at work I am struggling a bit with the following situation:
We have a web application that runs on a WIndows Server 2008 64 bits machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .net 2 and Classic pipeline mode.
This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes.
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas...
What I did was the run the following command from a cmd prompt:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :)
Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory.
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\Temp directory and/or the application directory itself did not fix it.
For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this.
Thanx in advance!
If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write.
My guess, is that the application must be using Windows authentication and impersonation is enabled in ASP.NET so that code is probably be ran as the specific user that is making the request and not necesarilly the process identity.
Am I right on the guess that the app is running Windows Authentication? and impersonation is enabled in asp.net ?
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html
Related
I had some malicious javascript appended to my .js files on a website and tracked the hack in my logs to an old FCKEditor exploit.
As a relative novice, I've been reading up a bit on how this was done and how I can protect against it, but I have a few specific questions, listed below.
If it's helpful, this was Windows Server 2012, IIS 8 and SQL Server, and, I'm embarrassed to say it, but this was an old site still running Classic ASP. Here are my questions:
I had IUSR as my Anonymous User in IIS. When the hacker uploaded the .asp file to get shell access, I assumed they only had the privileges conferred to them via IUSR, correct? If the server is properly hardened, they can't escalate privileges to get more access than what IUSR has, right?
I've changed my Anonymous User to be the application pool identity. Since a hacker's grab-shell-access ASP program now won't have IUSR's privileges and will only have the application pool identity, is it safe to assume that they can't get the ability to run commands like WHOAMI or any other such commands? What rights would application pool identity (and thus any of my .asp programs that serve up web pages) have?
Last question. OK, so I clearly was giving IUSR too much power on this box, given that an anonymous user for IIS could run a .asp program and get shell access. So how do I query what privileges IUSR has across the entire computer? I know I can, for example, right click on my inetpub folder and look a security to see what IUSR can do, but is there a way to get a report across the entire server to understand the full rights and privileges for that particular user.
My focus with these questions is more about general learning than about protecting this box. I'm sure some might be inclined to say your box is probably toast and backdoored, so dump it and start with a new server, but I know that. I also know that I should have done some hardening that I didn't. Thanks for your answers to questions above, which will help me learn and improve. Much appreciated.
1.IUSR will determine what identity you are using to view your web page and also application pool identity will decide whether the application or shell can be executeed. So you need to minimize permission for both app pool identity and iusr.
2.By default application pool identity don't have permission to access something like powershell or cmd. So you don't have to afraid command like whoami will be executed.
3.I'm afraid there is no simple way to do permission traversal. But you just need to make sure you have already minizized your application pool identity permission.
My ASP-Webpages application needs to write self-generated files to a local folder under its root directory. Everything runs like a charm on- and from my development environment, even to any other given network locations.
The problem is that I can’t get the production environment to do the same. Just no files get created, anywhere. Nor are any exceptions thrown on missing permissions etc. Nada.
I believe I’ve read and tried out just about everything anyone had written on the Internet over the past seven years and I feel like I’m chasing my own behind trying to solve this problem. Should it be really that difficult?
At the risk of getting marked as duplicate I see no other option than to post my question here..
Basically, here is what I have this far:
The production application runs on Windows Server 2008 R2, IIS version 7.5. It has a dedicated Application Pool, with its identity set to ApplicationPoolIdentity (.NET Framework v4 / Integrated pipeline).
Application Basic Settings
Verified AppPool membership of IIS_IUSRS.
Verified Group Membership
User Authentication is set to Windows Authentication.
User Authentication
Should Anonymous Authentication be set to ‘Enabled’ to get the ApplicationPoolIdentity be used? I’ve tried setting it on, but it conflicts with the Windows Authentication, which is an essential part of our application and cannot be switched off.
If so, then how?
Both the Application Pool and the IIS_IUSRS have been granted Read & Write permissions on the folder.
I’ve tried setting Full control, but that didn’t help either.
Folder Security Settings
Here is the (stripped down) code that writes the files to the desired location:
Stripped-down Code
Other (silly) things I’ve tried are:
Playing around with absolute and relative path directions in my code.
Enabling Anonymous Authentication, resulting in a conflict with the necessary Windows Authentication.
Set Application Pool ProcessModel identity to Network Service.
Recycle Application Pool.
Load User Profile ‘On’ for the Application Pool.
Setting IE Enhanced Security Configuration ‘Off’ for users.
Restarting server machine.
Using different browsers.
Give 'everyone' full folder permissions, just to try the effects, nothing..
Set AuthenticatedUserOverride to UseWorkerProcessUser via IIS Configuration Editor. This causes that my application doesn't recognise Current.User.Identity.Name anymore, so it blocks further site access.
What I need is to keep Windows Authentication, but also be able to have the application anonymously write files to a given location.
Can anybody please hint me in the right direction or just tell me what I’ve overlooked?
Thanks!
Hope you can help.
We have a web application (.NET 2.0) that has some custom code that is used to poke a windows service when a file is uploaded. We issue a command using the following code:
Dim serviceName As String = "Processor Service 1.0"
sc = New ServiceController(serviceName)
sc.ExecuteCommand(200)
Running this code in a standalone app works fine but when running through website throws an access denied error. Code works fine in IIS 6.
We are using an application pool with a user and is in Admin group. I figure it's something to do with IIS but now sure what.
Hoping you guys can help.
Thanks
The permissions that are needed to interact with local services are pretty high. Your asp.net app is likely running as anonymous (local account IUSR), or the "application pool identity". You would have setup your app in IIS (app pool) to use a different account with greater permissions.
In IIS Admin, under the section "IIS", "Authentication", you need to enable a stronger authentication method. If "Anonymous Authentication" is the only one enabled, then check the settings "Edit" to see if it is running as IUSR or "Application pool identity". This is where you determine, or set, the account (and permission set) that your ASP.NET app is using.
I feel that I should strongly warn against elevating the permissions for IIS and anonymous users. This would create a very dangerous back-door into your system. The suggestion from bgs264 is a very good one: make a separate service (or scheduled process) that watches for file uploads, or modify the existing service to use the file-watcher to monitor for uploaded files. It could run under a higher permission set and would be much more isolated from your IIS. Granting admin permissions to IIS or its app pools, is just like begging for trouble.
I have a new Win7 workstation and I am trying to get ScrewTurn Wiki to run on the machine. My STW installation is using the file system option to store its data, and as such I need to give write permissions to the ASP.NET worker process in the folder the website is installed in.
HOWEVER, I cannot seem to be able to come up with name of the worker process in Win7 in order to add it to the permissions for the folder. In XP it was ASPNET_WP, if I remember correctly, but that is not its name in Win7.
Can someone please tell me?
Edited to add:
In response to #Dragan_Radivojevic, here's what the application pool in question looks like (named ScrewTurnWiki):
The Identity is "ApplicationPoolIdentity"
Giving write permissions to all IIS_USRS group is a bad idea from the security point of view. You dont need to do that and you can go with giving permissions only to system user running the application pool.
If you are using II7 (and I guess you do) do the following.
Open IIS7
Select Website for which you need to modify permissions
Go to Basic Settings and see which application pool you're using.
Go to Application pools and find application pool from #3
Find system account used for running this application pool (Identity column)
Navigate to your storage folder in IIS, select it and click on Edit Permissions (under Actions sub menu on the right)
Open security tab and add needed permissions only for user you identified in #3
Note #1: if you see ApplicationPoolIdentity in #3 you need to reference this system user like this IIS AppPool{application_pool_name} . For example IIS AppPool\DefaultAppPool
Note #2: when adding this user make sure to set correct locations in the Select Users or Groups dialog. This needs to be set to local machine because this is local account.
I know this is an old thread but to further expand the answer here, by default IIS 7.5 creates application pool identity accounts to run the worker process under. You can't search for these accounts like normal user accounts when adding file permissions. To add them into NTFS permission ACL you can type the entire name of the application pool identity and it will work.
It is just a slight difference in the way the application pool identity accounts are handle as they are seen to be virtual accounts.
Also the username of the application pool identity is "IIS AppPool\application pool name" so if it was the application pool DefaultAppPool the user account would be "IIS AppPool\DefaultAppPool".
These can be seen if you open computer management and look at the members of the local group IIS_IUSRS. The SID appended to the end of them is not need when adding the account into an NTFS permission ACL.
Hope that helps
My immediate solution (since I couldn't find the ASP.NET worker process) was to give write (that is, Modify) permission to IIS_IUSRS. This worked. I seem to recall that in WinXP I had to specifically given the ASP.NET worker process write permission to accomplish this. Maybe my memory is faulty, but anyway...
#DraganRadivojevic wrote that he thought this was dangerous from a security viewpoint. I do not disagree, but since this was my workstation and not a network server, it seemed relatively safe. In any case, his answer is better and is what I finally settled on after chasing down a fail-path due to not specifying the correct domain for the AppPool user.
The full command would be something like below, notice the quotes
icacls "c:\inetpub\wwwroot\tmp" /grant "IIS AppPool\DefaultAppPool:F"
I am in the process of deploying a web application on IIS5 on my server which runs windows XP.So when i run my application in visual studio its perfect.But when i deployed it into IIS it throws me an error saying that the access denied to a particular file.
My app reads a xml file based on the input(which is nothing but the other system in the network).As i browsed to the properties of that file manually and unchecked the read only attribute,still it dint work out.Can any one guide me to the proper solution ?
you might have to give read/write (if needed) to following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.