Questions[iusr](server)

I was recently tasked with fixing a Windows Server 2003 server running IIS 6.0 that was giving:

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

It started giving these responses after windows update patch kb2633880 was applied which seems to have changed some default permissions with the IUSR_Machine account and the .Net framework directory.

The problem is all requests for asp.net resources (e.g. .aspx) did not work while everything else did (e.g. text, html). The application is set to serve anonymous requests using the IUSR_machine account and Network Service for the application pool account.

I verified the Network Service account can access the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory just fine but the IUSR_machine account cannot. After granting the IUSR_machine account access to the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory the problem is resolved. This seems very strange to me.

My question is why isn't IIS using the account of my application pool (Network Service) to load the aspnet_isapi.dll? From the troubleshoot above it seems quite clear that it is in fact using the IUSR_machine for this, which seems like a security hole. The identity tag in web.config is not set either so that is default.

I would appreciate any advice on this one, thanks.

I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting

 fastcgi.impersonate = 1

If my website will have this configuration

• dedicated application pool
• application pool identity of ApplicationPoolIdentity
• anonymous authentication only (as IUSR)

why do I want to impersonate?

I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR.

I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?

I'm using IIS7 (Windows Server 2008 x64) and I have a website setup using anonymous authentication. The anon user identity is configured as IUSR. The application writes files to a folder and I'm giving the IIS_IUSRS group RW permissions to the folder. This doesn't work. I must explicitly give IUSR RW perms to allow the application to write to the folder.

It's my understanding that the application pool identity is automatically added to the IIS_IUSRS group. I assumed that IUSR (or any anonymous user identity) was also an implied member of the IIS_IUSRS group as well. It doesn't appear that this is the case.

While troubleshooting, I use Process Monitor to view access to the folder and determined that Network Service (the application pool identity) is impersonating IUSR (this is what I expected) but giving RW perms to the IIS_IUSRS group didn't allow IUSR to access the file (Access Denied).

Can anyone explain whether IUSR is or isn't a member of the IIS_IUSRS group?

I've reviewed the following documentation and found no solid answer:

Understanding Built-In User and Group Accounts in IIS 7

Application Pool Identities

My CGI application is trying to use SSPI Schannel to create a TLS connection with another server. http://www.coastrd.com/c-schannel-smtp

The handshake process begins by checking for a certificate in the "MY" certificate store http://msdn.microsoft.com/en-us/library/aa376560(VS.85).aspx

This function returns zero and GetLastError also returns zero!? I assume this is a permissions issue. How do I get this to work without elevating IUSR to administrator for example?

ADDED

Accessing user certificates requires running as the specific user, and accessing the user private key requires either that the user has logged on locally with the password, or that the server is enabled for delegation.

Machine certificates are readable by everyone, but accessing the private key requires admin rights (or local user) unless you adjust the ACL.

ADDED

In this situation, there are no restraints on certificates, but "MY" certificate store is empty and I don't want to buy a certificate just for this.

I am currently using WS2003. The server I am connecting to is gmail.com to send emails using TLS. My code can look for a certificate, but I don't have one. In the reading I have done, it seems like a giant headache to get a certificate, with registration and purchasing and installation, otherwise you just get a temporary solution which is no help. Unless you know of an easy way to get a certificate, this is a lot more trouble than I want to go to just to send email from a CGI app. Is there ANY other way?

I VERY much appreciate your help Joe, but $30/yr x nServers is just not an option. I am wondering if there is a way to hand the task off to another process that IS running with Admin privildeges, like a service perhaps? I could even create an application that is scheduled to read from a given folder and send any emails found there. Other than that, I would have to try elevating the CGI application to Administrator.

ADDED

Goyuix, thank you for the suggestions. The challenge is to provide a stand alone solution without resorting to other libraries like .NET (60MB) or ASP with it's attendant problems.

You are correct, I only need server Authentication. I was not aware it was possible to authenticate one side only. your statement: "Having no client certificate should not stop you from establishing a secure channel for SMTP. You may just need to code around that part of the handshake." turned out to be the solution.

This reminds me of the old plumber joke. The plumber is called to unblock the drain. He takes one look , pulls out a hammer and hits the pipe once. He asks for $180 for 5 mins work itemized as, $30 callout charge and $150 to kown where to hit the pipe.

Thank you both. This has been a LONG uphill slog.

An appliction launched by IIS6 (as a result of an HTTP request) is failing to initialize a dll. If I launch it as the administrator when logged in locally by double clicking, all is good.

This app utilizes TLS encryption via a third party DLL called cryptlib. http://www.coastrd.com/smtps/cryptlib This should not be any big deal in itself, as most of my CGI apps use MySQL/zlib/... etc dlls without problem. In this case (probably due to the nature of creating an SSL/TLS session) the app runs fine if launched by double clicking as administrator, but will not run when launched by IIS as the result of an incoming request. IIS uses the account "Internet Guest Account... (... IUSR)" (we assume) to execute the CGI application from a simple web page HTTP POST request.

I have tried giving full control to the IUSR account on the app, the dll and the folder but no joy. Next I broke out ProcMon and looked for an "ACCESS DENIED" result. The only one I could find was as a result of CreateFile Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, C:\WINDOWS\Debug\UserMode\ChkAcc.log

This is puzzling as my application is not writing to that log file (I assume IIS is so why would it be having a problem?)

Next I compared the ProcMon output for the successful Administrator launch against the IUSR launch and discovered that a "ReadFile" operation was not present in the failed launch. I do not get an ACCESS DENIED error for this, the operation just doesn't happen.

The sequence of sequntial operations for cl32.dll should be: QueryOpen CreateFile CreateFileMapping QueryStandardInformationFile CreateFileMapping CreateFileMapping CloseFile Load Image ReadFile

I assume this is where the DLL is loaded into memory for use.

Instead of the ReadFile operation (in the failed launch) there is: RegOpenKey HKU\S-1-5-21-4122272316-1273673783-4216733774-1003 NAME NOT FOUND

It quacked a little like the "Bypass traverse checking" problem described here http://forums.iis.net/t/1153139.aspx http://technet.microsoft.com/en-us/library/cc739389(WS.10).aspx but that did not solve the problem.

At this point we have exceeded the limit of my knowledge of user accounts and permissions by a large margin. One thing is clear, this a permissions problem. The question is, which permission?

ADDED

Adding ISUR to Administrators: 1. Right-click My Computer on your Desktop and click Manage. 2. When the Computer Management window opens, expand Local Users And Groups 3. Select Groups and double-click Administrators in the right pane. 4. Click the Add button 5. Click Advanced then Find Now and Select IUSR 6. Click OK. 7. Restart IIS

This did NOT fix the issue. I dug up Filemon v7.3 and it is IUSR that is

er.exe:2240 OPEN C:\WINDOWS\system32\USERENV.dll SUCCESS Options: Open Access: 00100021  
er.exe:2240 CLOSE C:\WINDOWS\system32\USERENV.dll SUCCESS  
er.exe:2240 OPEN C:\WINDOWS\debug\UserMode\ChkAcc.log ACCESS DENIED MY-SERVER\IUSR_MY-SERVER  
er.exe:2240 CREATE C:\WINDOWS\debug\UserMode\ChkAcc.log ACCESS DENIED MY-SERVER\IUSR_MY-SERVER 

At this point ill take any stabs in the dark at what permission this might be :)

ADDED

I changed the permission on the file ChkAcc.log and the folder UserMode, I also checked the advanced permissions and found a deny on the application and the Dll. I removed them both. I restarted IIS and even re-booted the machine. Still no luck.

I am wondering if the ACCESS DENIED is in fact the problem. I rewrote the app to create and write to a file in that folder and it worked:

OPEN            C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Options: OpenIf  Access: 00120196
SET INFORMATION     C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Length: 0
SET INFORMATION     C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Length: 0
WRITE           C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Offset: 0 Length: 41
WRITE           C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Offset: 41 Length: 2
SET INFORMATION     C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Length: 43
SET INFORMATION     C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS Length: 43
CLOSE           C:\WINDOWS\debug\UserMode\ChkAcc.txt    SUCCESS 

This leads me to suspect that the folder permission is not the issue at all, but the DLL is failing to initialize for some reason.

Is there some way to give IUSR the identical permissions as ADMIN? then perhaps I can remove them one by one. Perhaps I could even create a second user with ADMIN permissions and have IIS use that instead of IUSR for incoming CGI requests?

Clearly adding IUSR to the ADMIN group is not the same as running the app as ADMIN.

ADDED

Actually the problem turned out to be due to the dll performing various sanity-check tests on startup, including the ability to read files. To do this it tries to read the user's home directory (or in Windows terms the user's profile directory)

In testing on Windows 2003 Server box, I find

IUSR

CSIDL_APPDATA = C:\WINDOWS\system32\config\systemprofile\Application Data

Administrator

CSIDL_APPDATA = C:\Documents and Settings\Administrator.MY-SERVER\Application Data

I suspect that the cgi process is being denied access to any system32 folders. This is behavior I would expect until IUSR is added to the administrators, then I would expect this to work.... yet it doesn't. The solution was to re-write the dll, but I am still puzzled by this