IIS Server Security - Run IIS as admin to write to Active Directory - security risk?







Jason Shuck

2006-06-06, 1:23 pm

I'm looking for opinions on a particular situation. We're exploring a web
app that will allow public users to create their own user accounts, on the
fly, in Active Directory. The only way I know how to do this is to allow the
IIS process to run as local admin. Even considering that option is really
making me cringe. Does anyone have any docs from Microsoft or other
authorities on the subject that highlights this issue?
Roger Abell [MVP]

2006-06-07, 1:23 am

Meaning no disrespect, but that is plain crazy!
First, running IIS with local admin will not accomplish anything
toward ability to create accounts in AD (unless the IIS is on DC).
Second, running IIS as local admin is not a good idea in itself.
Third, any AD account can be delegated the ability to define new
accounts in AD.
Finally, why would you want a public user to have an account in
your AD, or to self-define it? It sounds like an environment with
which I could have some fun <g> if my inclination was on that side.

"Jason Shuck" <Jason Shuck@discussions.microsoft.com> wrote in message
news:9E9BE1B3-A1B7-4D45-A2F2-B0C3A400F0B2@microsoft.com...
> I'm looking for opinions on a particular situation. We're exploring a web
> app that will allow public users to create their own user accounts, on the
> fly, in Active Directory. The only way I know how to do this is to allow
> the
> IIS process to run as local admin. Even considering that option is really
> making me cringe. Does anyone have any docs from Microsoft or other
> authorities on the subject that highlights this issue?
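One way to act on Roger's third point (delegate one dedicated account instead of running IIS as local admin, and run the app pool as that account), added here as an example that is not part of the thread. The OU, domain and service-account name are placeholders I chose; the two rights shown are the minimum for creating a user and setting its initial password, and a given app may need more.

```powershell
# Added example (not from the thread). Assumed placeholder values: the self-registration
# OU is OU=SelfServiceUsers,DC=example,DC=com and the web app's dedicated service account
# is EXAMPLE\svc-webreg. Requires dsacls.exe (Windows Support Tools on 2003, in-box later).
$ou  = 'OU=SelfServiceUsers,DC=example,DC=com'
$svc = 'EXAMPLE\svc-webreg'

# 1. Let the service account create user objects in this OU only
#    (CC = create child, restricted to object type "user").
dsacls $ou /G "${svc}:CC;user"

# 2. Let it set the initial password on user objects under the OU
#    (CA = control-access right "Reset Password", /I:S = apply to sub-objects only).
dsacls $ou /I:S /G "${svc}:CA;Reset Password;user"

# 3. Verify: list every ACE on the OU that names the service account. Anything beyond the
#    two entries above, or any ACE for it on other OUs or the domain root, is a finding.
dsacls $ou | Select-String -SimpleMatch $svc
```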



Roger Abell [MVP]

2006-06-08, 7:25 am

Jason, as a PS, to get at what seem to be your objectives . . .

Please reconsider using ADAM with IIS (better yet on R2 also w/ ADFS).
This can be done on standalone or member of domain, w/ or w/o identity
relationships to AD principals.
www.microsoft.com/adam
but for www.microsoft.com/adfs one now still needs to use links like
http://www.microsoft.com/WindowsSer...whitepaper.mspx
http://msdn.microsoft.com/theshow/e...047/default.asp

Roger

"Jason Shuck" <Jason Shuck@discussions.microsoft.com> wrote in message
news:9E9BE1B3-A1B7-4D45-A2F2-B0C3A400F0B2@microsoft.com...
> I'm looking for opinions on a particular situation. We're exploring a web
> app that will allow public users to create their own user accounts, on the
> fly, in Active Directory. The only way I know how to do this is to allow
> the
> IIS process to run as local admin. Even considering that option is really
> making me cringe. Does anyone have any docs from Microsoft or other
> authorities on the subject that highlights this issue?




Copyright 2003 - 2008 webservertalk.com