
I used to use impersonation in ASP.NET to run the web application as system administrator, to let the application work with system methods like creating subdomains, by the command below in web.config:

```xml
<identity impersonate="true" userName="administrator" password="MyPassword" />
```

Since I switched the app to ASP.NET Core 3.1, and it seems it doesn't support the impersonate command as in classic ASP.NET, how can I do this? I have read that the way is to give NETWORK USER permission to the IIS settings folder to let the app edit the IIS settings - and it worked perfectly - but I am so worried about security because now each website on this server can do the same WITHOUT knowing system administrator account and can change the IIS settings and remove the other websites easily.

Let me know if there is any other solution that gives the permission to this specific website only, not to all the websites.

ProgrammingLlama
Mertez
  • That's not how you use the `identity` **tag**. It's not a command. It tells ASP.NET to impersonate either the client or (rather rare) a specific user. It's rarely used to impersonate someone using username/password as it's far easier and *safer* to use the application pool account. It should never be used to allow hackers full access to a web server, which is what trying to run as system administrator does – Panagiotis Kanavos Mar 23 '21 at 07:00
  • To put it another way, that's a career-limiting set of credentials. `I am so worried about security` it can't get any worse than what you already did. Giving the executing account proper permissions is the *safe* way. If you want to access other machines, use a domain account. What are you trying to do? Why run as admin? There are infinite other ways to do whatever you wanted to do without compromising security. – Panagiotis Kanavos Mar 23 '21 at 07:07
  • `can do the same WITHOUT knowing system administrator account` but that's exactly what you did before - allowed any client to act like the system administrator. What problem are you trying to solve by giving that web site full access to the web server? – Panagiotis Kanavos Mar 23 '21 at 07:08

0 Answers
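Added example, not part of the original thread: a read-only PowerShell audit that lists which accounts can write to the IIS configuration folder and flags the ones shared by many sites, which is the exposure the question describes. It assumes the default config path `%windir%\System32\inetsrv\config` and a hypothetical dedicated application pool named `SubdomainManagerPool`; the commented `icacls` lines show how write access could be scoped to that single pool identity, in line with the comments' advice to use the application pool account.

```powershell
# Added example; run from an elevated prompt on the IIS server.
# Assumptions: default IIS config path, hypothetical app pool name.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
$appPool   = 'SubdomainManagerPool'          # hypothetical name
$dedicated = "IIS AppPool\$appPool"          # per-pool virtual account

# Principals that many or all sites on a server typically run as or belong to.
$shared = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\IIS_IUSRS',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Any of the write bits; Modify and FullControl include them.
# Note: ACEs expressed only as generic rights are not decoded here.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write

$acl = Get-Acl -Path $configDir
$findings = foreach ($ace in $acl.Access) {
    $canWrite = ($ace.FileSystemRights -band $writeBits) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite) {
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Shared    = $shared -contains $id      # writable by more than one site
            Dedicated = $id -eq $dedicated         # the one pool meant to have it
        }
    }
}

$findings | Sort-Object Shared -Descending | Format-Table -AutoSize

if ($findings | Where-Object Shared) {
    Write-Warning "Shared identities can modify IIS configuration in $configDir."
}

# Scoping the permission to one site (left commented so the audit stays read-only):
#   icacls $configDir /remove:g 'NETWORK SERVICE'
#   icacls $configDir /grant "${dedicated}:(OI)(CI)M"
# The site must run in its own pool with ApplicationPoolIdentity for this to isolate it.
```

Any identity that can write to this folder can still alter every site's configuration, so the dedicated pool should host only the one application that needs it.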