Re: NTFS permission for Inprocess DLLs

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/14/03


Date: Sun, 13 Jul 2003 22:55:53 -0700


Herb,

I think what you are experiencing is due to how Windows works.
AFAIK IIS only relies on the underlying Windows security.

Group memberships of an account are determined when the account
first logs in. If an account is added to new groups or removed from prior groups,
these changes will not be seen until the account has logged off and
then logged back in.

Roger

"Herb Martin" <news@LearnQuick.com> wrote in message
news:%2363MFicSDHA.1252@TK2MSFTNGP10.phx.gbl...
> How does IIS deal with Inprocess DLLs and their permissions?
>
> Is this why IIS seems to 'cache permission' settings? -- i.e., changes
> to file permissions which should be reflected the next time the file
> is OPENED by a user are not necessarily reflected until IIS is restarted.
>
> While one might say, "of course", there is a weirdness here, if the user
> in question never visits the IIS until after the permission
> change, e.g., this sequence:
>
> IIS started -- NTFS permission change -- new user attempts access
> through that DLL that REQUIRES that permission change to be in
> effect.
>
> Does IIS somehow cache the permissions themselves and run its OWN
> security manager internally?
>
> If so, this would explain how my "not authorized" problem might result
> while NO AUDIT failures appear in the security log.
>
> Admission: I don't use permissions referencing the IUSR_machinename
> and IWAM_machinename DIRECTLY but instead use groups (best
> practice, right <grin>) largely so that I can easily distinguish MY changes
> from those made by tools like IISLockdown, updates to software, etc.
>
> How about the Metabase? Could a tightening of something in there by
> the lockdown tool have hosed my access by anonymous users to the
> email submission EVEN THOUGH there are no audit failures on the
> FP2002 extension DLL nor on the output File?
>
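
The logon-time group evaluation described in the reply can be checked on the server for the account running the script. This PowerShell is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module and compares direct local group membership only.

```powershell
# Added example: compare the group SIDs in this process's access token
# (built when the account logged on) with current local group membership.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userSid   = $identity.User.Value
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

$drift = foreach ($group in Get-LocalGroup) {
    # Direct members only; membership via nested groups is not resolved here.
    $members   = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
    $memberNow = @($members | ForEach-Object { $_.SID.Value }) -contains $userSid
    $inToken   = $tokenSids -contains $group.SID.Value
    if ($memberNow -ne $inToken) {
        # Membership changed after the token was issued (or is not direct).
        [pscustomobject]@{
            Group        = $group.Name
            MemberNow    = $memberNow
            InLogonToken = $inToken
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Output 'Token and current membership differ: a new logon is needed to refresh the token.'
} else {
    Write-Output 'Token groups match current direct local group membership.'
}
```

In a non-elevated session under UAC, Administrators can show up as a difference because the filtered token carries that group as deny-only, which the `Groups` property omits.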
