Re: Grant Object Access

From: Andrew Hayes (AndrewHayes_at_discussions.microsoft.com)
Date: 08/22/05

    Date: Mon, 22 Aug 2005 17:06:20 +0900
    
    

    Yes. This is going to be used for anonymous web access, but since the user
    has no control over the scheduled tasks in themselves (all the user can do
    is upload a data file), I don't think there is much risk. When the upload is
    complete, the server automatically writes information about the datafile to
    a database, enumerates the tasks to see if the virus-scan is already
    running, and if not then it creates a new task for starting a scan against
    the file the user uploaded.

    As it happens, there was a mistake in the ASP code in that it wasn't setting
    one of our COM+ objects' properties correctly, which was causing the follow-on
    exception, but I hadn't been able to see that until I had got it past the
    Enumerating Scheduled Tasks error.

    As of this moment it all works correctly, so long as the IUSR_ account is
    part of the administrators group. Of course, that will not do in a
    production environment.

    I'll go through the KB article you posted Roger and see if I can get it to
    work that way. Last ditch attempt would be to use NTRights and add each
    right until it succeeds in creating the task, then remove them all and try
    again until I can get the minimum needed for it to work.

    The other way would be for the ASP page to create the COM+ object under a
    different identity, but I'm not sure how that works... More research is
    needed.

    Regards...Andrew

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:u1AwGitpFHA.3568@TK2MSFTNGP10.phx.gbl...
    > The accesses you were being denied were to start and to query the
    > service. I am not so sure that granting those will allow you to then
    > schedule a new task, which your subsequent posts make it sound like
    > you are trying to do. The way I adjust rights to services is to define
    > a security config editor template that is new, hence totally empty,
    > and then use the services node to edit the values for the concerned
    > service, after which one uses the template to analyze and configure
    > the machine.
    > That said, I have to wonder what in the world you are wanting to
    > do this for . . . As it now appears, you are wanting to allow the
    > Iusr_ account to define new scheduled tasks, and/or to manage
    > scheduled tasks. But the Iusr_ account is not used for authenticated
    > web access, so this means you are wanting to allow anonymous web
    > browsers to tweak around in the machine's scheduled tasks ??? !!! #
    > A recipe for disaster that sounds to be.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
    > news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
    >> False alarm. Sorry folks. :-(
    >>
    >> The reason I got past the previous error when trying to get service
    >> status
    >> was that I had added IUSR_ to the local administrators group. Adding the
    >> Legacy Component does not correct the problem if I remove IUSR_ from the
    >> local admin group.
    >>
    >> So the question is, what rights do I give IUSR_ to allow it to use the
    >> Schedule service correctly without making it a local administrator?
    >>
    >> I'll be taking a look at NTRights that Roger mentioned.
    >>
    >> Regards...Andrew
    >>
    >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
    >> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
    >> > From what you have said, Roger, and from what the various KB articles
    >> > concerning that error have led me to, is that the IUSR_ account
    >> > doesn't
    >> > have the privileges. Right enough.
    >> >
    >> > Now, how to set those privileges?
    >> >
    >> > I finally found one way to do it.
    >> >
    >> > Using DCOMCNFG, I opened the COM+ library application that contains all
    >> > the COM+ components for the web application, and tried adding a
    >> > "Component", selecting the Install New Component option and browsing to
    >> > the MSTASK.DLL file. This gives me the error "One or more files do not
    >> > contain component or type libraries. These files cannot be installed."
    >> >
    >> > So much for Scheduler being a COM component, but then, I use COM to
    >> > work
    >> > with it from the VC++ code. Very strange. So I tried to add a new
    >> > "Legacy
    >> > Component"...
    >> >
    >> > Although the Scheduler doesn't show up with a human-friendly name, as
    >> > it
    >> > has no ProgID, its CLSID was listed so I added it using that. Seemed
    >> > to
    >> > work, although it creates an icon with no name. I then changed the
    >> > identity of the created object to one that has local administrator
    >> > rights,
    >> > and gave local Launch, Activation and Access permissions to the local
    >> > IUSR_ and NETWORK_SERVICE accounts.
    >> >
    >> > Ran through my process again, and I no longer get the 560 for the
    >> > Schedule
    >> > object access but it is generating an Exception that I need to track
    >> > down.
    >> >
    >> > Still, I'm a little further along than I had been, and I hope what I
    >> > discovered would be useful to someone.
    >> >
    >> > Regards...Andrew
    >> >
    >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> > news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
    >> >> I am not aware what your COM+ component is attempting to do,
    >> >> but from the event message you post it would appear to me that
    >> >> a chain of events leading to attempt to get a handle to the Schedule
    >> >> service that allows querying and starting that service is denied.
    >> >> One does not grant rights to services in the ways you have attempted
    >> >> by altering the NTFS permissions on the binaries. Rather you need
    >> >> to either use security templates or such as NTrights.exe from the
    >> >> resource kit.
    >> >>
    >> >> --
    >> >> Roger Abell
    >> >> Microsoft MVP (Windows Security)
    >> >> MCSE (W2k3,W2k,Nt4) MCDBA
    >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
    >> >> message
    >> >> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
    >> >>> Hi All,
    >> >>>
    >> >>> As part of my continuing efforts to get COM+ components running under
    >> >>> Windows 2003 Server SP1, I enabled Object Access auditing and File
    >> >>> auditing,
    >> >>> and ran through the process that is failing.
    >> >>>
    >> >>> One failure event was logged in the security log:
    >> >>>
    >> >>> Event Type: Failure Audit
    >> >>> Event Source: Security
    >> >>> Event Category: Object Access
    >> >>> Event ID: 560
    >> >>> Date: 2005/08/19
    >> >>> Time: 16:10:44
    >> >>> User: WIN2003\IUSR_WIN2003
    >> >>> Computer: WIN2003
    >> >>> Description:
    >> >>> Object Open:
    >> >>> Object Server: SC Manager
    >> >>> Object Type: SERVICE OBJECT
    >> >>> Object Name: Schedule
    >> >>> Handle ID: -
    >> >>> Operation ID: {0,84340653}
    >> >>> Process ID: 476
    >> >>> Image File Name: C:\WINDOWS\system32\services.exe
    >> >>> Primary User Name: WIN2003$
    >> >>> Primary Domain: DOMAIN
    >> >>> Primary Logon ID: (0x0,0x3E7)
    >> >>> Client User Name: IUSR_WIN2003
    >> >>> Client Domain: WIN2003
    >> >>> Client Logon ID: (0x0,0x504A958)
    >> >>> Accesses: Query status of service
    >> >>> Start the service
    >> >>>
    >> >>> Privileges: -
    >> >>> Restricted Sid Count: 0
    >> >>> Access Mask: 0x14
    >> >>>
    >> >>>
    >> >>> For more information, see Help and Support Center at
    >> >>> http://go.microsoft.com/fwlink/events.asp.
    >> >>>
    >> >>> This most certainly is the culprit of the Access Denied error I'm
    >> >>> getting
    >> >>> in
    >> >>> my component.
    >> >>>
    >> >>> Now... Can anyone help me with granting access to Schedule? I've
    >> >>> tried
    >> >>> giving IUSR_WIN2003 "read and execute" and "read" permissions to
    >> >>> services.exe and mstask.dll, but to no avail.
    >> >>>
    >> >>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
    >> >>> mentions something similar with OWA and clusters, but uses Active
    >> >>> Directory
    >> >>> Users and Computers to change the settings, which doesn't exist on
    >> >>> this
    >> >>> server as it's not part of Active Directory.
    >> >>>
    >> >>> Regards...Andrew
    >> >>>
    >> >>>
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
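The Event ID 560 quoted above reports "Access Mask: 0x14" against the Schedule service object. As an added example (not code from the thread or from any of its posters), this Python decodes that mask against the documented service-object access rights and turns it into the least-privilege SDDL allow ACE one would grant the client SID instead of local administrator membership; the event text is a constructed copy of the relevant lines and the SID in the test is a placeholder.

```python
import re

# Service-object access rights (winsvc.h / winnt.h) and the SDDL right letters
# that stand for them inside a service security descriptor.
SERVICE_RIGHTS = [
    (0x0001, "SERVICE_QUERY_CONFIG", "CC"),
    (0x0002, "SERVICE_CHANGE_CONFIG", "DC"),
    (0x0004, "SERVICE_QUERY_STATUS", "LC"),
    (0x0008, "SERVICE_ENUMERATE_DEPENDENTS", "SW"),
    (0x0010, "SERVICE_START", "RP"),
    (0x0020, "SERVICE_STOP", "WP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE", "DT"),
    (0x0080, "SERVICE_INTERROGATE", "LO"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL", "CR"),
    (0x10000, "DELETE", "SD"),
    (0x20000, "READ_CONTROL", "RC"),
    (0x40000, "WRITE_DAC", "WD"),
    (0x80000, "WRITE_OWNER", "WO"),
]

# Constructed copy of the relevant lines of the Event ID 560 quoted in the thread.
EVENT_560 = """Event ID: 560
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: Schedule
Client User Name: IUSR_WIN2003
Accesses: Query status of service
Start the service
Access Mask: 0x14
"""

def parse_event(text):
    """Pull the object name, client account and access mask out of the event text."""
    fields = dict(re.findall(r"^([A-Za-z ]+): (.+)$", text, re.M))
    return {"object": fields["Object Name"],
            "client": fields["Client User Name"],
            "mask": int(fields["Access Mask"], 16)}

def decode_mask(mask):
    """Name every right set in a service access mask; flag bits we do not know."""
    names = [name for bit, name, _ in SERVICE_RIGHTS if mask & bit]
    unknown = mask & ~sum(bit for bit, _, _ in SERVICE_RIGHTS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def minimal_ace(mask, sid):
    """Allow ACE granting exactly the denied bits to the given SID, nothing more."""
    letters = "".join(l for bit, _, l in SERVICE_RIGHTS if mask & bit)
    return f"(A;;{letters};;;{sid})"
```

The ACE would be spliced into the DACL shown by `sc sdshow Schedule` and applied with `sc sdset`; as Roger notes above, query and start rights are what the audit says was denied, which is not necessarily all that creating a task needs.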

