Hi,

We currently have a C# ASP.NET app that operates correctly out of Windows
Server 2003 and IIS 6.0. It makes a couple operating system calls (Active
Directory routines and certificate routines), so in order for it to have
permission to make those calls, we found we had to create an app pool for it
using the predefined privileges of Local System. Only when it is listed
under Local System does it have permission to execute those calls.

Next, we tried it on Windows Server 2000. We tried running it on IIS 5.0 and
found that those same calls fail. So we set the Web Site's Application
Protection to "Low (IIS Process)", but it still failed. Next, we also tried
setting the IIS Service rights/permissions in the IIS Service's properties
from Local System to Administrator but it still fails.

I have read in numerous places that "In previous versions of IIS, worker
processes ran as Local System, a powerful account that has system
administrator privileges on the server. Because LocalSystem has access to
almost all resources on the operating system, this caused security
implications." However, that does not seem to be true, as an App Pool Local
System in IIS 6.0 seems to give more permissions than IIS 5.0 does. I can
actually see an extra permission given to the IIS 6.0 process named
SeTcbPrivilege that is not present in the IIS 5.0 process and hence the
reason it fails.

What is the solution to make a process on an IIS 5.0 server behave with true
Local System privileges? Can I set up the IIS 5.0 server differently (e.g.,
app protection setting) to give it the proper privileges, OR, should I try
to grant the SeTcbPrivilege into the IIS 5.0 process?

Thanks,
GD