IIS Server Security - file permissions on system.dlls

FrankA

2005-02-04, 6:00 pm

Hi!

I am completely confused:

There are several KB articles that describe how to give NTFS permissions on
the different msado15.dlls for IWAM+IUSR to have db access in IIS.

Now my problem is to understand why IIS can run without giving these
permissions??

Enabling file audit AND checking with Process Explorer, I can see that the
dllhost.exe that is running as IWAM can open a file and has a handle that
only Users and Administrators have access to.

Same with the vbscript.dll!!

How can this happen?

Thanks!


David Wang [Msft]

2005-02-05, 2:47 am

What groups are included in "Users" and "Administrators"? I'm willing to
bet that there is a group in one of them which includes another group...
which eventually includes IWAM and IUSR.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"FrankA" <dj_rocco@kein_spam_gmx.de> wrote in message
news:urNjf1sCFHA.3540@TK2MSFTNGP14.phx.gbl...
> Hi!
>
> I am completely confused:
>
> There are several KB articles that describe how to give NTFS permissions on
> the different msado15.dlls for IWAM+IUSR to have db access in IIS.
>
> Now my problem is to understand why IIS can run without giving these
> permissions??
>
> Enabling file audit AND checking with Process Explorer, I can see that the
> dllhost.exe that is running as IWAM can open a file and has a handle that
> only Users and Administrators have access to.
>
> Same with the vbscript.dll!!
>
> How can this happen?
>
> Thanks!



FrankA

2005-02-05, 5:49 pm

IIS Server is stand alone.

> What groups are included in "Users" and "Administrators" ?


groups?

these are the server local groups, so I can only add single local users or
built-in local "authorities".

> I'm willing to
> bet that there is a group in one of them which includes another group...
> which eventually includes IWAM and IUSR


nesting local groups?

members of Users is empty:

Administrators only contain 2 local admin accounts.


Jiri Richter [MSFT]

2005-02-09, 8:50 pm

The following information applies to Windows Server 2003. One of the members
of the Users group is the built-in group "Authenticated Users". This is
essentially any user who provides proper credentials. In order to run the
dllhost.exe as the IWAM user, the IWAM user had to provide proper credentials
(this is done by IIS), so the IWAM user also becomes a member of the
Authenticated Users group.

--
Jiri Richter
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.


"FrankA" <dj_rocco@kein_spam_gmx.de> wrote in message
news:urNjf1sCFHA.3540@TK2MSFTNGP14.phx.gbl...
> Hi!
>
> I am completely confused:
>
> There are several KB articles that describe how to give NTFS permissions on
> the different msado15.dlls for IWAM+IUSR to have db access in IIS.
>
> Now my problem is to understand why IIS can run without giving these
> permissions??
>
> Enabling file audit AND checking with Process Explorer, I can see that the
> dllhost.exe that is running as IWAM can open a file and has a handle that
> only Users and Administrators have access to.
>
> Same with the vbscript.dll!!
>
> How can this happen?
>
> Thanks!
>
>
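
A check for the situation Jiri Richter describes, as an added example that is not part of the original thread: it lists the allow ACEs on a file and flags those that every logged-on account reaches because the trustee is, or contains, a well-known implicit SID. It assumes a current Windows with PowerShell 5.1 or later (Get-LocalGroupMember is not available on the Windows 2000/2003 systems discussed here); the default path and the function name Get-ImplicitMember are assumptions of this example.

```powershell
# Added example (not from the thread). Requires PowerShell 5.1+ for Get-LocalGroupMember.
param(
    # Assumption: usual msado15.dll location; pass -Path for any other file.
    [string]$Path = "$env:CommonProgramFiles\System\ado\msado15.dll"
)

# Well-known SIDs that Windows adds to a token at logon, without any explicit
# group assignment. Authenticated Users is the one named in the thread.
$implicit = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-ImplicitMember {
    param([string]$GroupSid)
    # Return the implicit SIDs that are members of a local group.
    try {
        Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop |
            Where-Object { $implicit.ContainsKey($_.SID.Value) } |
            ForEach-Object { $implicit[$_.SID.Value] }
    } catch {
        # Trustee is not a local group (or cannot be enumerated): nothing nested.
    }
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Value
    # An ACE is reachable by every logged-on account if its trustee is an
    # implicit SID itself or a local group that contains one.
    $via = if ($implicit.ContainsKey($sid)) { $implicit[$sid] } else { Get-ImplicitMember -GroupSid $sid }
    $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
    [pscustomobject]@{
        Trustee      = $name
        Rights       = $ace.FileSystemRights
        ReachableVia = @($via) -join ', '
    }
}
```

A non-empty ReachableVia column on the Users ACE is the case from this thread: the account is not listed in the group, yet its token carries the group's SID.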



FrankA

2005-02-12, 5:49 pm

> built-in local "authorities".


Yep, and it was that "Authenticated Users" group.

sorry.


FrankA

2005-02-12, 5:49 pm

> The following information applies to Windows Server 2003. One of the
> members
> of the Users group is the built-in group "Authenticated Users". This is
> essentially any user who provides proper credentials. In order to run the
> dllhost.exe as the IWAM user, the IWAM user had to provide proper credentials
> (this is done by IIS), so the IWAM user also becomes a member of the
> Authenticated Users group.



BINGO!!

And that is true for Win2k also. But I never noticed it so clearly!

But then I do not understand why one would make IWAM and IUSR members of the
local Guests group if they are in fact members of the Users group too? Where is
the meaning of hardening?

Thanks in advance.



