Abstract:
Configuring an ASP.NET application to run with impersonated credentials might give the application unnecessary privileges.
Explanation:
The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration.
Recommendations:
Carefully review the ramifications of allowing an ASP.NET application to run with impersonated credentials, and ensure that the privileges under which the application runs do not introduce any security risks. Impersonation can be enabled or disabled by setting the following entry in Web.config to true or false, respectively. The default value is false.
<identity impersonate="true"/>
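One way to carry out this review across configuration files is sketched below as an added example; it is not code from the original page. It reports, for the site root and each `<location>` override, whether impersonation is off, follows the client, or uses an account fixed in the configuration through the `userName` attribute. The sample Web.config, the account name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the original page): the site root
# impersonates the caller, and one <location> override pins a fixed account.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
  <location path="reports">
    <system.web>
      <identity impersonate="true" userName="EXAMPLE\\svc_reports" password="placeholder"/>
    </system.web>
  </location>
  <location path="public">
    <system.web>
      <identity impersonate="false"/>
    </system.web>
  </location>
</configuration>"""


def classify_identity(identity):
    """Return 'disabled', 'client' or 'fixed-account' for an <identity> element."""
    # A missing element or attribute means the default, which is false.
    if identity is None:
        return "disabled"
    # Compare case-insensitively so odd casing is still flagged for review.
    if identity.get("impersonate", "false").strip().lower() != "true":
        return "disabled"
    # With userName set, every request runs as that configured account.
    return "fixed-account" if identity.get("userName") else "client"


def audit_web_config(xml_text):
    """Map each configuration scope ('/' or a <location> path) to its mode."""
    root = ET.fromstring(xml_text)
    findings = {"/": classify_identity(root.find("./system.web/identity"))}
    for loc in root.findall("./location"):
        identity = loc.find("./system.web/identity")
        if identity is not None:  # scopes without an override inherit
            findings[loc.get("path", "")] = classify_identity(identity)
    return findings


if __name__ == "__main__":
    for scope, mode in audit_web_config(SAMPLE_WEB_CONFIG).items():
        flag = "REVIEW" if mode != "disabled" else "ok"
        print(f"{flag:6} {scope:10} impersonation={mode}")
```

Scopes reported as `client` or `fixed-account` are the ones whose effective privileges need the review described above; a `fixed-account` result also means credentials are referenced from the configuration file itself.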