(Msg. 1) Posted: Tue Oct 07, 2003 10:58 am
Post subject: IUSR privileges Archived from groups: microsoft>public>inetserver>iis
Hi
I am having trouble accessing a COM+ from
my ASP pages, (COM+ object created with VB6)
I get the
Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
the COM+ object resides on a separate W2k server
the web server is running Windows2003 and IIS6,
and I have installed the exported app. proxy to
access the COM object
so far I have given read and execute access to the
webserver's IUSR, IWAM and INTERACTIVE account to:
- the COM dll
- the c:\program files\ directory
- the c:\program files\COMPlus application directory
and the folder which holds the COM dll
- the c:\windows and c:\windows\system32 directory
- the c:\windows\system32\inetsrv directory
- the msvbvm60.dll file
Also under DCOM I have given access, launch and modify
permission to IUSR,IWAM and INTERACTIVE to the COM object
the website is setup to accept anonymous access through
IUSR and is using integrated windows authentication
......
If I take out anonymous access, I get the: enter user/pwd
box, and entering a user or admin account the ASP page
WORKS, so I am sure it is a privilege thing for IUSR
but I don't know what other permissions/?rights? it needs
I don't have this problem on a Win2000 web server running
the same asp/COM
I'll appreciate any help
Thanks,

(Msg. 2) Posted: Wed Oct 08, 2003 1:26 pm
Post subject: Re: IUSR privileges
Use Filemon (sysinternals.com) to trace for
such access related error.
Run it on server, access the page again,
then check the log file.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

(Msg. 3) Posted: Thu Oct 09, 2003 7:57 pm
Post subject: Re: IUSR privileges
Thanks,
Unfortunately (I don't know if I used it wrong)
the only thing I could get from filemon
when I clicked on the "post" from the web page
was calls to w3svc and IE -- all of them marked SUCCESS
I changed audit policies to track failure on object and
logon but still get the same on filemon...
I GOT IT TO WORK, though, but I don't know if that
was the correct thing, I "ALLOWED WINDOWS TO HANDLE
ANONYMOUS PASSWORDS", created a second app. pool in IIS
and instructed it to act as Local Sys.
The Windows reading was that it would leave me
vulnerable...
but, is there another way to do this w/o having to "lower"
the security?
I also tried to sync IUSR and IWAM passwords w/adsutil and
user manager, but it didn't work either, I still had
to "lower" the security...

(Msg. 4) Posted: Fri Oct 10, 2003 2:59 pm
Post subject: Re: IUSR privileges
Sorry I don't really catch you on the second part ..
"I GOT IT TO WORK........."
what was the original app pool user identity -
network service ?
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

(Msg. 5) Posted: Tue Oct 14, 2003 12:42 pm
Post subject: Re: IUSR privileges
Hi Bernard
Yes, the original app. pool identity was set to network
service...
I created a new app. pool for the web site, because the one
it was using was the default app. pool
As instructed on doc. 332167, I changed the new app.
pool's user id to Local Sys...
The doc. also required to register sub-authentication
which was also done...
After following the document's instructions, access to the
COM object was obtained without the need of a user id/pwd
(anonymous)
But the document states that my security is now lowered
and I am vulnerable because of Local Sys ID on the app.
pool..
In my previous post, I tried to explain that before
applying the instructions of the document I tried to just
sync the IUSR and IWAM account passwords to those of the
IIS metabase, but that didn't work, It was until I
registered the sub-authentication and set the app. pool to
LocalSys, that the web site functioned as it was supposed
to..
My question here is, how did Microsoft intend ('Best
Practice'?) to run this type of situation without
resorting to what's instructed on the 332167 doc.?
Or is this the only way to access COM objects
from a web server? (without a user id/pwd of course)
Thanks,

(Msg. 6) Posted: Wed Oct 15, 2003 3:02 pm
Post subject: Re: IUSR privileges
Ok. Got what you mean by now.
I'm not pretty sure on how you can avoid this
for calling remotely from another server.
The sub-auth was disabled for potential risk,
as if it's enabled, IIS can control the User database,
i.e. it has the right to 'reset' or sync password.
In my past, I always configure a new user a/c in both
machines (in non domain model), both accounts have
required permission and rights. This acc will be used
for the COM+ object identity.
Web site anonymous access, will invoke this object
to do all necessary process.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

(Msg. 7) Posted: Thu Oct 16, 2003 10:31 am
Post subject: Re: IUSR privileges
You can also try here:
microsoft.public.inetserver.asp.components
Thank you. I hope this information is helpful.
Tim Coffey [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use. © 2001 Microsoft Corporation. All rights reserved.
(Msg. 8) Posted: Thu Oct 16, 2003 8:16 pm
Post subject: Re: IUSR privileges
Thanks,
So apparently the vulnerable point
resides in allowing windows to control the
passwords (sub-authenticate)
and not because of setting the app. pool's identity
to 'local sys'
I will test a set up with a specific user to handle the
com object and disable sub-authentication to see how it
works
Thanks again for taking the time to answer
Leo Lozano
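
An added example, not part of the thread and not Microsoft's code: a Python audit that reads an IIS 6 MetaBase.xml and flags the two settings the thread weighs against each other, an application pool running as LocalSystem and IIS controlling the anonymous account's password. It assumes that option is stored as the AnonymousPasswordSync metabase property and does not resolve values inherited from parent keys; the fragment below is constructed and simplified, and its site, pool and account names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml fragment (not taken from the thread).
# Site, pool and account names are made up for illustration.
SAMPLE_METABASE = """
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"
        AppPoolIdentityType="2" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/ComPool"
        AppPoolIdentityType="0" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/SvcPool"
        AppPoolIdentityType="3" WAMUserName="svc_web" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="ComPool"
        AnonymousUserName="IUSR_WEB01" AnonymousPasswordSync="TRUE" />
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="SvcPool"
        AnonymousUserName="IUSR_WEB01" AnonymousPasswordSync="FALSE" />
    <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AppPoolId="DefaultAppPool"
        AnonymousUserName="IUSR_WEB01" AnonymousPasswordSync="TRUE" />
  </MBProperty>
</configuration>
"""

# AppPoolIdentityType values used by IIS 6 application pools.
IDENTITY_TYPES = {
    "0": "LocalSystem",
    "1": "LocalService",
    "2": "NetworkService",
    "3": "SpecificUser",
}


def _local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    """Metabase booleans appear as TRUE/FALSE; accept 1 as well."""
    return (value or "").strip().lower() in ("true", "1")


def audit_metabase(xml_text):
    """Return {virtual-dir location: [issue, ...]} for risky settings.

    Only attributes set directly on each key are read; inheritance from
    parent metabase keys is not resolved (simplification of this example).
    """
    root = ET.fromstring(xml_text.strip())
    pools = {}
    vdirs = []
    for el in root.iter():
        kind = _local_name(el.tag)
        if kind == "IIsApplicationPool":
            name = el.get("Location", "").rsplit("/", 1)[-1].lower()
            pools[name] = IDENTITY_TYPES.get(
                el.get("AppPoolIdentityType"), "Unknown")
        elif kind == "IIsWebVirtualDir":
            vdirs.append(el)

    findings = {}
    for el in vdirs:
        issues = []
        # Assumption: a key without AppPoolId is treated as DefaultAppPool.
        pool = el.get("AppPoolId", "DefaultAppPool")
        if pools.get(pool.lower(), "Unknown") == "LocalSystem":
            issues.append("app pool %r runs as LocalSystem" % pool)
        if _is_true(el.get("AnonymousPasswordSync")):
            issues.append(
                "IIS controls the password of anonymous user %r"
                % el.get("AnonymousUserName", "?"))
        if issues:
            findings[el.get("Location")] = issues
    return findings


if __name__ == "__main__":
    for location, issues in sorted(audit_metabase(SAMPLE_METABASE).items()):
        for issue in issues:
            print("%s: %s" % (location, issue))
```
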