Re: Execute Access Forbidden
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Wed, 23 Oct 2002 10:04:00 -0400
"Ira Whitney" <mis@americap-mfg.com> wrote in message
news:9c2201c27945$f1a51f30$35ef2ecf@TKMSFTNGXA11...
> I am about to pull out my hair and I don't have any to
> spare. For some reason I can not run any ASP on my WIN2000
> server. I have selected SCRIPT ONLY and tried EXECUTABLES
> too. No matter what I try I can get the asp to work. I
> never had this problem with NT4 server :/
>
> Send reply to mis@americap-mfg.com
Without knowing the error message, this could be a long shot, but here are
some things that could cause the problem. [It may be more sensible to
follow the other post first, it's up to you]
====================
IIS may be using the IWAM_computername account instead of the
IUSR_computername account when executing web page scripts. If so, there may
be a problem with insufficient permissions or incorrect password on the IWAM
account, especially if you assigned permissions to the IUSR account instead
of the IWAM account.
Use the IIS MMC to look at the "Application Isolation" properties of the
folder containing the troubled script files. IIS runs application scripts
using the IWAM account if the "Application Isolation" setting for the script
or the folder containing the script is set to "Medium" or "High."
[If your web page scripts start working after changing this setting to
"Low," then you have probably confirmed that you have a problem with the
IWAM account as described below. If changing this setting does not fix the
problem, then the rest of this article may not apply to you and you should
consider doing general .ASP troubleshooting instead.]
Like the IUSR account, a copy of the IWAM account password is stored in the
IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
as IWAM and/or IUSR if the password in the IIS metabase does not match the
actual password for that user ID in the Windows security database.
The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
IUSR ID and/or password that is stored in the IIS metabase. For example,
you may need to use the command "ADSUTIL GET" to get the IWAM password from
the metabase, then use the Windows 2000 / XP / .NET Local Users and Groups
MMC to change the password on the IWAM account to match.
More information on using the ADSUTIL.VBS command can be found in the
articles below:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297989
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296851
If you have deleted or created a new login ID to be used instead of the
existing IWAM or IUSR account, you may need to grant the new account
permission to "Log on Locally." See the article below for more information:
www.iisfaq.com/default.asp?View=A324&P=128
If an application script or web page on your IIS web server is unable to
access files on another remote computer, you may need to determine which
login ID is being used by the IIS web server to run the script, and set up
an identical login ID and password for that account on the remote computer
[or in some cases, the Windows domain]. See the article below for more
information:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q207671
You should also consider enabling security auditing of failed file access on
the files in question, then check the Windows Security Event Log to see
which account is unable to access which files. [Enabling security auditing
of certain events like failed accesses is also possibly a good idea on IIS
servers for intrusion detection and security reasons as well.]
Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.
Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.
Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes' or hours' worth of data. Finally, check the
logs to be sure logs are really being captured.
For more information on enabling and configuring auditing, see the articles
below:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and also
Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000, monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm
[Thanks to Thomas Deml and others]
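
Added example, not part of the original post: once failed-access auditing is enabled as the message suggests, this script tallies which account was denied which file, which separates an IWAM problem from an IUSR one. The export layout, the host name WEB01 and the paths are constructed; the field names are modeled on the Windows 2000 Security log event 560 (Object Open) and are an assumption about how the events were dumped to text.

```python
import re
from collections import Counter

# Constructed sample export (simplified): one record per block, '---' between
# records. Host name, accounts and paths are made up for illustration.
SAMPLE_EXPORT = r"""Event Type: Failure Audit
Event ID: 560
Object Type: File
Object Name: C:\Inetpub\wwwroot\app\default.asp
Client User Name: IWAM_WEB01
---
Event Type: Failure Audit
Event ID: 560
Object Type: File
Object Name: C:\Inetpub\wwwroot\app\default.asp
Client User Name: IWAM_WEB01
---
Event Type: Success Audit
Event ID: 560
Object Type: File
Object Name: C:\Inetpub\wwwroot\index.htm
Client User Name: IUSR_WEB01
"""

# Split on the first colon only, so drive letters in paths stay intact.
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_records(text):
    """Split the export on '---' lines and turn each record into a dict."""
    records = []
    for chunk in re.split(r"^---\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records

def denied_access(text):
    """Count failed file opens per (account, file), most frequent first."""
    hits = Counter()
    for rec in parse_records(text):
        if rec.get("Event Type") == "Failure Audit" and rec.get("Object Type") == "File":
            # The client account is the identity IIS impersonated for the request.
            hits[(rec.get("Client User Name", "?"), rec.get("Object Name", "?"))] += 1
    return hits.most_common()
```
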