I have an ASP.NET Web API in which I am trying to download a ZIP file through a controller - say, DownloadZipController.

For generating this ZIP file, my controller method calls a factory method createandGetZip which launches an exe and waits for the EXE to finish its execution. When the EXE produces the ZIP it is passed to the factory method createandGetZip. This ZIP generation takes some time - around 2 minutes.

I have hosted this web api on IIS server with the AppPool identity as LOCALSYSTEM.

My question is: is this the best way to launch an EXE from my code hosted on IIS server? Or is there any other way to launch the EXE from the code without giving AppPool identity as LOCALSYSTEM as I have read that this may lead to a security breach.

Please advise me on the best possible way or just a way better than what I am currently using.

ivan_pozdeev
SAI BALAJI
  • Do you have the source code for the exe? – mason Oct 18 '16 at 15:41
  • Yes I have the source code of EXE. It was developed in house. – SAI BALAJI Oct 18 '16 at 16:32
  • Securing IIS is too broad a topic for SO. – ivan_pozdeev Oct 19 '16 at 10:38
  • What prevents you from just assigning your app another AppPool with identity other than LocalSystem? There are plenty of tutorials out there about this. – ivan_pozdeev Oct 19 '16 at 10:44
  • @ivan_pozdeev I am unable to launch my exe without assigning the identity of Localsystem to my app pool. Please advise if it can be done in some other good way. – SAI BALAJI Oct 19 '16 at 18:17
  • E.g. http://stackoverflow.com/questions/19821251/cant-run-exe-from-classic-asp-script-on-iis-7-5 and http://stackoverflow.com/questions/8991846/run-console-application-exe-from-within-asp-net-application-iis-7-5 – ivan_pozdeev Oct 19 '16 at 19:14

1 Answer

I believe this is fine in practice (I do this often with DoScan.exe, the Symantec virus scanner). Try to guard against the external process spinning forever, and limit the app pool security rights on the EXE, if that matters to you.

Also, of course, make sure you know what the EXE is doing.

Kevin Le
  • Thanks for the very quick reply, but as I have mentioned, I am granting Localsystem identity to my app pool; only then am I able to start the process. So is it fine to do so? Also, I did not get what you mean by the external app spinning forever. Is it possible for you to share the details of the app pool identity and the security permissions you provide your app pool? – SAI BALAJI Oct 18 '16 at 15:45
  • I mean, if the external app does not complete (for whatever reason), it may cause your server thread to lock depending on how you implement. Just one thing to consider. – Kevin Le Oct 18 '16 at 16:38
  • OK, I got it, but can I know what app pool identity you have given to the application pool to launch DoScan.Exe? – SAI BALAJI Oct 19 '16 at 06:48
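
The timeout guard mentioned in the answer could look like the sketch below. This is an added example, not code from the question or the answer; the EXE path, the five-minute limit, and the convention that the EXE takes the output ZIP path as its only argument are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;

public static class ZipExeRunner
{
    // Hypothetical values: a fixed absolute path and an upper bound above the ~2 minute normal run.
    private const string ExePath = @"C:\Tools\ZipBuilder\ZipBuilder.exe";
    private static readonly TimeSpan Timeout = TimeSpan.FromMinutes(5);

    public static string CreateZip(string outputDirectory)
    {
        // Server-generated file name: nothing from the HTTP request reaches the command line.
        string zipPath = Path.Combine(outputDirectory, Guid.NewGuid().ToString("N") + ".zip");

        var startInfo = new ProcessStartInfo
        {
            FileName = ExePath,
            Arguments = "\"" + zipPath + "\"",   // assumed argument convention
            WorkingDirectory = Path.GetDirectoryName(ExePath),
            UseShellExecute = false,             // start the EXE directly, no shell lookup
            CreateNoWindow = true
        };

        using (Process process = Process.Start(startInfo))
        {
            // Bounded wait: a hung EXE must not hold the request thread forever.
            if (!process.WaitForExit((int)Timeout.TotalMilliseconds))
            {
                try { process.Kill(); }
                catch (InvalidOperationException) { /* exited between the check and Kill */ }
                process.WaitForExit(5000);
                throw new TimeoutException("ZIP generator did not exit within " + Timeout);
            }

            if (process.ExitCode != 0)
                throw new InvalidOperationException(
                    "ZIP generator failed with exit code " + process.ExitCode);
        }

        if (!File.Exists(zipPath))
            throw new FileNotFoundException("ZIP generator produced no output", zipPath);

        return zipPath;
    }
}
```

The child process runs under whatever identity the app pool uses, so this guard bounds how long a request can block; it does not change what the EXE is allowed to do.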