Re: dllhost still running in ii6

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/24/05


Date: Thu, 24 Mar 2005 14:27:33 -0800

Usage of FileSystemObject has been known to be blocked by various personal
security software (I think they pop up a dialog box, and since IIS runs as a
service, the dialog box does not show up on your desktop and hence
completely hangs the server [either halts or high CPU]). Bad, bad security
software, popping up UI on a server...

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"drazic19" <drazic19@discussions.microsoft.com> wrote in message
news:13E93AD8-8CFC-46F6-BED5-F4380972D2AF@microsoft.com...
Hi,
Think you've got the problem pretty much perfectly right. I've got IIS6
working now without IIS5 isolation, had to recreate the IUSR account and get
the username and password correct in anonymous user. Website works fine and
w3wp.exe is being started by Network Service. So that seems to be fine. As
for tracking down the code that causes the CPU for w3wp.exe to spiral out of
control it's a line that creates a file in a file upload:
Set MyFile = objFSO2.CreateTextFile(server.MapPath(UploadRequest.Item("inpDirectory").Item("Value") & "/" & FileName))
any further ideas or places to start looking?
Thanks for the help,
drazic19
"David Wang [Msft]" wrote:
> Re: Anonymous access resulting in 401.1
>
> Here is one of those differences between upgrade and clean install/migration
> that I mentioned earlier.
>
> An IIS5 feature that was cut from IIS6 for security reasons is the "Allow IIS
> to control password", which required IIS to run as LocalSystem. You can
> still do this on IIS6 if you make the right configuration, but it is not
> recommended.
>
> This feature magically allows IIS to log in as the anonymous user without
> needing the password, so it can definitely get out of sync and you won't
> know it on IIS5.
>
> Now, assume that prior to upgrade you had an incorrect anonymous user
> password. Since IIS5 uses "Allow IIS to control password", anonymous
> authentication magically works. On upgrade, this feature stayed enabled
> (remember, it's compat), anonymous authentication stayed working. When you
> turned off IIS5 Compatibility Mode, IIS6 runs as Network Service (not
> LocalSystem), so it cannot use this feature, and now IIS6 uses the incorrect
> anonymous user password and gets a 401.1 (username/password not correct).
> Make sense?
>
>
> Re: dllhost.exe reaching 100%
> If IWAM is able to start the process, then you do not have a user/password
> synchronization problem. You will have to figure out what code is running in
> that process that is spinning at 100%. You can use a tool like IISState when
> it happens to take a snapshot of the state in that dllhost.exe.
>
> http://www.iisfaq.com/default.aspx?view=P197
>
> -- 
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "drazic19" <drazic19@discussions.microsoft.com> wrote in message
> news:6D7A3725-9139-450B-A1E8-36FAE32F24CC@microsoft.com...
> sorry think i've caused some confusion. It's my IWAM user that starts and runs
> the dllhost process and lets it get to 100%, all the other dllhost processes
> that are running are fine and stay in the boundaries expected. any reason for
> this?
>
> thanks
>
> drazic19
>
> "drazic19" wrote:
>
> > ok, thanks for the help.
> >
> > on a similar line, i disabled iis5 isolation mode and all my sites dropped
> > off and displayed 401.1 credentials incorrect. eventually tracked this down
> > to my iusr account in anonymous access. checked the password/username etc all
> > were fine, but when i created a new iusr account and set it as anonymous
> > access all was good. This leads me to think that my old iusr account became
> > corrupt during the upgrade as it was this account that was calling dllhost
> > and allowed it to grow to 100%, the new iusr account hasn't had this problem.
> > any ideas?
> >
> > thanks for the help.
> >
> > drazic19
> >
> > "David Wang [Msft]" wrote:
> >
> > > On upgrade from W2K to WS03, IIS6 will run in IIS5 Compatibility Mode and
> > > many of your previous ACLs/settings will remain (for compatibility reasons).
> > > In other words, the security and compatibility settings are different when
> > > you upgrade vs a clean install, and it is intentional.
> > >
> > > For maximal security, I recommend clean-installing WS03 with IIS6, and then
> > > migrate the websites/data over. You start with a clean, secure slate to open
> > > up functionality instead of re-inheriting W2K/IIS5 settings and locking
> > > down.
> > >
> > > -- 
> > > //David
> > > IIS
> > > http://blogs.msdn.com/David.Wang
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > //
> > > "drazic19" <drazic19@discussions.microsoft.com> wrote in message
> > > news:31718189-E286-4D6A-A580-2DD341BA445C@microsoft.com...
> > > Hi,
> > >
> > > wonder if anyone can help me or confirm some thought. i've upgraded my
> > > servers from 2k to 2003, doing a straight upgrade function. now my belief was
> > > that in iis 5 when a site is started / spun up a new dllhost process is
> > > started and in iis 6.0 this is replaced by the wpwnet process (or whatever it's
> > > called) running an application pool therefore only one of that process should
> > > be running. since the upgrade i seem to have dllhosts starting up all the
> > > time and growing till they take 100% of cpu, freeze the server and need
> > > killing. any ideas why this is happening?
> > >
> > > on a side note the security settings for my sites use a local account as the
> > > anonymous access does this affect things? should this be setup in this way?
> > >
> > >
> > >
>
>
>
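
A log check for the 401.1 symptom discussed in this thread, as an added example that is not part of the original posts: it reads an IIS W3C extended log, honours the #Fields directive, and counts 401.1 responses where no client username was logged. It assumes anonymous access is the only authentication method enabled on the site, so such a response points at the stored anonymous account credentials; the log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2005-03-24 14:01:02 GET /default.asp - 192.0.2.10 401 1 1326
2005-03-24 14:01:05 GET /images/logo.gif - 192.0.2.11 401 1 1326
2005-03-24 14:01:09 GET /admin/ EXAMPLE\\bob 192.0.2.12 401 1 1326
2005-03-24 14:01:12 GET /default.asp - 192.0.2.10 401 2 2148074254
2005-03-24 14:02:00 GET /default.asp - 192.0.2.13 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names chosen by the admin
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))


def anonymous_logon_failures(text):
    """Return (total, per-URI Counter) of 401.1 responses with no client username."""
    hits = Counter()
    for row in parse_w3c(text):
        if (row.get("sc-status") == "401"
                and row.get("sc-substatus") == "1"
                and row.get("cs-username") == "-"):
            hits[row.get("cs-uri-stem", "?")] += 1
    return sum(hits.values()), hits


if __name__ == "__main__":
    total, by_uri = anonymous_logon_failures(SAMPLE_LOG)
    print(f"{total} anonymous 401.1 responses")
    for uri, count in by_uri.most_common():
        print(f"  {count:4d}  {uri}")
```
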

