Windows Forms security - Impersonation / Service / Something else?

Justin - 25 Jun 2004 17:19 GMT
Hi,

I have inherited a Windows Forms app, which automates software updates. It
is reasonably close, in pattern, to the Updater Application block from
Microsoft.

The app needs to register / un-register COM components on the client
machine, as part of the software update process. The logged on user will not
be an administrator on the local machine. What would be the best way of
implementing some form of 'run as...' or Windows identity impersonation for
either the whole app or the COM registration functionality?

I have looked at using a service, but the existing app architecture does not
lend itself to this. Either as moving the higher security requirement
functions out to the service, or using the service to launch the app.

Any guidance gratefully appreciated.

Thanks

Justin

Joe Kaplan (MVP - ADSI) - 25 Jun 2004 19:38 GMT
You can p/invoke the LogonUser API to create a more privileged token and
impersonate that.  You'll need to figure out how to securely store or
transport the privileged credentials, but doing that should work.

However, if your clients aren't all on WinXP (or 2K3 server), then calling
LogonUser will give you trouble since Win2K requires you to be SYSTEM (or
have the "act as part of operating system" privilege, which essentially
makes you SYSTEM) to call LogonUser.

The other problem is that if you are going to use the Process class to call
out to regsvr32, that doesn't inherit impersonation tokens and will use the
process token instead.  Therefore, you may need to p/invoke
CreateProcessAsUser instead.  Same Win2K restrictions apply as with
LogonUser.

HTH,

Joe K.
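
The point in the reply about the Process class and impersonation tokens, as an added example that is not code from the thread: a .NET Framework console program that logs on a second account with LogonUser, impersonates it, and prints the thread identity beside the account reported by a child started through Process. It assumes whoami.exe is on the PATH and takes the domain and user name as arguments; the class name and the console password prompt are hypothetical and are not a credential storage scheme.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonationCheck   // hypothetical name, not from the thread
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Start whoami.exe through the Process class and return the account it reports.
    static string ChildAccount()
    {
        ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
        psi.UseShellExecute = false;          // required for output redirection
        psi.RedirectStandardOutput = true;
        using (Process child = Process.Start(psi))
        {
            string name = child.StandardOutput.ReadToEnd().Trim();
            child.WaitForExit();
            return name;
        }
    }

    // Usage (assumed): ImpersonationCheck.exe <domain> <user>
    static void Main(string[] args)
    {
        Console.Write("Password for {0}\\{1}: ", args[0], args[1]);
        string password = Console.ReadLine(); // demo only: input is echoed
        IntPtr token;
        // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT
        if (!LogonUser(args[1], args[0], password, 2, 0, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token))   // reverted on Dispose
            {
                // Identity carried by the current thread while impersonating.
                Console.WriteLine("Thread identity: " + WindowsIdentity.GetCurrent().Name);
                // Identity of a child created by Process.Start on this same thread.
                Console.WriteLine("Child identity:  " + ChildAccount());
            }
        }
        finally { CloseHandle(token); }
    }
}
```

If the two printed accounts differ, a regsvr32 call made the same way would run under the process account rather than the impersonated one.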

