IIS Server Security - IIS 5.0 vs IIS 6.0

Author

IIS 5.0 vs IIS 6.0

Antero

2006-07-21, 7:23 pm

Greetings,

I have an asp page that allows me to start and stop services on my windows
2000 server and run some batch files as well. Now that we are upgrading to
windows 2003 this page is not working. I have changed the security parameters
on IIS 6.0 but still I cant run my batch (I am using .bat ) files. What else
should I do in order to make an asp page to run batch files (that among other
things start or stop services) on windows 2003?.

Thanks!.

David Wang [Msft]

2006-07-21, 7:23 pm

http://blogs.msdn.com/david.wang/ar...003_Part_2.aspx

Depending on your security requirements, it may no longer work.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Antero" <Antero@discussions.microsoft.com> wrote in message
news:BACCB6C7-7444-4F66-91B7-492419F41269@microsoft.com...
> Greetings,
>
> I have an asp page that allows me to start and stop services on my windows
> 2000 server and run some batch files as well. Now that we are upgrading to
> windows 2003 this page is not working. I have changed the security
> parameters
> on IIS 6.0 but still I cant run my batch (I am using .bat ) files. What
> else
> should I do in order to make an asp page to run batch files (that among
> other
> things start or stop services) on windows 2003?.
>
> Thanks!.

Antero

2006-07-24, 1:24 pm

Thanks David for your answer.

I am not a very technicall person, I tried to understand what the article
said but I coulndnt reproduce it on my IIS, I cannot find a cgi-bin folder on
my server and I dont know how to map asp.dll as a script engine. Can you
explain it to me in more detail or maybe there is another way to run batch
files remotely and if you know how, please let me know.

Thanks again!.

"David Wang [Msft]" wrote:

> http://blogs.msdn.com/david.wang/ar...003_Part_2.aspx
>
> Depending on your security requirements, it may no longer work.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Antero" <Antero@discussions.microsoft.com> wrote in message
> news:BACCB6C7-7444-4F66-91B7-492419F41269@microsoft.com...
>
>
>

David Wang [Msft]

2006-07-24, 7:21 pm

It is actually all configured already, so you do not need to worry about it.

My blog entries simply describe the technical details behind the
configuration so that if you want, you can create your own configuration
based on that information. But it's not necessary for your common case, and
I rely on you to correctly interpret and use the information.

In short, the blog entry describes why your current configuration does not
work as well as one way to make it work - you have to evaluate whether it
fits your security and functional requirements.

The core issue is that your code in ASP is likely using Win32
CreateProcess() to launch the .bat batch files. Security changes in CMD.EXE
parsing of .bat files affect execution of .bat batch files from
CreateProcess(). Your choices are to either:
1. Run Application Pool with LocalSystem identity (security vulnerability)
2. Run Application with same Identity as the user identity executing the ASP
page, which depends on authentication

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Antero" <Antero@discussions.microsoft.com> wrote in message
news:F60BA84F-06F3-484E-A43D-AF6C8A34B86D@microsoft.com...[vbcol=seagreen]
> Thanks David for your answer.
>
> I am not a very technicall person, I tried to understand what the article
> said but I coulndnt reproduce it on my IIS, I cannot find a cgi-bin folder
> on
> my server and I dont know how to map asp.dll as a script engine. Can you
> explain it to me in more detail or maybe there is another way to run batch
> files remotely and if you know how, please let me know.
>
> Thanks again!.
>
> "David Wang [Msft]" wrote:
>