I have an internal only Helpdesk program that has admin access to servers on the private network to pull logs, reboot hung servers, and perform other various admin tasks..
Rather than giving admin access to a significant number level 1 helpdesk users across hundreds of servers, my program runs under a single admin account, which access to this program is protected under a AD group, and launched only on a single Windows server via Citrix published app. So access to run the app is protected, but the password for the account with server access is hardcoded in the code using securestring.
I am not an expert level programmer. Just an advanced sysadmin with enough knowledge to do more things to accomplish my needs.
I know securestring is not recommended anymore, but i dont have the advanced knowledge to implement another password encryption solution without some help.
This is the code being used in my C# WPF app..
secureString pass = new NetworkCredential("", "hardcodedpassword").SecurePassword;
strCmdText = "command to be run here"
Process process = new Process();
process.StartInfo.FileName = "cmd.exe";
process.StartInfo.Arguments = strCmdText;
process.StartInfo.UserName = "Helpdesk1";
process.StartInfo.Password = pass;
process.StartInfo.Domain = "Domain1";
process.StartInfo.ErrorDialog = true;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardError = false;
process.StartInfo.RedirectStandardOutput = false;
process.StartInfo.CreateNoWindow = true;
process.Start();
process.WaitForExit();
pass.Dispose();
I also have some users who are not very technical, but need to perform some limited tasks, like logging off stuck users from servers where you need admin access. That is why i do not want to assign Admin to these individual AD accounts. Having them access a single tool with the required access running on a single windows server solves that problem compared to giving all these users direct server admin access. So bottom line is I just want to be able to at least hide password in the code at least at the minimum, fully understanding its not the best approach. Thank you for the help!
Related
I'm writing a simple Windows form that runs some commands through cmd.exe in C#. The first code works correctly because I used the process.StartInfo.Verb = "runas" statement.
During execution I agreed to running as administrator without any password.
Now I'm modifying the code because, sometimes, the commands return a choice (like [y/n]) so I want to examine the output and, eventually, send a choice.
To do this, I need to redirect in/out flow (StandardInput/StandardOutput) and set process.StartInfo.UseShellExecute = false. This results in Windows not asking me to open as administrator. To solve this, I used the following:
process.StartInfo.Domain = "DESKTOP-2K....";
process.StartInfo.UserName = "Marco";
SecureString password = new SecureString();
process.StartInfo.Password = password;
I get information with command -> wmic useraccount list full.
Unfortunately, this doesn't work.
The curious things is that, with wmic command, I not read that "Marco" is administrator account but I read that "Administrator" is an administrator account. Therefore, Marco doesn't require a password instead Administrator requires a password.
Other curious thing is that Marco is an administrator account if I go to -> Control Panel -> Accounts -> User Accounts
Please help me.
regards
i searched for this some hours today but i only find solutions that wont work.
Maybe it is impossible but let's give it a try:
I'm in a company and I will write some code so that a user can run the software whenever he need it. The software needs administrator-permissions. For example I've wrote some code to start the cmd as admin and create a folder at c:/Windows (you'll need admin-permission for that). The credentials for the admin account are right (we use Microsoft AD) but I only get "Access denied" in the cmd.
Does anyone know whether it is possible to get admin permission with hard coded credentials?
Note: Don't talk about security risks, the cmd is not the target software but it should demonstrate the problem.
My code:
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = #"/Kmkdir C:\Windows\_Test";
p.StartInfo.UserName = "admin";
System.Security.SecureString sPW = new System.Security.SecureString();
sPW.AppendChar('a');
sPW.AppendChar('b');
sPW.AppendChar('c');
p.StartInfo.Password = sPW;
p.StartInfo.UseShellExecute = false;
p.Start();
You are still getting an error because all admin accounts in newer windows versions (since Vista) technically are standard user accounts. The way administrative tasks are performed is through the User Account Control (UAC). It allows you to elevate permissions as administrator to perform administrative tasks. So yes, you are executing the process using an administrator account, but you did not elevate the process. To do so, add this parameter:
p.StartInfo.Verb = "runas";
p.StartInfo.UseShellExecute = true;
You can remove all other parameters regarding authentication, since all the authentication is handled by UAC. If for some reason you wish not to use UAC, then you probably will have to disable it, which is not recommended in most cases.
I'm trying to print a PDF manually through Process.Start, but it isn't working in IIS. I copied the same code in a windows form application and that worked. I already tried giving the rights to 'Network Service' user (my application pool has Network Service permission). I've also followed the steps here:
IIS7 does not start my Exe file by Process Start
string file = #"C:\test.pdf";
string printer = "TestPrinter";
string processFilename = Microsoft.Win32.Registry.LocalMachine
.OpenSubKey("Software")
.OpenSubKey("Microsoft")
.OpenSubKey("Windows")
.OpenSubKey("CurrentVersion")
.OpenSubKey("App Paths")
.OpenSubKey("AcroRd32.exe")
.GetValue(String.Empty).ToString();
var info = new ProcessStartInfo();
info.FileName = processFilename;
info.Arguments = string.Format("/h /t \"{0}\" \"{1}\"", file, printer);
info.CreateNoWindow = true;
info.WindowStyle = ProcessWindowStyle.Hidden;
info.UseShellExecute = false;
Process p = Process.Start(info);
p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
int counter = 0;
while (!p.HasExited)
{
System.Threading.Thread.Sleep(1000);
counter += 1;
if (counter == 5) break;
}
if (!p.HasExited)
{
p.CloseMainWindow();
p.Kill();
}
Well, it took me three days and multiple ways and tools to test printing only to confirm that it's not a programming problem. It is a permission problem. When I was searching for tips, this particular problem seemed to be ongoing for more than a decade and it always happens to certain web server setups. So, here is the solution for anyone who stumbled upon the same situation as I had and save the three days of headache.
The setup:
Have a web application or service running on IIS server and you need to print some documents.
Have a network printer set up for this purpose, such as printing to a particular departmental printer within the office network.
The printing works when you are testing on localhost with your development machine.
The printing silently drops and nothing happens when deployed to the actual web server.
The reason is that a network printer is accessed in the form of \networkserver\printername and the web application account, IIS_IUSER, is not a domain account and, therefore, doesn’t have access to any network server.
Solutions:
Add the IIS_IUSER account to the domain BUT this is a very bad idea because you would need to give Internet users of your web app to have access to some network drive. Therefore, this is a no-no.
Add the printer using TCP/IP instead of setting it up as a network drive. By IP address, all local users, including the IIS_IUSER account will have access to the printer by default.
With an IP printer, no matter you use ProcessStartInfo or a third-party tool to print, it will work. Happy programming!
I am running an executable process from my ASP.NET application when a user clicks a button. This process creates several files and serves them up to the end-user. I can't really see what the process is or isn't doing, but it didn't work until I specified the admin user as the application pool identity on the server. I am using IIS7.
using (var proc = new Process())
{
proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyExe.exe");
proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFilePath);
proc.StartInfo.UseShellExecute = true;
proc.Start();
proc.WaitForExit();
}
I'm assuming that this is generally a bad thing to do. Can you give me insight into what needs to be done in order to enable this for the normal ApplicationPoolIdentity account?
Thanks!
First of all, why you need the Shell to execute it ? Isn't a console application - do you open any window ?
Second you need to redirect the input and the output.
And final, what you need to do, is to place on the directory that your script runs, permission for the user under witch your pool is run. And remove the Admin from your pool.
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.CreateNoWindow = false;
proc.StartInfo.RedirectStandardError = true;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.RedirectStandardInput = true;
proc.Start();
proc.StandardInput.Flush();
proc.StandardInput.Close();
proc.WaitForExit();
proc.Close();
So for example, if you add your pool to run under the UserA, then go to your directory that your program runs and add permission for the UserA to been able to execute programs on that directory. If your program also use other directories to read and write, also add permission to the UserA for that ones.
I can't really see what the process is or isn't doing
You can take a look if you use on the server the Process Explorer and see if its runs, if its close, if its stop but stay there.
It is likely a file/execution permissions issue.
Try granting execute permissions to the ApplicationPoolIdentity to ~/Testing/Dema/MyExe.exe and read permissions to commandFilePath. You mentioned that your process creates files. You will need to grant either modify or full control permissions to the ApplicationPoolIdentity on the folder where the files will be created. Here is a matrixed list of permissions.
See assign permissions to ApplicationPoolIdentity account for information on granting permissions.
The security event log should capture permission denied errors. Check there to see if you have access permission issues. The System and application logs might also contain information on the problem.
Process Explorer can also show File Access requests. Here is a technet article on troubleshooting with Process Explorer.
Whenever you run any process from an ASP.NET page, it runs under the security context of the worker process, the privilege of your app pool account. It is not like you normally running the MyExe.exe, in that case it will run using logged in account. It is because of this, your code worked when you gave Admin account to app pool.
There are many ways to solve this issue.
One of the easiest would be to change your app pool identity to Network Service and add the Network Service to permissions of the folders in which the MyExe.exe will be accessing files form.
Hope it helps.
Thank you all for your help. All I needed to do was set the StartInfo.WorkingDirectory to somewhere that I was able to write.
using (var proc = new Process())
{
proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyEXE.exe");
proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFile);
proc.StartInfo.WorkingDirectory = savePath;
proc.Start();
proc.WaitForExit();
}
This causes the temp files to be written to a non-system folder and thus does not need any elevated permissions for the application pool.
I am working on a web application that install software on a server.
I can run the install by hand if I log in a user that is apart of a specific group then run install msi as administrator.
This specific group is apart of the local administrators group.
My app pool is running as Network_Service.
Do I impersonate then use the runAs verb? but then I need to know the u/p as user and u/p of Administrator .. I think
I am using the System.Diagnostics.Process classes.
System.Diagnostics.ProcessStartInfo oInfo = new System.Diagnostics.ProcessStartInfo(str);
oInfo.UseShellExecute = false;
oInfo.ErrorDialog = false;
oInfo.CreateNoWindow = false;
oInfo.RedirectStandardOutput = true;
Process p = System.Diagnostics.Process.Start(oInfo);
System.IO.StreamReader oReader2 = p.StandardOutput;
string sRes = oReader2.ReadToEnd();
oReader2.Close();
return sRes;
You need to set the UserName and Password properties to the login credentials of an Administrator account.
You can't change the user context of a running process later on. I suggest u use windows authentication and impersonation to be sure the web request is executed as the authenticated user and besides that you don't have to care about the user credentials.