Setting IPGrant on a folder from a WebMethod

DAve

I want to be able to limit access to a folder in IIS by IP address. I
am trying to add IP addresses from a WebMethod to the IPGrant property.
Here's my code:

using System;
using System.DirectoryServices;
using System.Reflection;

DirectoryEntry defaultRoot = new DirectoryEntry(
    "IIS://SERVERNAME/w3svc/1/root/examplefolder", username, password,
    AuthenticationTypes.Secure);
defaultRoot.RefreshCache();
object oIPSecurity = defaultRoot.Invoke("Get", new string[]{"IPSecurity"});
Type t = oIPSecurity.GetType();
// Get the list of granted IPs
Array IPs = (Array)t.InvokeMember("IPGrant", BindingFlags.GetProperty,
    null, oIPSecurity, null);
// Create a new array of IPs with room for one more entry
object[] newIPs = new object[IPs.Length+1];
// Copy the existing IPs to the new array
IPs.CopyTo(newIPs,0);
// Add a new value
newIPs.SetValue("192.168.0.21",IPs.Length);
// Set the new IP list and write it back to the metabase
t.InvokeMember("IPGrant", BindingFlags.SetProperty, null, oIPSecurity,
    new object[]{newIPs});
defaultRoot.Invoke("Put", new object[]{"IPSecurity", oIPSecurity});
defaultRoot.CommitChanges();

When executed, I get this error:

System.UnauthorizedAccessException: Access is denied.
   at System.DirectoryServices.Interop.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()

From the research I've done, I'm concerned that the solution to this
problem is going to be a security threat. Any thoughts or alternative
ideas to accomplish this?

Thanks,

David
 
Joe Kaplan (MVP - ADSI)

The IIS provider for ADSI doesn't use alternate credentials. It only works
based on the security context of the current thread. The credentials you
pass in are simply ignored.

In order to get this to work, you need to make the current security context
have the correct rights to perform the action.

Joe K.

 
David Salonius

To change the current security context - would I accomplish this in my
web.config or machine.config files? Or would I need to use the
impersonate method?

Thanks for your help,

David
 
David Salonius

My web service is running under NT AUTHORITY\NETWORK SERVICE. I've then
given full control under folder security to that user. Under Advanced
Security Settings, I've verified that NETWORK SERVICE has full control
to all permissions. The error still persists. Is this what you're
referring to?

Thanks,

David
 
Joe Kaplan (MVP - ADSI)

My guess is that you need to be an administrator in order to change the IIS
metabase. That is normally required.

Did you consider changing the Application Pool identity to an administrator
account? That should accomplish your goal, at least for testing purposes.

However, you may not wish to solve the problem that way. Running your app
pool as administrator opens you up to some significant security risks. You
may wish to put the IIS ADSI code in a COM+ component and run that under a
separate identity with admin privileges. This would allow your main web
application process to continue running with least privileges (as NETWORK
SERVICE).

Joe K.
 
IPGrunt

Use IIS to manage this for you, by assigning a new application pool
for this site that impersonates administrator (using LocalSystem as
Identity). (I use one called AdmininstrationPool that I keep reserved
for roles where I need this level of access).

Remember, this IS a security hole, so be careful who has access.

-- ipgrunt
 
David Salonius

Setting the user in the Application Pool identity to an administrator
account solved the problem. From what I can tell, as long as my web
methods folder is locked down to where no one can upload code, this
should be safe. Is that a fair assessment?

Thanks,

David
 
Joe Kaplan (MVP - ADSI)

I'd make sure you don't use that app pool for any other websites or
applications on the same server. Always use a different app pool with lower
privileges for other sites. That will help restrict it as well.

Other than that, it is up to you to consider whether you need to go to COM+
or not for additional security. As long as you don't have any other entry
points into this site and you are comfortable with the security you are
providing, then I think it can be secure. Just be careful and spend some
time doing some threat modeling to make sure you don't miss anything.

Joe K.
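
An added example, not code from any poster in this thread, of the COM+ option Joe Kaplan describes: a component that exposes a single operation, validates the address, and writes only to a fixed metabase path, so the web application can keep running as NETWORK SERVICE. The class name `IpGrantManager`, the `NormalizeIPv4` helper and the entry format read back from `IPGrant` are assumptions; the assembly has to be strong-named and registered in a COM+ server application that runs under the administrator identity.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.EnterpriseServices;
using System.Net;
using System.Net.Sockets;
using System.Reflection;
// Hypothetical component: host it in a COM+ server application with the admin identity.
public class IpGrantManager : ServicedComponent
{
    // Fixed target: callers cannot choose which metabase path gets modified.
    private const string MetabasePath = "IIS://SERVERNAME/w3svc/1/root/examplefolder";
    // Accept only a literal dotted-quad IPv4 address and return it unchanged.
    public static string NormalizeIPv4(string input)
    {
        string text = (input ?? "").Trim();
        IPAddress ip;
        // TryParse also accepts short and non-decimal forms; the round-trip check rejects them.
        if (!IPAddress.TryParse(text, out ip)
            || ip.AddressFamily != AddressFamily.InterNetwork || ip.ToString() != text)
            throw new ArgumentException("Expected a dotted-quad IPv4 address.", "input");
        return text;
    }

    // Returns true if the address was added, false if it was already granted.
    public bool GrantIp(string address)
    {
        string ip = NormalizeIPv4(address);
        using (DirectoryEntry folder = new DirectoryEntry(MetabasePath))
        {
            object ipSecurity = folder.Invoke("Get", new object[] { "IPSecurity" });
            Type t = ipSecurity.GetType();
            Array current = (Array)t.InvokeMember("IPGrant", BindingFlags.GetProperty, null, ipSecurity, null);
            List<object> updated = new List<object>();
            foreach (object entry in current)
            {
                // Assumption: entries read back as "address" or "address, mask".
                if (entry.ToString().Split(',')[0].Trim() == ip) return false;
                updated.Add(entry);
            }
            updated.Add(ip);
            t.InvokeMember("IPGrant", BindingFlags.SetProperty, null, ipSecurity,
                new object[] { updated.ToArray() });
            folder.Invoke("Put", new object[] { "IPSecurity", ipSecurity });
            folder.CommitChanges();
            return true;
        }
    }
}
```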
 
