January 17, 2017
Controlling Access by Using Impersonation
Impersonation is a security feature that lets an ASP.NET application execute requests under a predefined Windows identity instead of the identity of the IIS worker process. By default, ASP.NET code runs under the application pool identity (for example ApplicationPoolIdentity or Network Service); when impersonation is enabled, the request thread instead runs as the authenticated Windows user, as the IIS anonymous user (IUSR), or as a fixed account named in web.config. In this scenario, if users need access to a resource that neither the worker process identity nor the anonymous account can reach, impersonation under a fixed account can provide that access.
A common requirement is to let users download documents or images by clicking a link or a button. Impersonation lets the application serve those files under a dedicated account without giving the users themselves, or the worker process identity, any rights on the file server.
Our Proof of Concept
In our Proof of Concept, we will create an ASP.NET web application that uses impersonation to let users download content from a file server outside the web server's domain, on which the users have no accounts of their own.
We will be using:
- Web Server - IIS 7.5
The user clicks a link or button on a portlet in a local browser to download content (a document or an image). The request goes to the web server, which redirects it to a controller web application (the download application). The download application connects to the file server under the impersonated identity, reads the content, and sends it back to the web server, which relays it to the user's browser.
Some notes on this process:
- Create and deploy an ASP.NET download application on the web server; it fetches the files from the file server using the impersonation described below.
- The request arrives from the user's local browser and is forwarded to the download app through the web server.
- The download app reads the file from the file server under the impersonated identity and writes it to a cache on the web server.
- Impersonation here involves creating a local user (e.g. <download_user>) on both the web server and the file server, with the same user name and password on each machine. Because the two machines share no domain, the file server authenticates the incoming connection by matching the name and password against its own local account, so the two passwords must be kept identical. The web server connects to the file server as this user, reads the file, and writes it back to the cache on the web server, from where it can be sent as the response to the user's machine.
- This process is needed when the file server is not openly accessible and users cannot be expected to log in to the file server themselves for every download.
Creating our Download Application
- Enable ASP.NET Impersonation and Windows Authentication for the site in IIS Manager (the Authentication feature).
- Set the application pool's Managed Pipeline Mode to Classic. In Integrated mode, <identity impersonate="true"> in web.config is rejected with HTTP error 500.24 unless validateIntegratedModeConfiguration is turned off, and even then impersonation does not cover the early pipeline stages.
- Create a local user on the web server: under Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users, add a new user such as <download_user> and set its password to never expire (an expired password breaks the download app).
- Create a local user on the file server with the same name and password: under Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users, add a new user such as <download_user> and set its password to never expire.
- On the file server, grant the user Read and Execute permission on the top-level shared folder. Both the share permissions and the NTFS permissions apply, so check both.
- On the web server, grant the user Write permission on the folder the download app uses as its cache.
- Add or update the impersonation user name and password in the web.config file of the deployed .NET application: <identity impersonate="true" userName="<server_name>\downloaduser" password="Abcd_123"/> (use the password you set for the account). The password is stored in clear text, so encrypt the section with aspnet_regiis -pe "system.web/identity" -app "/<application_name>" and restrict read access to web.config to the accounts that need it.
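The handler below is an added example, not code from the original post: an ASP.NET (.NET 4) IHttpHandler that serves a file from the hidden file server under the fixed identity set by <identity impersonate="true" userName="..." password="..."/> in web.config. The UNC share path, the handler type name and the "file" query-string parameter are assumptions for illustration. It also adds the check a download handler needs before using impersonation: the requested name is confined to the share root, so a user cannot use the account's Read rights to fetch other files.

```csharp
// Added example (not from the original post): download handler relying on the
// declarative impersonation configured in web.config. ShareRoot and the "file"
// query parameter are assumed names.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Assumed UNC path of the top-level share on which <download_user> holds
    // Read & Execute. Only this constant, never the request, decides the root.
    public const string ShareRoot = @"\\fileserver\documents\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With declarative impersonation the request thread reports the fixed
        // account here; without it you would see the application pool identity.
        context.Trace.Write("impersonation",
            "request thread runs as " + WindowsIdentity.GetCurrent().Name);

        string fullPath;
        if (!TryResolve(context.Request.QueryString["file"], out fullPath))
        {
            context.Response.StatusCode = 400; // empty, rooted or traversal-style name
            return;
        }
        if (!File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");

        // Open and copy on the request thread so the read happens under the
        // impersonated thread token, not the worker process identity.
        using (FileStream fs = new FileStream(fullPath, FileMode.Open,
                                              FileAccess.Read, FileShare.Read))
        {
            fs.CopyTo(context.Response.OutputStream);
        }
        context.Response.Flush();
    }

    // Map a user-supplied file name onto a path inside ShareRoot. Rejects empty
    // names, path separators (they are invalid file-name characters), "..",
    // rooted paths and anything that canonicalises outside the share.
    public static bool TryResolve(string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (requested.Contains("..") || Path.IsPathRooted(requested)) return false;

        string candidate = Path.GetFullPath(Path.Combine(ShareRoot, requested));
        if (!candidate.StartsWith(ShareRoot, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }
}
```

Because the application pool runs in Classic mode, the handler is registered under system.web, for example <httpHandlers><add verb="GET" path="download.ashx" type="DownloadHandler"/></httpHandlers> (the path is an assumed name). The file is copied from the FileStream on the request thread rather than handed off elsewhere, which keeps the read under the impersonated identity.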
Impersonation is a powerful feature; used with care, it lets an application designer build an application that is both secure and easy to manage. There are, however, some pitfalls that need careful study.
With impersonation you will sometimes see surprising behavior, because two identities are in play: the process token, which belongs to the IIS worker process and carries the application pool identity, and the thread token, which carries the impersonated user. Impersonation does not start a second process. When the download app accesses the file server, the request thread holds a thread token for <download_user>, so everything done on that thread, including any change made on the file server, happens under that account. Anything that does not run on that thread with that token still runs under the process token: for example, a child process started with Process.Start inherits the process token, not the impersonation token (CreateProcess ignores the impersonation token; CreateProcessAsUser is needed to run the child as the impersonated user).
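The following is an added example, not code from the original post, that makes the process-token/thread-token distinction visible with explicit (programmatic) impersonation rather than the web.config setting: a logon token is obtained for the download account, the thread impersonates it only inside a using block, and the identity is reported before, during and after. The account name, the "." local domain, the password and the file path are placeholders.

```csharp
// Added example (not from the original post): explicit impersonation scoped to
// a using block, showing that only the thread token changes. User, domain,
// password and path are placeholders supplied by the caller.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ImpersonationScope
{
    // LOGON32_LOGON_NETWORK_CLEARTEXT keeps the credentials in the token so the
    // impersonating thread can authenticate onward to the file server share.
    // A plain LOGON32_LOGON_NETWORK (3) token cannot make that second hop.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public sealed class Result
    {
        public string ProcessIdentity;   // identity seen before the scope
        public string ThreadIdentity;    // identity seen while impersonating
        public bool StillImpersonating;  // must be false once the scope ends
        public long BytesRead;
    }

    // Reads 'path' as 'domain\user' (use "." for a local account) and records
    // which identity was in effect at each point.
    public static Result ReadAsUser(string user, string domain, string password, string path)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        Result r = new Result();
        try
        {
            r.ProcessIdentity = WindowsIdentity.GetCurrent().Name;

            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                // A thread token is now attached to this thread only. The process
                // token is unchanged, so a child started here with Process.Start
                // would still run as the application pool identity (CreateProcess
                // ignores the impersonation token; CreateProcessAsUser is needed).
                r.ThreadIdentity = WindowsIdentity.GetCurrent().Name;
                // The ACL check on the file server is made as the impersonated user.
                r.BytesRead = File.ReadAllBytes(path).LongLength;
            }   // Dispose() calls Undo(): the thread token is dropped here.

            // GetCurrent(true) returns null when the thread is not impersonating.
            r.StillImpersonating = WindowsIdentity.GetCurrent(true) != null;
            return r;
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

A call such as ImpersonationScope.ReadAsUser("downloaduser", ".", "<password>", @"\\fileserver\documents\report.pdf") (placeholder values) yields ProcessIdentity equal to the application pool account, ThreadIdentity equal to the local download account, and StillImpersonating false. If the read fails with access denied while ThreadIdentity is correct, the problem is on the file server side (share or NTFS permission, or a mismatched password on the mirrored account), not in the impersonation.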