[Owasp-dotnet] Act as part of the operating system

Dinis Cruz dinis at ddplus.net
Mon Oct 3 18:42:20 EDT 2005 

Does anybody here really knows what are the security implications of the
"Act as part of the operating system" privilege?

Bellow is an email that I wrote about this, and it is interesting how
little 'real' information there is about this.

My question is: What can you do with this privilege that you can't do
without?

----------------------------------

Here are my comments regarding the impact of adding the privilege "Act
as part of the operating system" to the ASP.NET account in order to
perform impersonation.

1. If your web farm is running IIS 5.0 there is no isolation between the
multiple hosted websites. Any malicious unmanaged (i.e. C++ dll) or Full
Trust Asp.Net code running in one co-hosted website will be able to gain
access to all resources allocated to all websites (files, database
access, network shares, impersonated user accounts, etc...).

2. The 'Act as part of the operating system' privilege should not be
allocated to normal user accounts (see some quotes about this at the end
of this email.)

3. I am under the impression that you only need to give this privilege
on the .NET Framework 1.0 and that privilege is not required for the
.NET Framework 1.1
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306158) . I
also think that this is needed in Windows 2000 (windows 2003 and XP
don't need this, Although a friend as said that if automatic
impersonation is done via Web.config this will work in windows 2000
which is a bit weird)

4. Under your current setup the entire confidentiality, integrity and
availability of all hosted websites is fully dependent on:

        a) the non-existence of any vulnerability in any of the
co-hosted applications
        b) the integrity and non-malicious-intent of every person that
as direct (or indirect) access to the code uploaded to the server (and
if there are no code reviews, malicious script inserted by a malicious
developer will not be detected)

5) Taking into account points 1) and 4)  the security implications of
adding the privilege "Act as part of the operating system" to the
ASP.NET account are the following:

        a) To the main assets (files, databases, etc...) stored in the
server : The impact is low since these assets can be compromised without
this privilege.
        b) To the server (and web farm): The impact could be very high
since this privilege could be exploited to execute functions that
normally require SYSTEM privileges

6) Solutions:

        a) See if the use of the .Net Framework 1.1 will allow the
required impersonation to be executed without the use of this privilege
        b) Host critical applications (with high CIA ratings) in
separate servers
        c) Run untrusted websites in partial trust


Best regards

Dinis Cruz


Note: some quotes about the 'Act as part of the operating system' privilege:

in
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/ec4fd2bf-8f91-4122-8968-2213f96a95dc.mspx

    * "...This user right allows a process to impersonate any user
without authentication. The process can therefore gain access to the
same local resources as that user...."
    * "...Processes that require this privilege should use the
LocalSystem account, which already includes this privilege, rather than
using a separate user account with this privilege specially assigned..."
    * "...Assigning this user right can be a security risk. Only assign
this user right to trusted users. ..."


in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000023.asp

    * " ... Impersonation-level token. If you grant your process account
the "Act as part of the operating system" user right, you get this type
of token from the WindowsIdentity constructor. With this type of token,
you can impersonate with it and access local resources.

Note   This places your process within the trusted computing base (TCB)
of the Web server, which makes your Web server process very highly
privileged. Where possible, you should avoid this approach because an
attacker who manages to inject code and compromise your Web application
will have almost unrestricted capabilities on the local computer. ...

    * "...When you use the LogonUser API for impersonation on Windows
2000 Server, you must grant the application's process account the Act as
part of the operating system privilege. You should avoid this approach
if possible to avoid raising the privileges of your Web application ."



in http://www.dotnet247.com/247reference/msgs/55/275166.aspx

    * "...The "only combined with other high-level privileges" statement
really isn't true about Act As Part of the OS. The thing about that
privilege is that it lets you bypass OS security in kernel mode, so you
can make yourself into the SYSTEM account if you know what you are
doing...."
    * "...This is something you definitely don't want, even if the
likelihood of someone being able to exploit this is extremely low. There
is still an argument to be made that by default the account is less
powerful than SYSTEM, but be clear about what it is giving you...."


in http://descriptions.securescout.com/tc/14117

    * "... The "Act as part of the operating system" privilege allows a
process to perform as a secure, trusted part of the operating system...."
    * "... In a secure installation, this privilege must be reserved
only for administrators. "...

More information about the Owasp-dotnet mailing list