Recycle (Restart) IIS 7 application pool from within ISAPI extension - iis

I am developing an ISAPI extension. How to make ISAPI extension to recycle (restart) application pool it is running on?
To achieve this I can disable Rapid-Fail Protection and call something like TerminateProcess(GetCurrentProcess(), 0);
But this leads to potential data loss.
Also I can do it by executing an external program: %windir%\system32\inetsrv\appcmd.exe recycle apppool /apppool.name:"name of my app pool". But this way I have to configure the app pool name somewhere and the pool identity has to have administrator privileges.
Also this could be done through WMI, but administrator privileges are needed for this too.
I don't want to give my application pool administrator rights.
So is there a way to give a user the privilege only to restart the application pool but not full administrator rights? Maybe some setting in Local Security Policy?
Or is the only solution to create a daemon (service) that will run as administrator and wait for a message from my ISAPI extension to restart it?

Related

IUSR should be able to start/stop/restart a certain service

We have an installer, running as administrator, which installs a web application, running as IUSR, and a windows service, running as Local Service (for now). The web application should be able to start/stop that windows service (and no other) when maintenance mode is enabled via the web interface (e.g. when an update is applied).
Question: Which options do I have?
The installer has a "Run as" option for the service, but it takes username AND password, which I don't have for IUSR. IUSR should be able to start/stop a service that runs as IUSR, right?
Can I give IUSR permission to start/stop that service somehow else (registry)?
Or will I have to create a second service that checks a file for changes, and acts upon these. But then I cannot replace this service in maintenance mode, ever, so this is a dirty hack.

ApplicationPoolIdentity or Local Services privileges

IIS 7.5 has a new inbuilt identity called ApplicationPoolIdentity. IIS takes care of authentication and avoiding interference of other processes running into Network Services.
I would like to know whether ApplicationPoolIdentity has more permissions or Local Services.
As per my understanding Local System has got higher privilege, then Network Service and Local Services then minimum privileges are given to ApplicationPoolIdentity.
But then if you are running your IIS application in ApplicationPoolIdentity then it can access network resources.
Can you please clarify which has the minimum privileges?
Thanks
Keshav

IIS6 app pool credential causes site to say "Access is denied"

Ok I'm stumped. I've configured an IIS 6 website with its own App Pool, which has its own AD domain credential. When I attempt to browse the site, I see a page that simply says "Access is denied.". There is no error code or information in Event Logs.
I am able to open Notepad with the app pool account credentials (and open the html file I'm trying to browse).
If I add the app pool's domain account to the local administrators group, the site loads. However, this is not acceptable for our environment.
I have successfully configured this site on two servers (that are supposed to be identical in a load-balanced pair). However, try as I might, I can't find any difference between these two servers' configurations.
Is your pool identity present in the local group IIS_WPG?
This group ensures the Worker Process will have the required privileges to run correctly.
Also, your WebSite root folder must have Read permissions for IIS_WPG, which is the case if your root is in Inetpub\wwwroot.
Same for C:\WINDOWS\Microsoft.NET\Framework\vx.x.x.x\Temporary ASP.NET Files + Write, if you run ASP.NET WebSites.
FYI, in IIS 7, the group is now known as IIS_IUSRS.
Default permissions and user rights for IIS 6.0
Configuring Application Pool Identity in IIS 6.0
I reinstalled IIS 6 and the error has gone away. After reinstalling IIS, I had to reinstall .NET 4 as well.
Thank you very much for your suggestions and advice though!

Why are my executables being run as a domain user in IIS 6?

I'm having problems with IIS in DEV vs QA. One thing I noticed by watching task manager is that when a .exe runs on DEV it is running as the user instead of my generic iis user. Is this normal for IIS with integrated authentication or is there some other setting I need to look into?
With integrated authentication, processes are launched as the logged in user. When anonymous integration is enabled the processes are launched as the iis user. It is also possible to enable both at the same time.

Adding "Network Service" Account to Administrators Group

My web-app runs in IIS 6.0 under Windows Server 2003, and we all know that in this situation, user account "Network Service" is used by IIS.
I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.
The laziest solution to me seems to be to add "Network Service" to the Administrators Group, and it actually works.
MY QUESTION is, how DANGEROUS this solution is, and in what way can it compromise the security of my web server?
This is generally "a bad idea". If this is a public facing server then this is a really bad idea.
What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.
We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).
For more information, please see this answer which I left for another user regarding a similar problem:
Windows User Account that executes only IIS7 Provisions
An even better approach would be to never have direct communication between the web application and the windows service, but go through an intermediary such as a job or message queue. Your low privileged application places request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.
In both cases you should ensure that you don't overscope the responsibility of each task. i.e. ensure that if the task is to create a new Windows account on the server then don't allow that new account to gain more rights than it needs.
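The queue approach described in the answer above, as an added example that is not part of the original answers: the privileged side accepts only a fixed task against pools listed in its own table and rejects everything else. The JSON message shape, the task id "recycle-apppool", the alias "site-a" and the pool name "ExampleSitePool" are assumptions made for illustration; the appcmd invocation is the one quoted in the first question on this page.

```python
import json
import os
import subprocess

# Assumptions (not from the page): the JSON message shape, the task id
# "recycle-apppool", and the alias/pool names are constructed for illustration.
APPCMD = os.path.expandvars(r"%windir%\system32\inetsrv\appcmd.exe")
ALLOWED_POOLS = {"site-a": "ExampleSitePool"}  # request alias -> real pool name
MAX_MESSAGE_BYTES = 256

def build_command(raw: bytes) -> list:
    """Validate one queued request and return a fixed argv, or raise ValueError."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    try:
        req = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise ValueError("not valid JSON") from exc
    if not isinstance(req, dict) or set(req) != {"task", "target"}:
        raise ValueError("unexpected fields")
    if req["task"] != "recycle-apppool":
        raise ValueError("task not allowed")
    target = req["target"]
    if not isinstance(target, str) or target not in ALLOWED_POOLS:
        raise ValueError("target not allowed")
    # The pool name comes from the service's own table, never from the request.
    return [APPCMD, "recycle", "apppool", "/apppool.name:" + ALLOWED_POOLS[target]]

def process_queue(messages, runner=subprocess.run):
    """Privileged side: execute valid requests, record a reason for the rest."""
    results = []
    for raw in messages:
        try:
            argv = build_command(raw)
        except ValueError as exc:
            results.append(("rejected", str(exc)))
            continue
        runner(argv, shell=False, check=True)  # argv list, no shell parsing
        results.append(("executed", argv[-1]))
    return results

SAMPLE_QUEUE = [  # constructed messages as the low-privileged app might enqueue them
    b'{"task": "recycle-apppool", "target": "site-a"}',
    b'{"task": "create-account", "target": "site-a"}',
    b'{"task": "recycle-apppool", "target": "DefaultAppPool"}',
    b'{"task": "recycle-apppool", "target": "site-a", "args": "/commit"}',
    b"not json",
]

if __name__ == "__main__":
    # Dry run: print the command instead of invoking appcmd.
    for status, detail in process_queue(SAMPLE_QUEUE, runner=lambda a, **k: print(a)):
        print(status, detail)
```

Because the request carries only an alias, a compromised web application can at most trigger a recycle of a pool the service already lists.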
If I were to write some web function that required box-level admin, I would make that its own application in its own app pool, lock down that application as tightly as I could, give that app pool a named account (a domain resource, if on an Active Directory), and then give that account admin privileges on the box. Keeping it in its own app pool effectively locks it down from your regular application.
NT Authority/Network Service interacts with a ton of stuff on your machine. I cannot come up with any good reason to get Network Service admin privileges.
Under no circumstances do this.
If you add Network Service to admin group, then all anonymous users accessing your Web app will be admins by default and the damage potential is massive.
Per your question
I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.
that's fine - use Windows authentication on that web page and make the user a normal Windows admin. Now they, and all other admins, can perform the tasks you have set up.
