如何通过Web请求以管理员身份运行ftp部署的exe?
[英]How to run ftp-deployed exe as admin from web request?
问题描述
Goal: I periodically upload new .exe file to windows server 2003 via FTP and I want to run it manually by hitting Url of a web site on same server. 
目标:我定期通过FTP将新的.exe文件上传到Windows Server 2003,我想通过点击同一服务器上网站的网址来手动运行该文件。 Exe needs to be run under an Admin account, and not the NETWORK SERVICE account. Exe需要在Admin帐户而不是NETWORK SERVICE帐户下运行。
What I achieved so far: I have been able to successfully run applications like notepad under the Admin account on the server via a web request by using any of these: 到目前为止,我取得的成就:通过使用以下任意一项,我可以通过Web请求成功在服务器上的Admin帐户下运行诸如记事本之类的应用程序:
- PsExec, PSEXEC,
-
.net process.Start()with credentials supplied toprocess.StartInfoand even.net process.Start()具有提供给process.StartInfo甚至凭据的凭据 - by impersonating admin and then using process.Start without credentials ( http://www.f4cio.com/programmatically-impersonate-in-csharp ) 通过模拟管理员然后使用process.Start无需凭据( http://www.f4cio.com/programmatically-impersonate-in-csharp )
The problem: 问题:
The above methods run my exe but Task Manager, or a call to System.Security.Principal.WindowsIdentity.GetCurrent().Name shows me that it is running under NETWORK SERVICE . 上面的方法运行我的exe,但运行任务管理器,或者调用System.Security.Principal.WindowsIdentity.GetCurrent().Name告诉我它正在NETWORK SERVICE下运行。
I suspect that this file has added security constraints because it arrived from ftp link. 我怀疑此文件增加了安全性约束,因为它来自ftp链接。 Checking run-as-administrator in properties of file is not an option because file will be replaced periodically and all needs to be automated. 不能在文件属性中检查以管理员身份运行,因为文件将定期替换,并且所有操作都需要自动化。 Also manual server configuration should be minimal or ideally non-existent. 此外,手动服务器配置应该最少或理想情况下不存在。 Code-only single-web-page solution is ideal. 仅代码的单网页解决方案是理想的。 Editing both that asp.net web page and exe is ok. 编辑该asp.net网页和exe都可以。 (I tried something with exe self-restarting). (我尝试使用exe自动重启功能)。
1 个解决方案
解决方案1
0 已采纳 2017-05-10 06:28:06
Not sure about this, but I suspect this has to do with you website running under the NETWORK SERVICE user. 对此不确定,但是我怀疑这与在NETWORK SERVICE用户下运行的网站有关。 Whatever privileges your website-user has, the same are probably granted / passed on as you try to run your executable. 无论您的网站用户具有什么特权,在尝试运行可执行文件时都可能授予/传递同样的特权。
Is this server on an internal network or protected in some other way? 该服务器是在内部网络上还是以其他方式受到保护? (I should hope so!). (我希望如此!)。 If so, you might try changing App Pool that the website is running under to an admin account (in IIS, right click the App Pool running the site, select Advanced Settings, and look for the Identity setting). 如果是这样,您可以尝试将运行网站的应用程序池更改为管理员帐户(在IIS中,右键单击运行该站点的应用程序池,选择“高级设置”,然后查找“ 标识”设置)。 If I'm right, that will allow you to run your executable as an admin too. 如果我是对的,那也将允许您以管理员身份运行可执行文件。
Be aware however, that this may increase the security risk of your setup: Allowing your site to run under an admin account means easier access to your entire server if anyone is able to penetrate whatever security measures you have in place. 但是请注意,这可能会增加设置的安全风险:如果任何人都可以采用您已采取的任何安全措施,则允许您的网站在管理员帐户下运行就意味着可以更轻松地访问整个服务器。 Make sure access to this server is tightly limited, and preferably, that it in turn does not have access to other systems, since that would in turn make them vulnerable by extension. 确保对该服务器的访问受到严格限制,并且最好不要再访问其他系统,因为这反过来会使它们容易受到扩展的影响。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.