I have a web application that executes IIS 7 provisions (using Microsoft.Web.Administration.dll) to create our web and ftp sites. When I run this using the administrator account, it works ok.
I want to create a Windows user account for impersonation that will only execute these web provisioning procedures without being identical to a server s administrator roles.
How can I achieve this?
You should split your application into three parts:
Windows Service
This would host a WCF or Remoting application. You want to put the code that requires privileged access to your system in here. For example creating and deleting websites. Run this service under an account that has enough rights to perform operations using Microsoft.Web.Administration.
Trusted Wrapper or Proxy Assembly
This is just a signed wrapper assembly that is installed in the GAC. Its role is to pass on calls from your low trust web application to perform privileged actions in the code running in the service above. Mark the assembly with the AllowPartiallyTrustedCallers attribute (if your server is configured for partial trust) and mark any classes that require access to the remoting service with [PermissionSet(SecurityAction.Assert, Unrestricted=true)].
Front End Application(or Web Service)
This is the interface to your application (whether it be a web application with a GUI or a web service). Run this in its own application pool with just enough rights to execute, for example IUSR or a similar account. Ideally you should also run this under partial trust.
Your web application/service references the Trusted Wrapper assembly in the GAC which in turn has a reference to the remoting or WCF application running in the windows service.
Using this layered approach means that you are locking down by gating access to specific privileged operations which only run in your windows service.
This approach is covered quite well in Appendix C of Dominick Baier s Developing More-Secure Microsoft ASP.NET 2.0 Applications . I thoroughly recommend getting a copy.
I am using Tomcat to host JSP and using IIS 7.0 to host aspx (C# + .Net 3.5 + VSTS 2008), and I have some session transfer issue from JSP page to ASPX page. JSP page is in one domain and all other ...
I m developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting ...
I m trying to use APPCMD to set debug=false in web.config, per the documentation. The specific syntax I am using is: APPCMD SET CONFIG "SITE/VDIR" section:compilation /debug:False /commit:APP ...
I have asp.net site with custom 404.htm. It is configured with customErrors section to handle aspx. <customErrors mode="On" defaultRedirect="404.htm"> <error statusCode="403"...
I have a web application that executes IIS 7 provisions (using Microsoft.Web.Administration.dll) to create our web and ftp sites. When I run this using the administrator account, it works ok. I want ...
The following line of PowerShell works with IIS 6 installed: $service = New-Object System.DirectoryServices.DirectoryEntry("IIS://localhost/W3SVC") However, with IIS 7 it throws the following error ...
My web-site is working under ASP.NET 3.5, IIS7, Integrated pipiline mode. My HttpModule is getting request to all resources, including URLs like this: http://my-site.com/address And I would support *...
I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 to develop an ASP.Net web site. I want to develop an Http module, which could inspect whether incoming request has some specific http header (e.g. ...
