What permissions does Network Service require on Vista / IIS7? - security

Doing some more tinkering with development on VS2008/Vista/IIS7, I'm wondering at a few things regarding the Network Service account. It had no issues running my website until I attempted to set up the Sql Role Membership Provider, which creates a local database in the App_Data folder. Somewhere in there, Network Service ran out of the permissions needed to auhenticate my client.
I solved the problem by changing the app pool to run under my admin account (and later by granting Network Service admin permissions for now), but I'm curious as to what permissions Network Service is missing as I'd ultimately like to keep it (and my sites) out of the admin group. Any ideas?
Also, where's a good place to go debug this stuff? EventLogs have nothing useful, so I'm not sure where else would be a good place to find out when an account tries to do something and is denied. Maybe I just don't have the logs configured properly?
Thanks!

Oddly enough, it looks like gving Network Service write access to the folder containing the mdb file wasn't enough. It apparently wants read access to everything under the "Documents\Visual Studio 2008 directory" as well (the site is hosted from within that directory). Seems ok now. Thanks ProcessMonitor!

Related

SQL Server Backup\Restore - Cannot access the specified path or file

I've recently changed the default BackupDirectory for a SQL Server 2008 R2 instane in the registry from I:\ to K:\ and since then whenever I try to backup or restore using SSMS I'll get an error
Cannot access the specified path or file
when I browse for the path.
It happens to the root and all folders in K:\. If I key in I:\ in the path and browse, there's no such issue. I've replicated the permission on I:\ and later added the service account for SQL and MSSQLSERVER to K:\ with Full Access. I've even tried adding Everyone with Full Access and it still shows the same error. I've googled around and find a lot of similar questions but no working solution for me. I've also tested master.sys.xp_dirtree on K:\ and no error. I've even tried procmon.exe but no indication of what went wrong
K:\ is the newly created pool in our SAN allocated for backups only. The SQL Server is part of a Windows 2008 R2 Failover Cluster. Both I:\ and K:\ is configured as SQL Server's cluster resources.
Fyi, I login to SSMS using a SQL Server account, since my machine is not part of the domain. But it was never an issue with I:\ to begin with.
EDIT: There's no error if I backup/restore with T-SQL, meaning the read/write permission for SQL Server for K:\ is correct.
I had this issue but realised that I was logging into the server (in SSMS) using SQL authentication. Once I hoped on the box as a local admin and then logged in with windows authentication to SQL server, I could see the files fine.
I has same issue and found solution on another post from SO. I moved my backup file to other directory and it worked. Solution can be found here.
I tried everything on the web, but none of them successed. Then, I installed some new feature to existing SQL Server (Data Quality and Integration Service) and finally I successed to select backup file from Restore Database menu.
It Because of no (sysadmin) Privilege for your login account to SSMS; mostly.
by this way:
Open Security > Logins > Choose your account "if Windows Administrator, use it"
right click, properties > Server Roles > then check on "sysadmin" or "dbcreator" if this account must have less or specific permissions.
"Take care" you've to use another account has "sysadmin" privileges to do this step because none allowed to give himself more privileges.
I had a similar issue, when new service account has been created for SQL server. To resolve this,Add the new service account to the local Administrator group on the back up server. This can be done by loggin into the server, then computer management->users and groups->Administrator.Double click administor and add the new service account created.

Cannot read configuration file due to insufficient permissions

I am trying to test my Web Service on an IIS instance on my local machine before I promote to a windows server 2008 environment. I get this when I attempt to browse to the service. I have created a custom application pool that this service will run under btw. So I am guessing that that application ID does not have permissions to access that folder etc... I get this little detail btw...
"This error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error."
I am thinking I need to give that application identity permissions, but I am unsure how to accomplish this.
Is there another way to get this done?
Not sure whether this is too late for you.
The IIS website is run by either USERS or IIS_IUSRS.
Try to do following:
From Windows Explorer
Right click on the folder pointed by the web
Go to security tab
Add computername\IIS_IUSRS or computername\USERS with Read permission.
1.Open IIS
2.On left side panel click on application pools
3.And go to its properties and change identity value from "ApplicationPoolIdentity" to "Local System".
I resolved the problem when i tried this.
I faced a similar issue on Windows 8.1. I fixed it by changing identity value from ApplicationPoolIdentity to Local System.
Check your sites Security -> Authentication feature. If anonymousAuthentication is enabled, click on the Edit link (in the Actions column) to see which identity is being used; if it is IUSR, make sure IUSR has FileSystem ACL privileges on the website's folder and files. If it set to 'ApplicationPoolIdentity' make sure group IIS_IUSRS has the same rights, because the 'ApplicationPoolIdentity' is dynamically added to the IIS_IUSRS group at runtime.
Modifying the application's identity setting from "ApplicationPoolIdentity" to "LocalSystem" on IIS(7) solved my issue. when adding permission to the IIS_IUSRS did not. I don't quite understand why though.
For me, I just transferred my files under c:\inetpub\wwwroot and the error is gone.
All I had to do was edit permissions for the virtual directory(application) in IIS 7.5 and add IUSR to the permissions. That fixed it.
If you chosen old version of .Net framework in application pool of IIS may sometimes cause this issue. So Try with higher .net framework version.

Which IIS Account should I grant directory access privileges to?

I've moved my codebase to a new directory and need to grant the IIS account read/write privileges on a few folders to allow access by the ASP.Net runtime. I believe NETWORKSERVICE is no longer used for this purpose (as mentioned in this earlier question:
ASP.Net which user account running Web Service on IIS 7?) but, try as I might I can't seem to be able to add the IISAppPool/IIS Worker Process the article links to.
I've found a MyDomain/IIS_WPG account but this isn't the one that is listed in Task Manager for the w3wp process. Can someone help?
UPDATE:
Even odder - the Application Pool for the website in question uses the LocalSystem identity which I thought would be able to access pretty much the entire machine. Is there something incorrect about my basic machine/Windows setup?

IIS 7 and 503 error for file copy access denied problem

I'm running Windows 7 SP 1 and have just turned on IIS 7. Just trying to access the default page it creates I get a 503 error, and the application pool stops. I look in the event log and I find the error:
Windows cannot copy file \?\C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm to location \?\C:\Users\TEMP.IIS APPPOOL.000\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm. This error may be caused by network problems or insufficient security rights.
DETAIL - Access is denied.
I tried making the TEMP.IIS APPPOOOL.000 folder available to everyone. I tried making Users available to everyone. No luck, it still dies with the same error.
What is happening here, and how can it be fixed?
It sounds like you're having the same problem as details in this IIS.NET forums thread. You didn't mention if you have x64 Windows 7 or not. Suspect that your development machine is misconfigured somehow; sounds like the uninstallation and reinstallation of IIS7 would help/fix.
Suggested courses of action:
Open IIS and its Application Pools. Open "DefaultAppPool" and any other Application Pools in use.
Click Advanced Settings for each of these. Ensure the "Load User Profile" is set to 'False'
Also ensure that the "Set Application Pool Defaults" has the Load User Profile set to False."
I encountered the same problem in my development environment (Windows 8.1). Instead of disabling the load user profile as suggested by P.Campbell, I went ahead and changed the permission of the sqm file to allow modify accesses for IUSR, IIS_IUSRS and Network Service. In my case, the sqm file was not able to show me the file owner in which I taken over with my user account.
Basically, my problem was solved by giving the correct permission for both source and destination files/folders.
Found the answer here - http://forums.iis.net/p/1180636/1992024.aspx
Open IIS Manager
Find the App Pool that is causing the problem
Open Advanced Properties
Change 'Load User Profile' to false
Fixed!
After struggling with all these Application Pool issues in IIs, I found the problem and the solution. This may help you.
Each application pool on each website in Microsoft's Internet Information Server creates its own user account and folder under the "c:\Users" directory when the pool is created and first run. Its actually a virtual user account and should be named for the Application Pool assigned to your web application in IIs. In most development environments, its the default website or "DefaultAppPool". It uses this temporary user account to run the pool. Each website should have a named user pool account. This User folder is used by the pool and ASP.NET for caching and writing of file resources and other things used by IIs, ASP.NET, and this virtual account.
In some setups people are not seeing this folder but a "TEMP" folder (like you have) when the IIs web site is accessed and using the pool.
If you instead see a "TEMP" folder in the Users folder you have a broken application pool account in IIs and in the Registry. The pool is creating the TEMP folder as a backup for this virtual account, which might not have the right security setup. I had this exact scenario.
To fix it go to the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
See if you have a SID user account with the ".bak" extension for a DefaultAppPool user account. If so delete it and restart your PC. Test your website again, making sure its actually setup to use DefaulAppPool. It should now recreate the "DefaultAppPool" folder in Users, recreate the registry entry for DefaulAppPool user, and your error should go away.
You can delete the TEMP user folder at that point under the Users folder. (Keep in mind if your web app has been storing cached information critical to users of the website, some of that might have to be inserted into the new DefaultAppPool user folder. But for most of us, just delete it.)
I also found I had to add this kooky virtual application pool account to my local database so the worker process and app pool accnt could have the rights to grab data from SQL Server: Just go into SQL Server and under logins add "IIs AppPool\DefaultAppPool" and then assign it as a user to your databases.
(btw whomever dreamed up this virtual application pool account system is nuts....its way too complicated and convoluted to sort out)
After I did this, all my stack overflow errors went away in Visual Studio for my web application, all data connections fired perfectly, all write permission to the default User profile stored properly, and all the restarting and crashing of the Application Pool in IIs ended completely. :)

How to give Website permission to create further Websites in IIS 7.5?

I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.

Resources