Run IIS as admin to write to Active Directory - security risk?

I'm looking for opinions on a particular situation. We're exploring a web app that will allow public users to create their own user accounts, on the fly, in Active Directory. The only way I know how to do this is to allow the IIS process to run as local admin. Even considering that option is really making me cringe. Does anyone have any docs from Microsoft or other authorities on the subject that highlight this issue?

Meaning no disrespect, but that is plain crazy!
First, running IIS with local admin will not accomplish anything toward the ability to create accounts in AD (unless the IIS is on a DC). Second, running IIS as local admin is not a good idea in itself. Third, any AD account can be delegated the ability to define new accounts in AD. Finally, why would you want a public user to have an account in your AD, or to self-define it? It sounds like an environment with which I could have some fun <g> if my inclination was on that side.

"Jason Shuck" <Jason Sh***@discussions.microsoft.com> wrote in message news:9E9BE1B3-A1B7-4D45-A2F2-B0C3A400F0B2@microsoft.com...
> I'm looking for opinions on a particular situation. We're exploring a web
> app that will allow public users to create their own user accounts, on the
> fly, in Active Directory. The only way I know how to do this is to allow
> the IIS process to run as local admin. Even considering that option is really
> making me cringe. Does anyone have any docs from Microsoft or other
> authorities on the subject that highlights this issue?

Jason, as a PS, to get at what seem to be your objectives . . .
Please reconsider using ADAM with IIS (better yet on R2 also w/. ADFS). This can be done on a standalone server or a member of a domain, w/. or w/o identity relationships to AD principals.
www.microsoft.com/adam
but for www.microsoft.com/adfs one now still needs to use links like
http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx
http://msdn.microsoft.com/theshow/episode047/default.asp
Roger
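
The first reply's point that an ordinary AD account can be delegated the right to create accounts, sketched with dsacls as an added example that is not part of the thread. The OU, domain and service account names are placeholders (assumptions), and the attribute list is only an illustration of keeping the grant narrow.

```powershell
# Added example: delegate "create user" on one OU to a low-privilege domain
# account, instead of making the IIS worker process a local administrator.
# All names below are placeholders (assumptions), not values from the thread.
$ou  = 'OU=WebSelfReg,DC=example,DC=com'   # dedicated OU for self-registered accounts
$svc = 'EXAMPLE\svc-webreg'                # domain account used as the IIS app pool identity

# 1. Allow creating user objects directly in this OU only.
#    CC = create child, restricted to object class "user".
dsacls $ou /G "${svc}:CC;user"

# 2. On user objects beneath the OU (/I:S = apply to sub-objects only),
#    allow setting the initial password and enabling the account.
#    CA = control access right, WP = write property.
dsacls $ou /I:S /G "${svc}:CA;Reset Password;user"
dsacls $ou /I:S /G "${svc}:WP;userAccountControl;user"

# 3. Allow writing only the profile attributes the sign-up form collects.
foreach ($attr in 'givenName', 'sn', 'displayName', 'mail') {
    dsacls $ou /I:S /G "${svc}:WP;${attr};user"
}

# 4. Review what the account now holds on the OU. Nothing is granted outside
#    this OU, so group membership and other containers stay out of reach.
dsacls $ou | Select-String -SimpleMatch $svc

# 5. On the web server, confirm the app pool identity is not a local admin.
#    No output from this line means the account is not in the group.
net localgroup Administrators | Select-String -SimpleMatch 'svc-webreg'
```

Run steps 1 to 4 from a session with rights to modify the OU's ACL, and step 5 on the IIS machine itself.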