Re: CGI Security on IIS 6.0

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/14/04


Date: Wed, 14 Jul 2004 14:37:46 GMT

On Tue, 13 Jul 2004 14:59:44 -0700, "Mike Garner"
<anonymous@discussions.microsoft.com> wrote:

>
>>-----Original Message-----
>>On Tue, 13 Jul 2004 07:49:28 -0700, "Mike Garner"
>><anonymous@discussions.microsoft.com> wrote:
>>
>>>OK. I found an error. In the System Event Viewer I get a
>>>Warning LsaSrv: The Security System could not establish a
>>>secured connection with the server ldap/<my domain
>>>controller>. No authentication protocol was available.
>>>
>>>I get this error each time the script is executed via
>>>CGI. Again, no filemon errors to speak of, and it works
>>>fine when run from command line or as CGI on Apache.
>>>
>>>Any ideas?
>>
>>What is this script doing? Was it written for an IIS system? Has it
>>ever worked on this server?
>>
>>Jeff
>>.
>>
>The script takes a username and current password and new
>password via HTML form and resets that user's Microsoft
>Active Directory password as the new password, provided
>the current password is correct. Works like a charm on
>this very server from command line or as Apache CGI. ALL
>other (and there are lots) of Perl CGI work with IIS. I
>eventually got it to work by changing the account this
>individual script runs as from within the IIS manager
>under directory security -> Account for Anonymous Access
>but I just didn't think I'd have to go that far. It's
>really bizarre. It's an IIS thing for sure, but I can't
>track it down to what.

It's not an IIS thing, and you just nailed it. You're running as the
anonymous user, attempting to perform an LDAP query that is restricted
to AD admin accounts. Apache doesn't run as the anonymous user
account, nor are you logging in as the anonymous user when you run the
command line.

By changing the account used, you now have an anonymous user requiring
no login or validation able to perform administrative functions. Your
script works, but your security is shot to hell.

Jeff
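
Added example, not part of the original thread or the poster's script: one way to perform the password change described above without giving the anonymous account any directory rights, by binding to AD with the submitting user's own current password. Assumptions: Net::LDAP is installed, the domain controller accepts LDAPS, users hold the default right to change their own password, and the host, base DN, UPN suffix and CA file below are placeholders; change_own_password is a hypothetical name to be called from the CGI handler with the three form fields.

```perl
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);
use Encode qw(encode);

# Placeholders (assumptions): replace with your own directory values.
my $DC_HOST = 'dc.example.test';
my $BASE_DN = 'DC=example,DC=test';
my $UPN_SFX = 'example.test';
my $CA_FILE = '/path/to/domain-ca.pem';

# AD expects unicodePwd as the double-quoted password encoded in UTF-16LE.
sub ad_pwd { return encode('UTF-16LE', '"' . $_[0] . '"') }

sub change_own_password {
    my ($user, $old, $new) = @_;
    # Accept only a plain account name from the form.
    return 'bad username' unless $user =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    # An empty password would turn the bind into an unauthenticated bind.
    return 'empty password' unless length $old and length $new;

    # AD accepts unicodePwd writes only on an encrypted connection.
    my $ldap = Net::LDAPS->new($DC_HOST, verify => 'require',
                               cafile => $CA_FILE)
        or return "connect failed: $@";

    # Bind as the user, so the web server's process identity is irrelevant.
    my $mesg = $ldap->bind("$user\@$UPN_SFX", password => $old);
    return 'current password rejected' if $mesg->code;

    # Look up the user's DN with the user's own session.
    $mesg = $ldap->search(base => $BASE_DN, attrs => ['1.1'],
        filter => '(sAMAccountName=' . escape_filter_value($user) . ')');
    return 'lookup failed' if $mesg->code or $mesg->count != 1;
    my $dn = $mesg->entry(0)->dn;

    # Delete-old plus add-new in one modify is a user-level change,
    # not an administrative reset.
    $mesg = $ldap->modify($dn, changes => [
        delete => [ unicodePwd => ad_pwd($old) ],
        add    => [ unicodePwd => ad_pwd($new) ],
    ]);
    $ldap->unbind;
    return $mesg->code ? 'change failed: ' . $mesg->error : 'ok';
}
```

With this shape the anonymous access account can stay at its default, unprivileged identity, and a request that does not carry the correct current password fails at the bind.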


