Welcome to MobyThreads.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in
All support for the MobyThreads Threaded phpBB MOD can now be found on welsolutions at this forum

IIS 6.0 and worker process

  
   Web Hosting and Web Master Forums (Home) -> IIS RSS
Next:  can't map webdav-dir to driveletter  
Author Message
user1398

External


Since: Feb 10, 2004
Posts: 6



(Msg. 1) Posted: Mon Feb 23, 2004 8:21 am
Post subject: IIS 6.0 and worker process
Archived from groups: microsoft>public>inetserver>iis (more info?)
To connect from ASP.NET to Oracle successfully the ASPNET
account under IIS 5.0 must be member of local
administrators.

The worker process in IIS 6.0 now is running with a new
special account NTAUTHORITY\NetworkService with reduced
permissions. To connect to Oracle we need to start the
process with the ASPNET account insteed.

Can we change the account for the worker process ASP.NET
status service to the ASPNET user without any
limitations? If you want to advice us to try it anyway:
the server is in an production environment with already
running sites on it, so we can't risk any avoidable
problems.

Regards,
J. Schadler

 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 2) Posted: Mon Feb 23, 2004 11:37 pm
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Changing properties of user accounts that you do not create has system-wide
security ramifications. Adding ASPNET user to Local Administrators is like
adding IUSR Anonymous User to Local Administrators.

In any case, the worker process identity should not need to be Administrator
on the web server -- heck, SQL Server can be accessed with the default
Network Service identity , so we know secured SQL access can be done.
Problem is probably more on Oracle configuration or the Oracle DB connector.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Schadler Johann" <johann.schadler.TakeThisOut@telekom.at> wrote in message
news:14cb301c3fa0f$e5c03be0$a001280a@phx.gbl...
To connect from ASP.NET to Oracle successfully the ASPNET
account under IIS 5.0 must be member of local
administrators.

The worker process in IIS 6.0 now is running with a new
special account NTAUTHORITY\NetworkService with reduced
permissions. To connect to Oracle we need to start the
process with the ASPNET account insteed.

Can we change the account for the worker process ASP.NET
status service to the ASPNET user without any
limitations? If you want to advice us to try it anyway:
the server is in an production environment with already
running sites on it, so we can't risk any avoidable
problems.

Regards,
J. Schadler

 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
kenremove

External


Since: Aug 23, 2003
Posts: 2901



(Msg. 3) Posted: Tue Feb 24, 2004 3:33 am
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Why on earth do you need the ASPNet account to be part of the administrators
group?!? That smacks of bad setup on the Oracle side of things.

a) The NT Authority\Network Service is just the process identity (what
account is used to run the w3wp.exe process, even if there are no incoming
requests)

b) If you are allowing anonymous access, then the actual request is handled
in the user context of the configured IIS anonymous user account
(IUSR_<machinename> by default). Now the IUSR account is local to the
webserver, and can't be assigned permissions to network resources. So, if
Oracle is on another machine, then you'll need to change this account to a
domain account if you are using Windows accounts to login to Oracle.

I'm not an Oracle expert, but I'm pretty sure that you don't need ASPNet
running as a local admin (or worse, a domain admin) to login to Oracle.
That's just a disaster waiting to happen.

Cheers
Ken


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Schadler Johann" <johann.schadler.DeleteThis@telekom.at> wrote in message
news:14cb301c3fa0f$e5c03be0$a001280a@phx.gbl...
: To connect from ASP.NET to Oracle successfully the ASPNET
: account under IIS 5.0 must be member of local
: administrators.
:
: The worker process in IIS 6.0 now is running with a new
: special account NTAUTHORITY\NetworkService with reduced
: permissions. To connect to Oracle we need to start the
: process with the ASPNET account insteed.
:
: Can we change the account for the worker process ASP.NET
: status service to the ASPNET user without any
: limitations? If you want to advice us to try it anyway:
: the server is in an production environment with already
: running sites on it, so we can't risk any avoidable
: problems.
:
: Regards,
: J. Schadler
 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
user1398

External


Since: Feb 10, 2004
Posts: 6



(Msg. 4) Posted: Tue Feb 24, 2004 3:34 am
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Hi, Ken!

Thanks for your comments first!

As we have tried out there is no chance to connect to an
Oracle server (Unix/HP-Ux) with ASP.NET without ASPNET
beeing member of local administrators. We appreciate any
advice how to work around this security hole.

Maybe we don't really unterstand the new architecture of
the IIS 6.0. On the other side we don't want to switch
the IIS into IIS 5.0 compatibilty mode. As it seems we
need to set up a separate server to try out all
possibilities.

Regards,
Johann

 >-----Original Message-----
 >Why on earth do you need the ASPNet account to be part
of the administrators
 >group?!? That smacks of bad setup on the Oracle side of
things.
 >
 >a) The NT Authority\Network Service is just the process
identity (what
 >account is used to run the w3wp.exe process, even if
there are no incoming
 >requests)
 >
 >b) If you are allowing anonymous access, then the actual
request is handled
 >in the user context of the configured IIS anonymous user
account
 >(IUSR_<machinename> by default). Now the IUSR account is
local to the
 >webserver, and can't be assigned permissions to network
resources. So, if
 >Oracle is on another machine, then you'll need to change
this account to a
 >domain account if you are using Windows accounts to
login to Oracle.
 >
 >I'm not an Oracle expert, but I'm pretty sure that you
don't need ASPNet
 >running as a local admin (or worse, a domain admin) to
login to Oracle.
 >That's just a disaster waiting to happen.
 >
 >Cheers
 >Ken
 >
 >
 >--
 >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 >"Schadler Johann" <johann.schadler RemoveThis @telekom.at> wrote in
message
 >news:14cb301c3fa0f$e5c03be0$a001280a@phx.gbl...
 >: To connect from ASP.NET to Oracle successfully the
ASPNET
 >: account under IIS 5.0 must be member of local
 >: administrators.
 >:
 >: The worker process in IIS 6.0 now is running with a new
 >: special account NTAUTHORITY\NetworkService with reduced
 >: permissions. To connect to Oracle we need to start the
 >: process with the ASPNET account insteed.
 >:
 >: Can we change the account for the worker process
ASP.NET
 >: status service to the ASPNET user without any
 >: limitations? If you want to advice us to try it anyway:
 >: the server is in an production environment with already
 >: running sites on it, so we can't risk any avoidable
 >: problems.
 >:
 >: Regards,
 >: J. Schadler
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
kenremove

External


Since: Aug 23, 2003
Posts: 2901



(Msg. 5) Posted: Tue Feb 24, 2004 1:56 pm
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
"Schadler Johann" <johann.schadler RemoveThis @telekom.at> wrote in message
news:146b801c3fa1c$898c7de0$a301280a@phx.gbl...
: Hi, Ken!
:
: Thanks for your comments first!
:
: As we have tried out there is no chance to connect to an
: Oracle server (Unix/HP-Ux) with ASP.NET without ASPNET
: beeing member of local administrators. We appreciate any
: advice how to work around this security hole.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First you need to tell us why the ASPNet user has to be part of the
Administrators group. I've never heard of this before.

Cheers
Ken


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Maybe we don't really unterstand the new architecture of
: the IIS 6.0. On the other side we don't want to switch
: the IIS into IIS 5.0 compatibilty mode. As it seems we
: need to set up a separate server to try out all
: possibilities.
:
: Regards,
: Johann
:
: >-----Original Message-----
: >Why on earth do you need the ASPNet account to be part
: of the administrators
: >group?!? That smacks of bad setup on the Oracle side of
: things.
: >
: >a) The NT Authority\Network Service is just the process
: identity (what
: >account is used to run the w3wp.exe process, even if
: there are no incoming
: >requests)
: >
: >b) If you are allowing anonymous access, then the actual
: request is handled
: >in the user context of the configured IIS anonymous user
: account
: >(IUSR_<machinename> by default). Now the IUSR account is
: local to the
: >webserver, and can't be assigned permissions to network
: resources. So, if
: >Oracle is on another machine, then you'll need to change
: this account to a
: >domain account if you are using Windows accounts to
: login to Oracle.
: >
: >I'm not an Oracle expert, but I'm pretty sure that you
: don't need ASPNet
: >running as a local admin (or worse, a domain admin) to
: login to Oracle.
: >That's just a disaster waiting to happen.
: >
: >Cheers
: >Ken
: >
: >
: >--
: >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: >"Schadler Johann" <johann.schadler RemoveThis @telekom.at> wrote in
: message
: >news:14cb301c3fa0f$e5c03be0$a001280a@phx.gbl...
: >: To connect from ASP.NET to Oracle successfully the
: ASPNET
: >: account under IIS 5.0 must be member of local
: >: administrators.
: >:
: >: The worker process in IIS 6.0 now is running with a new
: >: special account NTAUTHORITY\NetworkService with reduced
: >: permissions. To connect to Oracle we need to start the
: >: process with the ASPNET account insteed.
: >:
: >: Can we change the account for the worker process
: ASP.NET
: >: status service to the ASPNET user without any
: >: limitations? If you want to advice us to try it anyway:
: >: the server is in an production environment with already
: >: running sites on it, so we can't risk any avoidable
: >: problems.
: >:
: >: Regards,
: >: J. Schadler
: >
: >
: >.
: >
 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
mk3

External


Since: Feb 26, 2004
Posts: 1



(Msg. 6) Posted: Thu Feb 26, 2004 6:58 am
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
The problem relates to Oracle-Metalink Article 215255.1: Oracle 9i
Release 2 (9.2.0.1.0) client software installation procedure changes the
security settings in&under ORACLE_HOME - Directory.

Reset the security settings on this folder (+ subs) to READ&EXECUTE for
all Authenticated Users, Restart IIS Admin and everything will work
without the "allmighty ASPNET"



*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
user1398

External


Since: Feb 10, 2004
Posts: 6



(Msg. 7) Posted: Thu Feb 26, 2004 9:30 am
Post subject: Re: IIS 6.0 and worker process [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
 >
 >First you need to tell us why the ASPNet user has to be
part of the
 >Administrators group. I've never heard of this before.
 >
 >Cheers
 >Ken

We have solved the problem meanwhile. The reason is a bug
at installing Oracle Client 9.2.x, where aren't set NTFS
permissions properly. We found the needed work around in
an Oracle metalink note, no 215255.1. (As you may know,
you can't join that support forum without an special
account, so we were lucky to find a guy with the needed
account who searched that knowledgbase for us.)

During the installation procedure the permissions for
the 'authenticated user' are not set correctly. In that
article there is explained to set the permissions for
the 'authenticated user' manually again for the whole
Oracle directory. After that the ASPNET user (under IIS
5.0) or the IWAM user (under IIS 6.0) is no longer needed
to be member of local administrators to connect to Oracle
via OLE DB.

Thanks for your interest/help.

Regards, J. Schadler<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS 6.0 and worker process 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
ASP worker process only running at 50% cpu - We have just set up a new server running Windows Server 2003 (IIS 6) and have an asp web app that kicks off threaded processes. The problem I'm having is that the process (running under w3wp.exe and user IWAM_MachineName which is a member of IIS_WPG...

Help: IIS6 worker process constantly crashes - O.K. After migrating the 4 most important ASP-based webs on IIS6 on High-End-Super-Duper Compaq Hardware we are rady to get crazy... (and to take Linux :-) ). IIS6 crashes at least 6 times a day. We tried eeeeeverything. Now we are using the "Resta...

Socket errors in IIS6 worker process model - I have an ASP application that works in IIS5 but not IIS6=20 worker process model (it works ok in IIS6 when it is=20 running in IIS5 Isolation mode). The application is=20 failing when at a point an in-process COM object,=20 implementing my business..

Multiple worker processes for a single application in a ap.. - Hello All, In IIS 6.0 We have a concept of worker processes and application pools. As I understand it, we can have multiple worker process per appliction pool. Each worker process is dedicated to a pool. If I assign only one application to a..

IISState - Which process? - I have IIS running a site in High Isolation mode so I've got a process for inetinfo.exe, a dllhost.exe for the particular IIS website I'm looking at, and a dllhost.exe for out-of-process components. Which of these do I run iisstate on? Do I need to run...
   Web Hosting and Web Master Forums (Home) -> IIS All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]