
I posted this question here before: https://security.stackexchange.com/questions/34405/iis-7-5-impersonation-threat but I thought I would try it here as well if that's ok.

I am using IIS 7.5 and I want to impersonate users for my different applications in an intranet environment. To do so, I am considering using the ASP.NET mechanism with the user/password in the web.config (encrypted), but I'm unsure about some possible threats. I'll explain it with a concept (I know my example is useless, but it represents my situation, so please bear with me).

Let's say that I have 2 directories:

  • One empty directory (DirectoryA) that permits access to all users (NTFS permissions) and that contains a web.config that impersonates UserA

  • One directory (DirectoryB) containing a web site that I want to restrict access to, which also contains a web.config that impersonates UserA (same user as DirectoryA, not a typo)

To have the impersonation going on DirectoryB, I need to give an NTFS permission allowing UserA in DirectoryB.

My question is: is it possible for someone to access DirectoryA (which will impersonate him as UserA) and then somehow access the site on DirectoryB using the impersonated UserA? If it is, how?

Thanks for any insight

ChG

1 Answer


Both processes don't communicate with each other, so it is not possible for DirectoryA to communicate with DirectoryB unless a programmer codes it that way.

Is it possible for someone to access DirectoryA (which will impersonate him as UserA) and then somehow access the site on DirectoryB using the impersonated UserA? If it is, how?

The only way that it could be possible is if DirectoryA specifically implements a feature that accesses DirectoryB directly. Otherwise it is safe.

However, you should really use a different identity for each process, since the DirectoryB website will access its resources with the UserA identity. Someone could use the DirectoryA website to access the same resources used by DirectoryB... if it is coded so.

Guish
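As an added example (not from the question or the answer above), this is a web.config for DirectoryB that applies the answer's recommendation of a separate identity per application; the account names, the group name and the application path are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the question or answer: web.config for DirectoryB
     following the answer's advice of a dedicated identity per application.
     Account names (CORP\svc_dirB, CORP\DirectoryB-Users) are assumptions. -->
<configuration>
  <system.web>
    <!-- Dedicated service account for this application only. DirectoryA keeps
         its own account, so the NTFS ACL on DirectoryB grants svc_dirB and
         not UserA, and reaching DirectoryA yields nothing on DirectoryB's
         resources. Encrypt this section before deploying (see note below). -->
    <identity impersonate="true"
              userName="CORP\svc_dirB"
              password="PLACEHOLDER-set-then-encrypt" />

    <!-- Impersonation only decides which account the application runs as;
         who may reach the application at all is decided here. Require a
         Windows logon, refuse anonymous requests, then allow one group. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
      <allow roles="CORP\DirectoryB-Users" />
      <deny users="*" />
    </authorization>
  </system.web>

  <system.webServer>
    <!-- IIS 7.x integrated pipeline rejects identity impersonate="true"
         with HTTP 500.24 unless this validation is relaxed. -->
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>
```

Encrypt the credentials after writing them with `aspnet_regiis -pe "system.web/identity" -app "/DirectoryB"` (run from the .NET Framework directory), so the clear-text password never stays on disk.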