Debugging as a Non-Admin

2006-03-16 james 2 comments

Fellow plumber, Bil Simser, asks the question how the heck does someone debug SharePoint as a non-admin. Elementary, my dear Simser, elementary…

The fundamental problem that Bil is experiencing occurs with SharePoint, ASP.NET, or any app that runs under a different security context than your own. A normal user can only debug applications running under his/her own security context.* Administrators have the SeDebug privilege, which allows them to debug processes running under any security context. Granting your user the SeDebug privilege gives them tremendous power, which is exactly what you’re trying to avoid. (With SeDebug, you can open any process, including system processes with full permissions. If you can do that, you own the box. I leave it as an exercise to the reader to figure out how, given only SeDebug, to elevate your normal user to be a member of the local administrators group.) I know of a few solutions to allow debugging of server processes:

Develop server apps in an isolated virtual machine and use an admin account.
Run as admin when debugging server apps, but run as a normal user while developing them. (This can be done using MakeMeAdmin and then running devenv.)
Run the server app under your user account, though this may mean placing your username/password in clear text, which is non-ideal. (This is the strategy used by the Visual Web Developer Web Server – aka Cassini – that ships with VS 2005.)

* Note that although you don’t require any special privileges to debug a process running under your own security context, Visual Studio does enforce that you need to be a member of the Debugger Users group.

EDIT: Additional information added below related to Bil’s comment.

Bil is correct. If you run Visual Studio as a non-admin when developing server apps and you want to debug, you need to break stride and launch another copy of Visual Studio using MakeMeAdmin or runas. This is highly non-ideal. Is it a huge security risk to run Visual Studio under an admin account while the rest of your log-in session is running as a normal user? Somewhat, but it’s a lot better than running your entire log-in session as an admin.

Also remember one of the main reasons for developing apps as a non-admin – to ensure that you are running/debugging with credentials similar to what your end users will be using. (i.e. Your app isn’t writing to protected regions of the file system or registry to which normal users don’t have access.) With server apps, the story is a bit different. You want your server app to be running with different credentials – the credentials of the account that the application will be running under in production – NETWORK SERVICE or other service account. The safest solution is #1 above. Develop server apps as an admin in an isolated virtual machine. Second would be running only Visual Studio under elevated privileges using technique #2. Although technique #3 above works, you run the risk of developing your server code under unrealistic conditions – for instance, you’ll have a logged in user with a loaded HKCU hive. If you want to try option #3, you’ll have to configure your application pool and/or ASP.NET application to run as your current (non-admin) user. For the app pool identity, you can configure that using the IIS Manager MMC. For ASP.NET, you have to modify the following in machine.config:

<configuration>
  <system.web>
    <processModel username="" password=""/>
  </system.web>
</configuration>

Although you can store this in cleartext, I would recommend against it for obvious reasons. Take a look at aspnet_setreg.exe and the following KB article on how to store this information securely:

How to use the ASP.NET utility to encrypt credentials and session state connection strings

.NET General, ASP.NET, Non-admin, Security, SharePoint none

#1 | Written by Bil Simser about 18 years ago. Reply

So you haven’t really answered the question since I launch the debugger from inside the IDE (as a non-admin user, but someone who is part of VS Developers and Debugger Users) and get denied access to debug the web process. Running as an admin defeats the purpose of running as non-admin (which is the goal). Running as admin to debug (using MakeMeAdmin) would work, but it means I have to break my stride when developing and have to slip out and run the program then debug. If I have to debug often this is very unproductive. Not sure what you mean by the last option.
#2 | Written by Bil Simser about 18 years ago. Reply

Thanks for the update James, but the story with servers apps (at least as far as SharePoint is concerned) is that you do not want to be running with different credentials. You always want to be the user because you want to ensure that a) no weird challenge/response popups happen when the user does something and b) you want the underlying system know that you’re who you say you are.

With server apps you might want to run under NETWORK SERVICE or some service account, but for web apps, web parts, etc. you want to be running as the user because you don’t want that call from support that end users are getting password prompts or something after you deploy becuase you developed and tested as admin.

With option #1 you have no idea what your users are seeing and if they are seeing the right stuff on their end with their credentials. If you’re debugging a problem (like doing impersonation but trying to determine who the system thinks you are) you can’t because if you run devenv as admin, you’re defeating debugging that problem as a user. The system will see you’re Administrator (or a similar account) and it’ll be no different than option #1, running fully as an admin and you’ll never be able to track down a user problem.

James Kovacs' Weblog

Recent Posts

Browse by Tags

Archives

Categories

Debugging as a Non-Admin

Leave a Comment