IUSR should be able to start/stop/restart a certain service - IIS

We have an installer, running as administrator, which installs a web application, running as IUSR, and a Windows service, running as Local Service (for now). The web application should be able to start/stop that Windows service (and no other) when maintenance mode is enabled via the web interface (e.g. when an update is applied).
Question: Which options do I have?
The installer has a "Run as" option for the service, but it takes username AND password, which I don't have for IUSR. IUSR should be able to start/stop a service that runs as IUSR, right?
Can I give IUSR permission to start/stop that service somehow else (registry)?
Or will I have to create a second service that checks a file for changes and acts upon these? But then I can never replace this service in maintenance mode, so this is a dirty hack.
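Service control rights are granted by the service's own security descriptor (DACL), not by the account the service logs on as, so the usual least-privilege option is to add one allow ACE for the calling account on that one service. The following is an added example, not code from the question: it grants IUSR (well-known SID S-1-5-17) start, stop and query rights on a single service; the service name 'MyAppSvc' is a placeholder, and the script is meant to run from the administrator-level installer.

```powershell
# Added example: grant one account start/stop rights on one service by editing that
# service's security descriptor, instead of giving the account broader privileges.
# Assumptions: 'MyAppSvc' is a placeholder service name; the caller is IUSR (S-1-5-17).
$ServiceName = 'MyAppSvc'
$Sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-17'   # well-known IUSR SID

# Read the current SDDL string from the Service Control Manager (needs admin rights).
$raw = (& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() -match '^D:' } | Select-Object -First 1)
if (-not $raw) { throw "Could not read the security descriptor for service '$ServiceName'" }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw.Trim())

# Service-specific rights from winsvc.h: SERVICE_QUERY_CONFIG (0x1), SERVICE_QUERY_STATUS (0x4),
# SERVICE_START (0x10), SERVICE_STOP (0x20), SERVICE_INTERROGATE (0x80), plus READ_CONTROL (0x20000).
# Deliberately excluded: SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC, WRITE_OWNER, DELETE.
$rights = 0x1 -bor 0x4 -bor 0x10 -bor 0x20 -bor 0x80 -bor 0x20000

# Skip if an allow ACE for this SID already exists, so the script is safe to re-run.
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.SecurityIdentifier -eq $Sid -and
    $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed
}
if (-not $existing) {
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $rights, $Sid, $false, $null)
    # Append after the existing ACEs; service DACLs are not inherited, so order stays canonical.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    & sc.exe sdset $ServiceName $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
}

# Verify: the new descriptor should now list the IUSR SID (or its SDDL alias) with RP/WP rights.
& sc.exe sdshow $ServiceName
```

Because the ACE is scoped to this one service, the web application gains no rights over any other service, which matches the "and no other" requirement in the question.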

Related

Serve static files from network share as gMSA

I am trying to serve static files from a file server running Windows Server 2016. I would like to use a group managed service account (gMSA) for the connection.
I have attempted configuring IIS on Windows Server 2012 to use the gMSA. The Test-ADServiceAccount cmdlet returns True for the gMSA I am attempting to use on the IIS host. I have gone under the basic settings option of the IIS site configuration, used the "connect as" button and set it to the gMSA account with no password. The prompt then says "Connect as 'gmsa-foo$'". However, when I attempt to press "ok", I get an error that the specified password is invalid.
Can I use a gMSA to allow access to the remotely hosted static files that I want to serve? Do I need to use a particular version of Windows Server to do so?
Make sure you added the gMSA account in the application pool identity.
It should be noted that this account may show unexpected behavior in IIS manager. For example, if you click on “Basic Settings” for an application that uses this account for its application pool, “Test Settings” may give you an error indicating “the user name or password is incorrect”. Usually, this can be ignored. Browsing any page in the application would be a better test – as long as you don’t receive a 503 response, the application pool username/password is fine.
You could get more information from the below document:
Windows Server 2012: Group Managed Service Accounts

Windows Azure RDP / FTP

Using the new interface for Windows Azure, how do I enable RDP? I am using a cloud service and my site is mysite.cloudapp.net. In my publish settings, I enabled RDP. Where do I find my RDP credentials? How do I enable FTP, if possible? Here are the instructions that I followed:
https://www.windowsazure.com/en-us/develop/net/common-tasks/remote-desktop/
I see no hosted services tab in the new layout.
When I try to RDP, I receive an instant failure message that I cannot connect. I am using Windows 8 and I tried Windows 7.
For RDP, assuming you've followed all the steps and the configuration is right, you need to use the management portal, click on cloud services on the left and select the service whose instance you want to RDP into, select instances in the menu at the top and then pick the instance you want to RDP into.
The bottom toolbar should include a connect option. Clicking on it should download an RDP file you can open to RDP into the machine; this will prompt you for the credentials you need to provide (as provided in your project configuration).
You can actually save this RDP file and re-use it for the deployment, but it may become invalid if you re-deploy as port numbers change.
As for FTP, much has been written about it, for example this, but you really need to consider the note in this article, for example - files you upload to the role instance will disappear if the role needs to be recycled for whatever reason.

Web role / worker role / VM role?

Sorry for the ambiguous question title! I have an ASP.NET app which works with additional third-party software (Burning Glass: it connects to the web app via TCP/IP, requires a properly configured DNS entry, a fixed IP and a minimum of 8 GB RAM, and it is completely managed via the command prompt) on a single dedicated server.
I want to convert my Web Forms app to MVC and deploy it in Azure, and also move the third-party software I use (with the above requirements). Is it possible to achieve the above requirements in Azure?
Which role should I use for burning glass?
The general rule is to install 3rd-party software in a Web or Worker role, alongside your web app if you'd like, as long as:
You can install via MSI or some other mechanism that doesn't require manual intervention
The installation time is relatively quick (maybe max. 5 minutes or so)
The installation is reliable
If any of those are not possible, you'd need to go with a VM Role to pre-install the app.
As far as managing an app via command-line: As long as you can make the command-line calls via your app, you're ok. If you need to enter commands into a console, then that's not practical in Windows Azure unless you can connect to the console remotely. Not knowing about Burning Glass, I don't have any idea whether this can be done.
While Windows Azure doesn't let you select your IP address, the assigned IP address remains in effect as long as you don't delete and redeploy your app. You can upgrade the app without redeploying, so that shouldn't be an issue for you.

Why are my executables being run as a domain user in IIS 6?

I'm having problems with IIS in DEV vs QA. One thing I noticed by watching Task Manager is that when a .exe runs on DEV it is running as the user instead of my generic IIS user. Is this normal for IIS with integrated authentication, or is there some other setting I need to look into?
With integrated authentication, processes are launched as the logged-in user. When anonymous integration is enabled, the processes are launched as the IIS user. It is also possible to enable both at the same time.

Adding "Network Service" Account to Administrators Group

My web app runs in IIS 6.0 under Windows Server 2003, and we all know that in this situation the user account "Network Service" is used by IIS.
I happen to have to allow a certain user to perform some action on my web page, and that action requires administrator privilege.
The laziest solution to me seems to add "Network Service" to Administrators Group, and it actually works.
MY QUESTION is: how DANGEROUS is this solution, and in what way can it compromise the security of my web server?
This is generally "a bad idea". If this is a public facing server then this is a really bad idea.
What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.
We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).
For more information, please see this answer which I left for another user regarding a similar problem:
Windows User Account that executes only IIS7 Provisions
An even better approach would be to never have direct communication between the web application and the windows service, but go through an intermediary such as a job or message queue. Your low privileged application places request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.
In both cases you should ensure that you don't overscope the responsibility of each task. i.e. ensure that if the task is to create a new Windows account on the server then don't allow that new account to gain more rights than it needs.
If I were to write some web function that required box-level admin, I would make that its own application in its own app pool, lock down that application as tightly as I could, give that app pool a named account (a domain resource, if on an Active Directory), and then give that account admin privileges on the box. Keeping it in its own app pool effectively locks it down from your regular application.
NT Authority/Network Service interacts with a ton of stuff on your machine. I cannot come up with any good reason to get Network Service admin privileges.
Under no circumstances do this.
If you add Network Service to admin group, then all anonymous users accessing your Web app will be admins by default and the damage potential is massive.
Per your question
I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.
that's fine - use Windows authentication on that web page and make the user a normal Windows admin. Now they, and all other admins, can perform the tasks you have set up.
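The gMSA answer above (add the gMSA as the application pool identity) and the dedicated-app-pool answer (isolate the privileged function in its own pool under a named account) both come down to the same configuration step. The following is an added example, not code from either answer: it checks that the gMSA is usable on this host, creates a separate pool running as that account, and places only the privileged application under it. The pool name, site name, application name, folder and the account 'CONTOSO\gmsa-foo$' are placeholders.

```powershell
# Added example: a dedicated application pool with a specific (gMSA) identity, so the
# privileged function runs apart from the rest of the site.
# Assumptions: all names below are placeholders; the gMSA has already been created in AD
# and this IIS host is allowed to retrieve its password (Install-ADServiceAccount done).
Import-Module WebAdministration
Import-Module ActiveDirectory

$PoolName = 'AdminTasksPool'
$Account  = 'CONTOSO\gmsa-foo$'      # gMSA: note the trailing $ and that no password is stored
$SiteName = 'Default Web Site'
$AppName  = 'admin'
$PhysPath = 'C:\inetpub\admin'

# A gMSA that is not installed on this host cannot be used by IIS; check before configuring.
$samName = ($Account -split '\\')[1]
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "gMSA '$samName' is not usable on this host; run Install-ADServiceAccount first"
}

if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-Item "IIS:\AppPools\$PoolName" | Out-Null
}

# identityType SpecificUser with an empty password is how IIS is told to log on with the gMSA.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = ''
}

# Only the privileged code lives under this pool; the regular site keeps its own pool.
if (-not (Test-Path $PhysPath)) { New-Item -ItemType Directory -Path $PhysPath | Out-Null }
if (-not (Test-Path "IIS:\Sites\$SiteName\$AppName")) {
    New-WebApplication -Name $AppName -Site $SiteName -PhysicalPath $PhysPath `
        -ApplicationPool $PoolName | Out-Null
}

# Grant the pool account read/execute on its own folder only; nothing is granted to the
# default pool identity, so the regular application cannot reach this code.
$acl  = Get-Acl $PhysPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $PhysPath -AclObject $acl

Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel | Select-Object identityType, userName
```

As the gMSA answer notes, "Test Settings" in IIS Manager may still report a bad password for this pool; requesting a page from the application (and not getting a 503) is the meaningful check.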
