Read local file as local system, not as current user

Question

I have an ASP.NET C# application running on IIS.

Some actions require me to read files which are put locally on the system, using Directory.EnumerateFiles. This works when I call the function, because my windows user has access to those files, but it doesn't when another user calls the same page.

I checked with WindowsIdentity.GetCurrent().Name and I indeed see CompanyName\MyName as current user. The files contain sensitive data, and I prefer not to give read access to all users, even though they are on a remote system.

It seems to me that I want to give specifically my IIS application rights the read the folder, and somehow call the function Directory.EnumerateFiles from the IIS Application instead of from the current user performing the request (authorization is handled already in the application itself).

Is this feasible, and if so, how is it achieved?

Solution

I ended up using this answer: Can I turn off impersonation just in a couple instances:

using (WindowsIdentity.Impersonate(IntPtr.Zero))
{
 //Directory.EnumerateFiles(...)
 //File.ReadAllText(...)
}

Plus, I gave access to the folder for the following user: IIS APPPOOL\MyAppPoolName

So you want to always read the files with `ApplicationPoolIdentity` am i right ? — HariHaran, Dec 16 '19 at 11:06
Are the files on the local filesystem of the web server? If so, you could give read access to the IIS_IUSRS account. — Andrew Morton, Dec 16 '19 at 11:07
@AndrewMorton I just tested this, but unfortunately it does not work. Thank you though — Daniël Camps, Dec 16 '19 at 11:40
@DaniëlCamps You can check which identity is being used to try to access the filesystem by using [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon). — Andrew Morton, Dec 16 '19 at 11:48

Athanasios Kataras · Accepted Answer · 2019-12-17T07:37:24.730

2

You must use some kind of impersonation. You can find options here: https://support.microsoft.com/en-us/help/306158/how-to-implement-impersonation-in-an-asp-net-application

Impersonate the IIS authenticated account or user

Impersonate a specific user for all the requests of an ASP.NET application

Impersonate the authenticating user in code Impersonate a specific user in code

Example config for all requests

<identity impersonate="true" 
          userName="domain\user"  
          password="password" />

The domain user should have the required access.

If you want to go with the third option, check this answer here which uses the following to impersonate per code block:

try
{
    if (!WindowsIdentity.GetCurrent().IsSystem)
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
          // Do stuff here
        }
    }
}
catch { }

edited Dec 17 '19 at 07:37

answered Dec 16 '19 at 11:09

Athanasios Kataras

25,191
4
32
61

1

This seems like the proper way to do it. I upvoted your answer and I till try it, I will accept it after confirming if it works. Thank you Athanasios – Daniël Camps Dec 16 '19 at 11:42
I ended up using a slightly different approach, see the answer underneath. If you add this to your answer I can accept it – Daniël Camps Dec 16 '19 at 14:06
Cheers! I updated the answer with your solution which was basically expanding on the third option – Athanasios Kataras Dec 17 '19 at 07:37

Read local file as local system, not as current user

1 Answers1