|
Home > Archive > IIS Server Security > September 2005 > ISAPI filter design for proper permissions?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
ISAPI filter design for proper permissions?
|
|
| Gery D. Dorazio 2005-09-04, 2:50 am |
| It appears IIS 6 and/or SP1 on Windows 2003 have changed the security
landscape for writing ISAPI filters and extensions (W32API not .NET) which
have to access resources like the application event log.
Can someone point to some good information on how to write/rewrite/redesign
ISAPIs to work properly in this new environment?
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
| |
| David Wang [Msft] 2005-09-04, 7:48 am |
| Sorry, but I cannot think of any.
All that has changed is that the process identity used to run ISAPI Filters
has changed from LocalSystem of inetinfo.exe on IIS5 to Network Service of
w3wp.exe on IIS6 -- which is documented in several ways.
Anything else is the responsibility of the user to track the needs of that
particular subsystem. Theoretically, ISAPI Filter can access any part of
Windows as a resource, so we would either need to document all Windows
changes and its effects on IIS/ISAPI, or potentially guess a subset that
may/not fit your needs. We chose to do neither and wait for you as the
customer to ask for your important set and focus on that.
The event log change is a popular one that affects web-based applications
like ISAPI Filters, ISAPI Extensions, and ASP pages. You can search on it in
the newsgroups for more info. Here is one possibility:
http://support.microsoft.com/kb/301309
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Gery D. Dorazio" <gdorazio@enque.net> wrote in message
news:eRRee4QsFHA.3732@TK2MSFTNGP11.phx.gbl...
It appears IIS 6 and/or SP1 on Windows 2003 have changed the security
landscape for writing ISAPI filters and extensions (W32API not .NET) which
have to access resources like the application event log.
Can someone point to some good information on how to write/rewrite/redesign
ISAPIs to work properly in this new environment?
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
| |
| Gery D. Dorazio 2005-09-04, 5:51 pm |
| Hi David,
Thanks for the reply.
I think I read somewhere on your blog about writing a service that the ISAPI
filter/extension should access for requesting services and that the filter
should not do it directly. Do you remember that and if so can you comment on
how you think a filter should be designed and or whether a service should be
implemented to actually do the event logging?
Basically, I tried installing event logging into an authentication filter
and it is failing with '05...' data which is access denied. This is the
reason for this post.
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:upEizsSsFHA.3720@TK2MSFTNGP14.phx.gbl...
> Sorry, but I cannot think of any.
>
> All that has changed is that the process identity used to run ISAPI
> Filters
> has changed from LocalSystem of inetinfo.exe on IIS5 to Network Service of
> w3wp.exe on IIS6 -- which is documented in several ways.
>
> Anything else is the responsibility of the user to track the needs of that
> particular subsystem. Theoretically, ISAPI Filter can access any part of
> Windows as a resource, so we would either need to document all Windows
> changes and its effects on IIS/ISAPI, or potentially guess a subset that
> may/not fit your needs. We chose to do neither and wait for you as the
> customer to ask for your important set and focus on that.
>
> The event log change is a popular one that affects web-based applications
> like ISAPI Filters, ISAPI Extensions, and ASP pages. You can search on it
> in
> the newsgroups for more info. Here is one possibility:
> http://support.microsoft.com/kb/301309
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Gery D. Dorazio" <gdorazio@enque.net> wrote in message
> news:eRRee4QsFHA.3732@TK2MSFTNGP11.phx.gbl...
> It appears IIS 6 and/or SP1 on Windows 2003 have changed the security
> landscape for writing ISAPI filters and extensions (W32API not .NET) which
> have to access resources like the application event log.
>
> Can someone point to some good information on how to
> write/rewrite/redesign
> ISAPIs to work properly in this new environment?
>
> Thanks,
> Gery
>
> --
> Gery D. Dorazio
> Development Engineer
>
> EnQue Corporation
> 1334 Queens Road
> Charlotte, NC 28207
> (704) 377-3327
>
>
>
|
|
|
|
|