\\mykey").GetValue("myvalue").ToString();
> Line 53:
> Line 54: }
>
> Source File: webform1.aspx.cs Line: 52
>
> Stack Trace:
>
> [SecurityException: Requested registry access is not allowed.]
>    Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +440
>    Microsoft.Win32.RegistryKey.OpenSubKey(String name) +27
>    testwebapp.WebForm1.Button1_Click(Object sender, EventArgs e) in webform1.aspx.cs:52
>    System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
>    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +58
>    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
>    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
>    System.Web.UI.Page.ProcessRequestMain() +2075
>    System.Web.UI.Page.ProcessRequest() +218
>    System.Web.UI.Page.ProcessRequest(HttpContext context) +18
>    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
>    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
>
> --------------------------------------------------------------------------------
>
> I don't know, maybe you can post the exact code you're using so we can try
> to see if that has something to do with the
> problem you're experiencing.
>
> bye!
One thing I want to mention is that you didn't impersonate anyone.
I did a test on a different machine (2000 pro) and used your sample. I
found out it's the SYSTEM user that controls the access. aspnet user didn't
have any effect whether I denied read or not, the app read the key fine.
What do you have as a user in the processModel section in your
machine.config? Mine is System and Autogenerate for password.
Karim
Karim Guest
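
The thread turns on which account the registry access check is actually made against. As an added diagnostic (not code posted by anyone in the thread), this C# helper reports the identity the request thread presents and marks which ACEs on the key name a SID carried by that identity. The class and method names are hypothetical, and it assumes .NET Framework 3.5 or later on Windows.

```csharp
// Added example, not code from the thread. Class and method names are
// hypothetical; assumes .NET Framework 3.5+ on Windows.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

public static class RegistryAccessDiagnostics
{
    // subKeyPath is relative to HKEY_LOCAL_MACHINE, e.g. "SOFTWARE\\mykey".
    public static string Describe(string subKeyPath)
    {
        StringBuilder report = new StringBuilder();
        // Thread token if impersonation is in effect, else the worker process token.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Effective identity: " + id.Name + " (" + id.User + ")");
            report.AppendLine("Impersonation level: " + id.ImpersonationLevel);

            // User and group SIDs .NET reports for this identity; an ACE bears on
            // the access check only when its trustee is a SID in the token.
            HashSet<SecurityIdentifier> tokenSids = new HashSet<SecurityIdentifier>();
            tokenSids.Add(id.User);
            foreach (IdentityReference g in id.Groups)
                tokenSids.Add((SecurityIdentifier)g);
            try
            {
                using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKeyPath))
                {
                    if (key == null) return report.AppendLine("Key not found.").ToString();
                    RegistrySecurity acl = key.GetAccessControl(AccessControlSections.Access);
                    foreach (RegistryAccessRule ace in
                             acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                    {
                        bool applies = tokenSids.Contains((SecurityIdentifier)ace.IdentityReference);
                        report.AppendLine((applies ? "[matches identity] " : "[other trustee] ")
                            + ace.AccessControlType + " " + ace.IdentityReference
                            + " " + ace.RegistryRights);
                    }
                }
            }
            catch (SecurityException ex) { report.AppendLine("Open denied: " + ex.Message); }
            catch (UnauthorizedAccessException ex) { report.AppendLine("ACL read denied: " + ex.Message); }
        }
        return report.ToString();
    }
}
```

Call it from the same handler that performs the registry read, so it runs under the same token. In the output, S-1-5-18 is SYSTEM and S-1-5-4 is INTERACTIVE, and an impersonation level of None means the worker process token is being used.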


