ASPNET->NETWORK SERVICE rights too restrictive
This problem could cost us hundreds of thousands of pounds, and even worse,
some reputation! So any help is appreciated.

I have posted in iis.security, but maybe this is more relevant in general
security, as I see some similar posts here. I hope someone can help, with a
suggestion other than to rewrite our code!

Basically our system ran fine with IIS 6.0, Windows 2000 Server (using . And
with the advent of the NETWORK SERVICE user we cannot run our code.

We have ASP.NET code which calls a DCOM component EXE, which is configured
to run (with dcomcnfg) as the launching user. On Windows 2000, this is
ASPNET, but on Windows 2003 Enterprise Edition SP1 this is NETWORK SERVICE
and subsequently fails.

We can configure the component to use the 'interactive user', and it works
fine; however, that user has to be logged in! Which isn't acceptable -
imagine Hotmail going down because Bill Gates logs out of his PC?
We can configure it to use a different nominated user, but it only works if
that user is a member of the Administrators group (yet again, unacceptable).

Before someone shouts that we're trying to access files/registry keys that
are admin only, we're not (on purpose). Our product is highly graphical, and
we are using a code base which is shared between our GUI and DCOM components.
This code basically serves up nice diagrams to the web site.

We believe we are being denied GUI resources that we need, and can't find
any way of telling IIS or DCOM that we need a non-admin user who can interact
with GUI stuff!

Is there any tool that allows us to see the real configuration of users and
their rights? I'm sure the Administrator user has more real rights than we
can see with the dialogs Windows configuration provides. We want to make up
our own user with rights that allow the ability to have a GUI interaction.
Nothing I have tried in security policies has helped either.

The code fails in particular when it attempts to use the VS MFC/C++ call
::LoadMenu. GetLastError() tells us ERROR_ACCESS_DENIED (5).
However, loading strings, icons, and bitmaps works fine, and we can even load
the resource through LoadResource/LockResource for the same menu! We can
easily remove the need for a menu, but we can't do much about when MFC
creates a window and when it attempts to register a Windows hook
(AfxHookWindowCreate fails on ::SetWindowsHookEx), which fails with
ERROR_ACCESS_DENIED.

We know we MIGHT fix our problem with a complete rewrite to not use the
MFC Doc/View architecture and perform all functions with memory device
contexts, but time constraints currently prevent that course of action.

Is there a way (like services) to specify that the DCOM component can
interact with the desktop or get access to GUI components, or that IIS can be
configured to launch calls to our EXE component where it has appropriate
rights to create Windows hooks?

We want to avoid making the whole of the IIS site elevated though, of course!

We wondered if the ERROR_ACCESS_DENIED was something to do with the
WindowStation/Desktop DACL that IIS creates when it calls CreateProcess for
our DCOM server.
We have examined the resulting DACLs of these when running as NETWORK SERVICE
and Administrator, and noticed that the effective rights
DESKTOP_CREATEMENU and DESKTOP_CREATEHOOK are unavailable to NETWORK
SERVICE. I have tried to switch desktops, but yet again, ACCESS_DENIED.
But I'm not sure if this is related, as I've not managed to prove that
programmatically removing these rights from a current desktop had any effect.
It could be that the IIS call to CreateProcessAsUser is not giving us adequate
winstations, or can we configure a SAFE user to have specific rights to the
GUI?

This seems to be the one missing area in Windows config tools: how to
configure rights to the desktop services for a user?

Am I on the right track, or can we use a different user account with good
security, but just the ability to be slightly GUI 'interactive'?

Regards,

Giles Middleton
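The post's own diagnosis hinges on which desktop-specific rights the server's token actually holds under the desktop DACL it was launched into. The following is an added example, not code from the original post or from the poster's product: a small C diagnostic that can be dropped into any process (for instance the DCOM server itself) to probe, right by right, what the current desktop grants to the caller, and then reports which of the rights an MFC Doc/View server needs are missing. The `OpenDesktopA`/`GetUserObjectInformationA` calls and the `DESKTOP_*` constants are the documented Win32 ones; the mapping of `LoadMenu` to `DESKTOP_CREATEMENU`, `SetWindowsHookEx` to `DESKTOP_HOOKCONTROL` and window creation to `DESKTOP_CREATEWINDOW` follows the documented meaning of those rights. Off Windows the probe is compiled out and a constructed sample mask (lacking the two rights the post observed missing for NETWORK SERVICE) stands in for it so the reporting logic still runs.

```c
/* desktop_rights.c - added example; not part of the original newsgroup post.
 * Probes which desktop-specific access rights the calling token holds, so a
 * failing LoadMenu/SetWindowsHookEx can be traced to a concrete missing right
 * instead of being "fixed" by making the account an Administrator.
 * The DESKTOP_* values are the documented winuser.h constants; they are only
 * defined here when building off Windows so the logic runs on any platform. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>          /* link with user32 */
#else
#define DESKTOP_READOBJECTS     0x0001
#define DESKTOP_CREATEWINDOW    0x0002
#define DESKTOP_CREATEMENU      0x0004
#define DESKTOP_HOOKCONTROL     0x0008
#define DESKTOP_JOURNALRECORD   0x0010
#define DESKTOP_JOURNALPLAYBACK 0x0020
#define DESKTOP_ENUMERATE       0x0040
#define DESKTOP_WRITEOBJECTS    0x0080
#define DESKTOP_SWITCHDESKTOP   0x0100
#endif

struct desktop_right {
    unsigned long mask;
    const char *name;
    const char *needed_by;   /* what a GUI-style server does that needs it */
};

static const struct desktop_right DESKTOP_RIGHTS[] = {
    { DESKTOP_READOBJECTS,     "DESKTOP_READOBJECTS",     "reading desktop objects" },
    { DESKTOP_CREATEWINDOW,    "DESKTOP_CREATEWINDOW",    "CreateWindow (MFC CFrameWnd)" },
    { DESKTOP_CREATEMENU,      "DESKTOP_CREATEMENU",      "LoadMenu / CreateMenu" },
    { DESKTOP_HOOKCONTROL,     "DESKTOP_HOOKCONTROL",     "SetWindowsHookEx (AfxHookWindowCreate)" },
    { DESKTOP_JOURNALRECORD,   "DESKTOP_JOURNALRECORD",   "journal record hooks" },
    { DESKTOP_JOURNALPLAYBACK, "DESKTOP_JOURNALPLAYBACK", "journal playback hooks" },
    { DESKTOP_ENUMERATE,       "DESKTOP_ENUMERATE",       "EnumDesktops" },
    { DESKTOP_WRITEOBJECTS,    "DESKTOP_WRITEOBJECTS",    "writing desktop objects" },
    { DESKTOP_SWITCHDESKTOP,   "DESKTOP_SWITCHDESKTOP",   "SwitchDesktop" },
};
#define NRIGHTS (sizeof DESKTOP_RIGHTS / sizeof DESKTOP_RIGHTS[0])

/* Rights an MFC Doc/View server touches: it creates windows, loads menus from
   resources and installs a window-creation hook while building its frame. */
#define MFC_DOCVIEW_RIGHTS (DESKTOP_CREATEWINDOW | DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL)

/* Bits of `required` that `granted` does not contain. */
unsigned long missing_rights(unsigned long granted, unsigned long required)
{
    return required & ~granted;
}

/* Write the names of the missing rights into buf, space separated.
   Returns how many rights are missing (0 means everything needed is held). */
int describe_missing(unsigned long granted, unsigned long required,
                     char *buf, size_t len)
{
    unsigned long missing = missing_rights(granted, required);
    size_t i, pos = 0;
    int count = 0, n;

    if (len)
        buf[0] = '\0';
    for (i = 0; i < NRIGHTS; i++) {
        if (!(missing & DESKTOP_RIGHTS[i].mask))
            continue;
        n = snprintf(buf + pos, len > pos ? len - pos : 0, "%s%s",
                     count ? " " : "", DESKTOP_RIGHTS[i].name);
        if (n < 0)
            break;
        pos += (size_t)n;
        count++;
    }
    return count;
}

#ifdef _WIN32
/* Ask the kernel directly: try to open the thread's current desktop with each
   single right. A successful open means the token holds that right under the
   desktop's DACL as it stands now, which is exactly what the post wants to see. */
unsigned long probe_desktop_rights(void)
{
    char name[256];
    DWORD needed = 0;
    unsigned long granted = 0;
    size_t i;
    HDESK cur = GetThreadDesktop(GetCurrentThreadId());   /* must not be closed */

    if (!cur || !GetUserObjectInformationA(cur, UOI_NAME, name, sizeof name, &needed))
        return 0;
    for (i = 0; i < NRIGHTS; i++) {
        HDESK h = OpenDesktopA(name, 0, FALSE, DESKTOP_RIGHTS[i].mask);
        if (h) {
            granted |= DESKTOP_RIGHTS[i].mask;
            CloseDesktop(h);
        }
    }
    return granted;
}
#endif

int main(void)
{
    char report[256];
    unsigned long granted;
#ifdef _WIN32
    granted = probe_desktop_rights();
#else
    /* Constructed sample for non-Windows builds: a mask lacking CREATEMENU and
       HOOKCONTROL, the two rights the post observed missing for NETWORK SERVICE. */
    granted = DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE |
              DESKTOP_WRITEOBJECTS;
#endif
    if (describe_missing(granted, MFC_DOCVIEW_RIGHTS, report, sizeof report))
        printf("missing desktop rights: %s\n", report);
    else
        printf("all rights needed by an MFC Doc/View server are held\n");
    return 0;
}
```

Run inside the process that fails (the probe uses the thread's own desktop, so it sees the same DACL the failing `LoadMenu` call sees). Knowing the exact missing bits turns the question into a narrow one: grant just those rights, on just that desktop, to a dedicated low-privilege account, rather than putting the account in Administrators or making the whole site elevated.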
