28.3.19 vjj 1 Impersonation in Windows Domain only server service account -> client account
28.3.19 vjj 2 impersonation webový server - konfigurace podniková aplikace - programování
28.3.19 vjj 3 levels of impersonation Anonymous The client is anonymous to the service. The service can impersonate the client but the impersonation token does not contain any information about the client. Identify The service can get the identity of the client and use this information in its own security mechanism, but it cannot impersonate the client. Impersonate The service can impersonate the client. If the service is on the same computer as the client process, it can access network resources as the client. If the service is on a remote computer, it can impersonate the client only when accessing resources on the service's computer. Delegate The service can impersonate the client not only when it accesses resources on the service's computer but also when it accesses resources on other computers. This level is supported only in Windows 2000 and later versions of the operating system
delegation When a service is trusted for delegation, that service can impersonate a user to use other network services Active Directory Users and Computers Domain Computers server Properties Delegation The computer account can be set to Trusted for delegation to any service or Trusted for delegation to specified services only An administrator must have the Enable computer and user accounts to be trusted for delegation privilege on the computer in order to enable delegation Security Settings Local Policies User Rights Assignment The account that the service is delegating for must not have the Account is sensitive and cannot be delegated option chosen Security Settings Local Policies User Rights Assignment guest or temporary account error: Account cannot be delegated 28.3.19 vjj 4
28.3.19 vjj 5 impersonation administrator Enable computer and user accounts to be trusted for delegation Server Trusted for delegation to any service or Trusted for delegation to specified services only impersonation user Account is sensitive and cannot be delegated Server
Impersonation 28.3.19 vjj 6
28.03.2019 vjj 7 Impersonation vlákno procesu má standardně default Access Token svého procesu může ale získat Access Token určený pro zastupování jiného uživatele
28.03.2019 vjj 8 podmínky a omezení Windows Server 2000,... proces musí mít přiděleno privilegium SE_TCB_NAME jinak GetLastError vrátí ERROR_PRIVILEGE_NOT_HELD toto privilegium musí být aktivováno pro aktivaci příslušného privilegia je nutná Integrity Level HIGH, jinak je Impersonation aktivováno pouze na úroveň Identification XP Vista, Win32 API.NET aplikace musí být spuštěna pod administrátorským účtem "Run as administrator" musí dojít k elevaci procesu lze dynamicky za běhu aplikace jen při spuštění aplikace "Run as..." účet zastupovaného uživatele musí být doménový
28.3.19 vjj 9 TCB Trusted Computing Base Group Policy : (Start Control Panel Administrative Tools Local Security Policy) Windows Security Settings Local Policies User Rights Assignment Act as part of the operating system místo přidělení tohoto privilegia konkrétnímu uživatelskému účtu je prý vhodnější spustit zastupující aplikaci pod účtem SYSTEM, který privilegium TCB standardně má
28.03.2019 vjj 10 podmínky a omezení Windows Server 2000 SP4 (2009),... proces musí mít přiděleno privilegium SeImpersonatePrivilege jinak GetLastError vrátí ERROR_PRIVILEGE_NOT_HELD local Administrators, local Service Services that are started by the Service Control Manager COM servers running under a specific account pro aktivaci privilegia je nutná Integrity Level HIGH, jinak je Impersonation aktivováno pouze na úroveň Identification účet zastupovaného uživatele musí být doménový
28.3.19 vjj 11 Group Policy Start Control Panel Administrative Tools Local Security Policy Windows Security Settings Local Policies User Rights Assignment Impersonate a client after authentication
28.3.19 vjj 12 WindowsIdentity wid; Impersonation... WindowsImpersonationContext wic = wid.impersonate();... wic.undo();
Windows Identity I. IntPtr token = IntPtr.Zero ; int ret = LogonUser (this.usernametextbox.text, this.userdomaintextbox.text, this.passwordtextbox.text, 2, 0, ref token); if (ret == 0) { MessageBox.Show ( System.Runtime.InteropServices.Marshal.... } GetLastWin32Error() ) ; WindowsIdentity wid = new WindowsIdentity (token) ; 28.3.19 vjj 13
LogonUser (P/Invoke: API ->.NET) [DllImport("advapi32.dll", SetLastError=true)] static extern int LogonUser (String UserName, String Domain, String Password, int LogonType, int LogonProvider, ref IntPtr Token) ; 28.3.19 vjj 14
28.3.19 vjj 15 Windows Identity II. (process token) [DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] internal static extern bool OpenProcessToken( IntPtr processhandle, uint desiredaccesss, out IntPtr tokenhandle );
28.3.19 vjj 16 Windows Identity from Process Token služba běžící pod privilegovanějším účtem redukce na účet přilogovaného uživatele
Windows Identity III. WindowsIdentity wid = new WindowsIdentity( "username" ); 28.3.19 vjj 17
28.3.19 vjj 18 Impersonation if( EnablePrivilege(SecurityEntity.SE_TCB_NAME) { using( WindowsImpersonationContext wic = wid.impersonate() ) using( StreamWriter file = new StreamWriter( "Impersonated.txt" )) { file.writeline("check the owner of this file"); file.close(); } } // wic.undo () ; // without use of "using"
28.3.19 vjj 19 EnablePrivilege public static bool EnablePrivilege(SecurityEntity securityentity) { var securityentityvalue = GetSecurityEntityValue(securityEntity); var locallyuniqueidentifier = new W32API.LUID(); W32API.LookupPrivilegeValue(null, securityentityvalue, ref locallyuniqueidentifier); var TOKEN_PRIVILEGES = new W32API.TOKEN_PRIVILEGES(); TOKEN_PRIVILEGES.PrivilegeCount = 1; TOKEN_PRIVILEGES.Attributes = NativeMethods.SE_PRIVILEGE_ENABLED; TOKEN_PRIVILEGES.Luid = locallyuniqueidentifier; } var currentprocess = W32API.GetCurrentProcess(); var tokenhandle = IntPtr.Zero; W32API.OpenProcessToken( currentprocess, W32API.TOKEN_ADJUST_PRIVILEGES W32API.TOKEN_QUERY, out tokenhandle); W32API.AdjustTokenPrivileges( tokenhandle, false, ref TOKEN_PRIVILEGES, 1024, IntPtr.Zero, IntPtr.Zero ); return true;
28.3.19 vjj 20 P/Invoke [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] internal static extern bool LookupPrivilegeValue(string lpsystemname, string lpname, [MarshalAs(UnmanagedType.Struct)] ref LUID lpluid); [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] internal static extern bool AdjustTokenPrivileges(IntPtr tokenhandle, [MarshalAs(UnmanagedType.Bool)] bool disableallprivileges, [MarshalAs(UnmanagedType.Struct)]ref TOKEN_PRIVILEGES newstate, uint bufferlength, IntPtr previousstate, IntPtr returnlength); [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] internal static extern IntPtr GetCurrentProcess(); [DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] internal static extern bool OpenProcessToken(IntPtr processhandle, uint desiredaccesss, out IntPtr tokenhandle);
28.3.19 vjj 28 without TCB activation zastupování bez aktivace privilegia TCB slouží pouze pro identifikaci uživatele
28.3.19 vjj 29 using( WindowsIdentity wid = new WindowsIdentity( "username" ) ) { using(windowsimpersonationcontext wic = wid.impersonate( ) ) { MessageBox.Show("Impersonating: "... // exception: without TCB activation + WindowsIdentity.GetCurrent().Name + "\n\nimpersonation Level: " + newid.impersonationlevel.tostring()); // Either a required impersonation level was not provided // or the provided level is invalid } } // wic.undo ( ) ; // without use of "using"
28.3.19 vjj 30 IIS + ASP.NET sample impersonating applications
28.3.19 vjj 31 Identity server identity (IIS, SQL, ) Administrator Local System (IIS webové stránky) Local Service Network Service (ASP.NET, SQL) custom user identity (local) domain internet (anonymous)
28.03.2019 vjj 32 pro koho jsou určeny...?... IIS / ASP.NET stránky... data zpřístupňovaná těmito stránkami Internet - (podnikové) informace pro veřejnost Internet - individualizované služby pro veřejnost (e-shop, cloud,...) Intranet - vnitropodnikové služby a informace - jen pro vyvolené
28.03.2019 vjj 33 úkol identifikovat autora každé žádosti - autentizace definovat pravidla, podle kterých se rozhoduje, kdo má přístup k té které stránce,... - autorizace IIS ASP.NET autentizace a autorizace autentizace a autorizace
28.03.2019 vjj 34 IIS + ASP.NET IIS.NET Framework HTTP request (ASPX / ASMX) INETINFO.EXE ASPNET_ISAPI.DLL W3WP.EXE ( ASPNET_WP.EXE ) Application domain SQL server
28.03.2019 vjj 35 Klient není přihlášen ve stejné doméně Windows Klient je přihlášen ve stejné doméně Windows IIS Anonymous Windows integrated Impersonation IUSR_machinename user domain account ASP.NET None Form Windows IUSR_machinename web account user domain account Impersonation Default IUSR_machinename mapped account user domain account Network Service
28.03.2019 vjj 36 IIS impersonation IIS - běží pod účtem Local System (NT AUTHORITY\SYSTEM) k souborům/stránkám přistupuje pod účtem IUSR_servername - anonymní přístup (NT AUTHORITY\ANONYMOUS LOGON) domain user nastavení v MMC snap-in \windows\system32\inetsrv\iis.msc
28.03.2019 vjj 37 IIS autentizace Anonymous Authentication ASP.NET Impersonation Forms Authentication Windows Authentication
28.03.2019 vjj 38 authentication <configuration> <system.web> - web.config <authentication mode="none" /> <authentication mode="forms" /> <authentication mode="windows" /> <authentication mode="passport" /> <identity impersonate="false" /> </system.web> </configuration>
None 28.3.19 vjj 39
28.03.2019 vjj 40 Anonymní přístup IIS impersonates the IUSR_servername account before executing any code IIS checks NTFS file and directory permissions (for IUSR_servername account) before returning a page to the client
Form 28.3.19 vjj 41
28.03.2019 vjj 42 <form...> Form - mylogin.aspx 1/2 <asp:textbox ID="UserName" RunAt="server" /> <asp:textbox ID="Password" RunAt="server" /> <asp:checkbox Text="pamatovat si přihlášení" ID="Persistent" RunAt="server" /> <asp:button Text="LogIn" OnClick="OnLogIn" RunAt="server" />
28.03.2019 vjj 43 Form - web.config <configuration> <system.web> <authentication mode="forms"> <forms loginurl="mylogin.aspx" timeout="30"> </forms> </authentication> </system.web> </configuration> <credentials passwordformat="clear"> <user name="bob" password="heslo1" /> <user name="alice" password="heslo2" /> </credentials>
28.03.2019 vjj 44 Form - mylogin.aspx 2/2 <script language="c#" runat="server"> void OnLogIn( Object sender, EventArgs e ) { if( FormsAuthentication.Authenticate ( UserName.Text, Password.Text )) } else FormsAuthentication. RedirectFromLoginPage (UserName.Text, Persistent.Checked); Output.Text = "Invalid login"; </script>
28.3.19 vjj 46 requested page protected void Page_Load(object sender, EventArgs e) { if (User.Identity.IsAuthenticated) { Page.Title = "Home page for " + User.Identity.Name; } else { Page.Title = "Home page for guest user."; } }
Windows integrated 28.3.19 vjj 47
28.03.2019 vjj 48 web.config <configuration> <system.web> <authentication mode = "Windows" /> <identity impersonate = "true" > <authorization> <allow users = "win\vjj, win\admin" /> <allow roles = "admins" /> <deny users = "Alice, Bob" /> <deny users = "*" /> všichni ostatní <deny users = "?" /> neautentizovaní, anonymní </authorization> </system.web> </configuration>
28.03.2019 vjj 49 ASP.NET ASPX / ASMX aplikace.net runtime (ASPNET_WP.EXE Windows XP a 2000, W3WP.EXE Windows 2003) nejdříve ověří, zda účet, který dostal od IIS, má oprávnění požadovanou stránku číst dále pak přistupuje k souborům/stránkám pod účtem ASPNET default pro IIS 5.0 NETWORK SERVICE default pro IIS 6.0,... který dostal od IIS impersonifikace viz nastavení v souboru web.config
28.03.2019 vjj 50 ASP.NET autorizace URL - pravidla ve web.config ACL - (Access Control List) nastavení přístupových práv pro jednotlivé soubory a adresáře
28.03.2019 vjj 51 Windows integrated - web.config <configuration> <location path="prvni.aspx"> <system.web> <authorization> <allow users="bob,alice" /> <deny users="*" /> </authorization> </system.web> </location> <location path="druha.aspx"> <system.web> <authorization> <allow users="mypc\bob" /> <deny users="*" /> </authorization> </system.web> </location> </configuration>