Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/18/04


Date: Wed, 18 Feb 2004 14:24:23 -0800


> However, you mentioned that the COM actions are "completely subject to
> its behavior, not ASP's"... But isn't the COM object running under the
> impersonated account? In IIS 6.0, is that (by default) the IUSR account or
> is it the application pool identity account?

The COM object can be running under the impersonated account, but any Win32
code can change the user token with which it executes any action. For
example, even if IIS launched the COM object with the impersonated user, the
COM object can call RevertToSelf() immediately and start executing as the
process identity.

HOW DO YOU KNOW THAT IT DID NOT DO THIS???

It is arbitrary code, as I note, so it can have arbitrary behavior -- and
you CANNOT assume anything about the identity it uses or how it works unless
you have its source code or accurate documentation. As a result, it is
incorrect for you to apply what documentation says about ASP's behavior to
any components that it runs -- the component MAY cooperate with ASP's
behavior, but it doesn't have to.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
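The point David makes above is mechanical: a thread that IIS impersonated can drop back to the process account with one Win32 call, and nothing in ASP prevents a hosted component from doing so. The script below is an added example, not code from the thread or from the component being discussed. It reproduces that token switch in PowerShell with the same Win32 calls an ATL component would use, and runs the practitioner's check that settles the question for a black-box component: probe write access to the data directory while impersonating, call RevertToSelf(), and probe again. The test account passed as -Credential and the directory passed as -DataDir are hypothetical; choose a low-privilege local account and a directory whose ACL you control.

```powershell
<#
  Added example (not from the thread). Shows that code on an impersonating thread
  can return to the process identity with RevertToSelf(), and that file access is
  then checked against the process account, not the impersonated user.

  Usage (hypothetical names):
    .\Invoke-RevertToSelfProbe.ps1 -Credential (Get-Credential '.\iusr_test') `
                                   -DataDir 'D:\app\data'
  Run in Windows PowerShell 5.1 from an elevated prompt.
#>
param(
    [Parameter(Mandatory)][pscredential]$Credential,   # hypothetical low-privilege test account
    [Parameter(Mandatory)][string]$DataDir              # hypothetical data directory to probe
)

# P/Invoke the same advapi32 entry points a native COM object would call.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # yields an impersonation-level token, as IIS anonymous auth does
$LOGON32_PROVIDER_DEFAULT = 0

# Identity of the calling thread right now: the impersonated user while impersonating,
# the process account otherwise. This is the token a COM method inherits when ASP calls it.
function Get-ThreadUser {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}

# Probe whether the current thread token can create a file in $Dir, then clean up.
function Test-WriteAccess([string]$Dir) {
    $probe = Join-Path $Dir ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$nc     = $Credential.GetNetworkCredential()
$domain = if ($nc.Domain) { $nc.Domain } else { '.' }   # '.' = local machine accounts

$hToken = [IntPtr]::Zero
if (-not [Win32.Token]::LogonUser($nc.UserName, $domain, $nc.Password,
        $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$hToken)) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "LogonUser failed (Win32 error $err)"
}

try {
    $processUser = Get-ThreadUser

    # Step 1: behave like IIS. The thread now carries the test account's token.
    if (-not [Win32.Token]::ImpersonateLoggedOnUser($hToken)) { throw 'ImpersonateLoggedOnUser failed' }
    $impersonatedUser  = Get-ThreadUser
    $impersonatedWrite = Test-WriteAccess $DataDir

    # Step 2: behave like a component that does not cooperate with ASP. After this
    # one call every file operation is checked against the process account's rights.
    if (-not [Win32.Token]::RevertToSelf()) { throw 'RevertToSelf failed' }
    $revertedUser  = Get-ThreadUser
    $revertedWrite = Test-WriteAccess $DataDir

    [pscustomobject]@{
        ProcessIdentity           = $processUser
        ImpersonatedIdentity      = $impersonatedUser
        ImpersonatedCanWrite      = $impersonatedWrite
        IdentityAfterRevertToSelf = $revertedUser
        RevertedCanWrite          = $revertedWrite
    }
}
finally {
    [Win32.Token]::RevertToSelf()    | Out-Null   # never leave the shell impersonating
    [Win32.Token]::CloseHandle($hToken) | Out-Null
}
```

Grant the directory to only one of the two accounts before running it and the two probe results diverge, which is the observation the original poster made with TestService. The same experiment, with the real component in place of the script, is the only reliable way to learn which token a closed-source DLL writes with: as David says, documentation about ASP's own behavior tells you nothing about code ASP merely hosts.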
"C K" <blah@blah.com> wrote in message
news:c0rsmu$mrk$1@newstree.wise.edt.ericsson.se...
Hi David,
The COM object is an apartment model COM object (created with ATL) that is
created in the global.asa and assigned to session scope with the
<OBJECT RUNAT=Server SCOPE=Session ...>
command.  (I do know that it is not recommended for apartment COM objects to
be assigned to session scope, but that is how the object was designed...
would this have any effect on impersonation identities?)   Otherwise, the
COM object is not part of any MTS/COM+ package where you can configure the
identity it is running under.
As far as I know, the COM is not doing anything explicitly to specify any
change in privileges or security access rights.  It is just performing what
is needed to be done, which is connecting to the remote server, d/ling the
data, and creating the memory mapped files in the data directory.
However, you mentioned that the COM actions are "completely subject to its
behavior, not ASP's"... But isn't the COM object running under the
impersonated account?  In IIS 6.0, is that (by default) the IUSR account or
is it the application pool identity account?
Thanks.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uKGZuyt8DHA.2412@TK2MSFTNGP09.phx.gbl...
> ASP itself uses the impersonated identity, as described by documentation and
> verified through testing. Custom code that ASP runs, like your COM object,
> could be doing something else. Actions done by the custom code, like connecting
> to a network server and d/ling files, are completely subject to its behavior,
> not ASP's.  It could cooperate with ASP's behavior, but it doesn't have to.
>
> Is the COM object configured to use the impersonated (IUSR) or process
> (TestService) identity?  Do you know?
>
> For example, a COM object could be calling RevertToSelf(), which in older
> IIS gives it access to LocalSystem (in low isolation) or IWAM (in
> medium/high isolation).  It will now be using "TestService" identity.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "C K" <blah@blah.com> wrote in message
> news:c0j6gt$moo$1@newstree.wise.edt.ericsson.se...
> Hi,
>
> It is actually not an upload application.  When the web application first
> starts up, it will launch a COM object method that connects to a remote
> server and then syncs some information to its local store.  This local store
> is in the form of some memory mapped files that are located in a data
> directory.  That is what I find strange.  I had thought that either the IUSR
> would need the write privileges or that both the IUSR and the TestService
> account would need write, but it is actually only the TestService account
> that matters.
>
> What actually happens is this: If everything works, the memory mapped files
> are created and have the correct data.  If I do not give the TestService
> account modify/write privileges, then the memory mapped files are created in
> the directory, but they have no data in them.  The routines to retrieve the
> data are in a statically linked dll that I do not maintain, so I do not know
> what kind of things it is doing.  I just know that generally it connects to
> a remote server and retrieves data.
>
> In this case, I do not believe it has to do with the caching of the user
> tokens because after each NTFS permission change, I do an iisreset.  I also
> have only anonymous authentication enabled as well -- no other auth is
> enabled.
>
> Thanks.
>
>
> ""WenJun Zhang[msft]"" <v-wzhang@online.microsoft.com> wrote in message
> news:OfEZtvh8DHA.1988@cpmsftngxa07.phx.gbl...
> > Hi C K,
> >
> > As I know, in this kind of scenario, both the process identifier (i.e.
> > TestService) and the thread identifier (IUSR_machinename) need to have write
> > permission on the upload folder. I have tested some similar web
> > applications as yours - using com dll in ASP pages to upload files -
> > and the result was coincident.
> >
> > I doubt if the behavior you met is caused by IIS caching the IUSR
> > account's token. By default, IIS refreshes this kind of cache every
> > 15 mins:
> > 152526 Changing the Default Interval for User Tokens in IIS
> > http://support.microsoft.com/?id=152526
> >
> > Recycle the site's application pool or use iisreset to restart IIS to
> > test. Also, only enable anonymous access on this site to prevent the
> > possibility of IE auto-finishing integrated auth with IIS. Will the
> > behavior persist?
> >
> > Have a nice day,
> >
> > WenJun Zhang
> > Microsoft Online Support
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Get Secure! - www.microsoft.com/security
> >
>
>
>

