NT priveleges from an ASP program


DevX Home    Today's Headlines   Articles Archive   Tip Bank   Forums   

Results 1 to 2 of 2

Thread: NT priveleges from an ASP program

  1. #1
    Matthew Solnit Guest

    NT priveleges from an ASP program

    Hi Dan, how's it going? =)

    I'm working on a project which needs to use Collaboration Data Objects from
    an ASP program. Here is the troublesome code...

    <%
    '...
    Set ExchangeSession = CreateObject("MAPI.Session")
    ExchangeSession.LogOn "", , , , , , "servername" & Chr(10) & "accountname"
    Set TgtCalendar =
    ExchangeSession.GetDefaultFolder(CdoDefaultFolderCalendar)
    %>

    I get a permissions error. Now, I'm sure you're thinking, "This is not my
    area of expertise", but give me a tick. The above code works when I run it
    on the server machine -- either as a VB program or as a VBS file. It only
    fails when I try to run it from a client machine as an ASP page.

    ASP code runs on the server, right? So my question is, what are the NT
    security differences between an ASP program running on the server and an
    "ordinary" program running on the server? If I put this code in an ActiveX
    component, and use this component from my ASP program, will I get the
    desired results? Maybe it needs to run out-of-process to get full
    permissions?

    Thanks for taking the time to answer our various questions. And please say
    hi to the Desaware staff for me =)

    -- Matthew Solnit
    msolnit@yahoo.com

    P.S. Without knowing what it does, I also tried Server.CreateObject() to
    get my session object. Not only did this fail, it messed up the entire web
    server and we had to reboot it!!

    P.P.S. Hope you're enjoying the weather in Campbell. We just had 40 cm of
    snow here in Montreal.


    Share on Google+

  2. #2
    Dan Appleman Guest

    Re: NT priveleges from an ASP program

    I thought it was you! The Email address threw me at first.

    Actually, this one is now a bit closer to my area of expertise - I've been
    doing a lot of security stuff lately. Check
    our our site for our latest product "The Desaware NT Service Toolkit". It's too
    cool for words.

    Anyway, your ASP pages run in the security context specified by IIS - typically
    something like IUSR_YOURMACHINENAME (use IIS manager properties to find the
    account being used). This is the "anonymous" user context assigned to people
    accessing your web site.
    Anything not allowed to that user will fail.
    You can prove this is the problem by making this user an administrator
    temporarily - it should allow things to work.
    Of course, you don't want your anonymous users to run as an administrator!

    Now, here's where things get tricky. Selectively increasing permission for the
    anonymous user to allow them to
    perform the operation can take a while (figuring out which directories and
    permissions they need access to). Give
    them too much permission, and you've opened a nasty window to hackers. Too
    little, and it won't work.

    One solution might actually be found in our new NT Services toolkit. You create
    a service that performs the operation
    you want. The service can run in any account you specify - easy to give it the
    necessary permission to do what you want.
    However, access to the service can be restricted (and opened to the anonymous
    account) - since you control what the service is allowed to do, you maintain
    strong security against hackers without giving the user any additional
    permissions.

    I'm less clear on the possibility of arbitrarily running out of process
    components in different user accounts. Dcomcnfg lets you specify the account in
    which a component will run - but does that apply when the component is launched
    on the local system (as would be the case here), or only when launched remotely
    via DCOM? That I don't know offhand.

    So, when will you be in town again? I gather I missed you on your last visit.
    You have to come see my new place (if I ever finish unpacking:-).

    Dan



    Matthew Solnit wrote:

    > Hi Dan, how's it going? =)
    >
    > I'm working on a project which needs to use Collaboration Data Objects from
    > an ASP program. Here is the troublesome code...
    >
    > <%
    > '...
    > Set ExchangeSession = CreateObject("MAPI.Session")
    > ExchangeSession.LogOn "", , , , , , "servername" & Chr(10) & "accountname"
    > Set TgtCalendar =
    > ExchangeSession.GetDefaultFolder(CdoDefaultFolderCalendar)
    > %>
    >
    > I get a permissions error. Now, I'm sure you're thinking, "This is not my
    > area of expertise", but give me a tick. The above code works when I run it
    > on the server machine -- either as a VB program or as a VBS file. It only
    > fails when I try to run it from a client machine as an ASP page.
    >
    > ASP code runs on the server, right? So my question is, what are the NT
    > security differences between an ASP program running on the server and an
    > "ordinary" program running on the server? If I put this code in an ActiveX
    > component, and use this component from my ASP program, will I get the
    > desired results? Maybe it needs to run out-of-process to get full
    > permissions?
    >
    > Thanks for taking the time to answer our various questions. And please say
    > hi to the Desaware staff for me =)
    >
    > -- Matthew Solnit
    > msolnit@yahoo.com
    >
    > P.S. Without knowing what it does, I also tried Server.CreateObject() to
    > get my session object. Not only did this fail, it messed up the entire web
    > server and we had to reboot it!!
    >
    > P.P.S. Hope you're enjoying the weather in Campbell. We just had 40 cm of
    > snow here in Montreal.


    Share on Google+

Similar Threads

  1. Please help with running executable vb program.
    By Gordon Reichhardt in forum VB Classic
    Replies: 2
    Last Post: 01-08-2002, 11:06 AM
  2. How can I build copy protection into my program
    By W.Pierce in forum VB Classic
    Replies: 1
    Last Post: 12-11-2001, 09:28 AM
  3. How to execute windows program in ASP!
    By Eric Rong in forum authorevents.mitchell
    Replies: 1
    Last Post: 10-18-2000, 03:11 PM
  4. get a result of an ASP !
    By thib in forum ASP.NET
    Replies: 2
    Last Post: 07-22-2000, 04:31 AM
  5. Multi-page ASP Transactions
    By Dave Kraft in forum ASP.NET
    Replies: 4
    Last Post: 06-05-2000, 06:36 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center
 
 
FAQ
Latest Articles
Java
.NET
XML
Database
Enterprise
Questions? Contact us.
C++
Web Development
Wireless
Latest Tips
Open Source


   Development Centers

   -- Android Development Center
   -- Cloud Development Project Center
   -- HTML5 Development Center
   -- Windows Mobile Development Center