Re: Grant Object Access

From: Andrew Hayes (AndrewHayes_at_discussions.microsoft.com)
Date: 08/25/05


Date: Thu, 25 Aug 2005 17:51:05 +0900

Now that I had resolved the issues on my test server, I'm moving all files
and performing the various system changes on the new production server, but
I've run into a snag.

On certain ASP pages the web application checks that the current user has
access to the database. It does this using a VB COM DLL.

What I'm getting is the DCOM 10016 event being logged every time I visit a
page using the COM component, and the 'ASP 0178: 8007005' being shown in the
browser. The usual solution is to find the component in the DCOM Config list
and alter the permissions.

I had a similar problem with this on the test server. Then, when I had
looked at the CLSID in the event, it was the Machine Debug Manager. This
time though it's showing the CLSID for the custom COM component it's trying
to use. Unfortunately, that doesn't show up in the DCOM Config list so I
don't know how to set the permissions.

Any pointers?

Regards...Andrew

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eoPJTwypFHA.3048@TK2MSFTNGP10.phx.gbl...
> Tweaking the ACL on the service will let the account inquire
> from the service control manager of the status of the server (or
> if granted start/stop/pause it).
> What account can define a new scheduled task is under the
> internal control of the specific service code. I remember one
> time looking for how to adjust that, and not finishing the search.
> The blob at HKLM\Services\Schedule\Security is not what you
> are after (it is the launch/access info for the service, per the use
> of templates). It is probably the ACL on the "tasks" special
> folder, but I am not certain although there seems no security
> stored in the HKLM\Software\Microsoft\SchedulingAgent key.
> You probably need to try researching this, and then if needed
> posting a thread that makes clear your issue in its subject.
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> news:%23KnD5AvpFHA.1996@TK2MSFTNGP10.phx.gbl...
>> Yes. This is going to be used for anonymous web access, but since the user
>> has no control over the scheduled tasks in themselves (all the user can do
>> is upload a data file), I don't think there is much risk. When the upload is
>> complete, the server automatically writes information about the datafile to
>> a database, enumerates the tasks to see if the virus-scan is already
>> running, and if not then it creates a new task for starting a scan against
>> the file the user uploaded.
>>
>> As it happens, there was a mistake in the ASP code in that it wasn't setting
>> one of our COM+ objects' properties correctly, which was causing the follow
>> on exception, but I hadn't been able to see that until I had got it past the
>> Enumerating Scheduled Tasks error.
>>
>> As of this moment it all works correctly, so long as the IUSR_ account is
>> part of the administrators group. Of course, that will not do in a
>> production environment.
>>
>> I'll go through the KB article you posted Roger and see if I can get it to
>> work that way. Last ditch attempt would be to use NTRights and add each
>> right until it succeeds in creating the task, then remove them all and try
>> again until I can get the minimum needed for it to work.
>>
>> The other way would be for the ASP page to create the COM+ object under a
>> different identity, but I'm not sure how that works... More research is
>> needed.
>>
>> Regards...Andrew
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:u1AwGitpFHA.3568@TK2MSFTNGP10.phx.gbl...
>> > The accesses you were being denied were to start and to query the
>> > service. I am not so sure that granting those will allow you to then
>> > schedule a new task, which your subsequent posts make it sound like
>> > you are trying to do. The way I adjust rights to services is to define
>> > a security config editor template that is new, hence totally empty,
>> > and then use the services node to edit the values for the concerned
>> > service, after which one uses the template to analyze and configure
>> > the machine.
>> > That said, I have to wonder what in the world you are wanting to
>> > do this for . . . As it now appears, you are wanting to allow the
>> > Iusr_ account to define new scheduled tasks, and/or to manage
>> > scheduled tasks. But the Iusr_ account is not used for authenticated
>> > web access, so this means you are wanting to allow anonymous web
>> > browsers to tweak around in the machine's scheduled tasks ??? !!! #
>> > A recipe for disaster that sounds to be.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
>> > news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
>> >> False alarm. Sorry folks. :-(
>> >>
>> >> The reason I got past the previous error when trying to get service status
>> >> was that I had added IUSR_ to the local administrators group. Adding the
>> >> Legacy Component does not correct the problem if I remove IUSR_ from the
>> >> local admin group.
>> >>
>> >> So the question is, what rights do I give IUSR_ to allow it to use the
>> >> Schedule service correctly without making it a local administrator?
>> >>
>> >> I'll be taking a look at NTRights that Roger mentioned.
>> >>
>> >> Regards...Andrew
>> >>
>> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
>> >> message
>> >> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
>> >> > From what you have said, Roger, and from what the various KB articles
>> >> > concerning that error have led me to, is that the IUSER_ account doesn't
>> >> > have the privileges. Right enough.
>> >> >
>> >> > Now, how to set those privileges?
>> >> >
>> >> > I finally found one way to do it.
>> >> >
>> >> > Using DCOMCNFG, I opened the COM+ library application that contains all
>> >> > the COM+ components for the web application, and tried adding a
>> >> > "Component", selecting the Install New Component option and browsing to
>> >> > the MSTASK.DLL file. This gives me the error "One or more files do not
>> >> > contain component or type libraries. These files cannot be installed."
>> >> >
>> >> > So much for Scheduler being a COM component, but then, I use COM to work
>> >> > with it from the VC++ code. Very strange. So I tried to add a new "Legacy
>> >> > Component"...
>> >> >
>> >> > Although the Scheduler doesn't show up with a human-friendly name, as it
>> >> > has no ProgID, its CLSID was listed so I added it using that. Seemed to
>> >> > work, although it creates an icon with no name. I then changed the
>> >> > identity of the created object to one that has local administrator rights,
>> >> > and gave local Launch, Activation and Access permissions to the local
>> >> > IUSER_ and NETWORK_SERVICE accounts.
>> >> >
>> >> > Ran through my process again, and I no longer get the 560 for the Schedule
>> >> > object access but it is generating an Exception that I need to track
>> >> > down.
>> >> >
>> >> > Still, I'm a little further along than I had been, and I hope what I
>> >> > discovered would be useful to someone.
>> >> >
>> >> > Regards...Andrew
>> >> >
>> >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> > news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
>> >> >> I am not aware what your COM+ component is attempting to do,
>> >> >> but from the event message you post it would appear to me that
>> >> >> a chain of events leading to attempt to get a handle to the Schedule
>> >> >> service that allows querying and starting that service is denied.
>> >> >> One does not grant rights to services in the ways you have attempted
>> >> >> by altering the NTFS permissions on the binaries. Rather you need
>> >> >> to either use security templates or such as NTrights.exe from the
>> >> >> resource kit.
>> >> >>
>> >> >> --
>> >> >> Roger Abell
>> >> >> Microsoft MVP (Windows Security)
>> >> >> MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
>> >> >> message
>> >> >> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
>> >> >>> Hi All,
>> >> >>>
>> >> >>> As part of my continuing efforts to get COM+ components running under
>> >> >>> Windows 2003 Server SP1, I enabled Object Access auditing and File auditing,
>> >> >>> and ran through the process that is failing.
>> >> >>>
>> >> >>> One failure event was logged in the security log:
>> >> >>>
>> >> >>> Event Type: Failure Audit
>> >> >>> Event Source: Security
>> >> >>> Event Category: Object Access
>> >> >>> Event ID: 560
>> >> >>> Date: 2005/08/19
>> >> >>> Time: 16:10:44
>> >> >>> User: WIN2003\IUSR_WIN2003
>> >> >>> Computer: WIN2003
>> >> >>> Description:
>> >> >>> Object Open:
>> >> >>> Object Server: SC Manager
>> >> >>> Object Type: SERVICE OBJECT
>> >> >>> Object Name: Schedule
>> >> >>> Handle ID: -
>> >> >>> Operation ID: {0,84340653}
>> >> >>> Process ID: 476
>> >> >>> Image File Name: C:\WINDOWS\system32\services.exe
>> >> >>> Primary User Name: WIN2003$
>> >> >>> Primary Domain: DOMAIN
>> >> >>> Primary Logon ID: (0x0,0x3E7)
>> >> >>> Client User Name: IUSR_WIN2003
>> >> >>> Client Domain: WIN2003
>> >> >>> Client Logon ID: (0x0,0x504A958)
>> >> >>> Accesses: Query status of service
>> >> >>> Start the service
>> >> >>>
>> >> >>> Privileges: -
>> >> >>> Restricted Sid Count: 0
>> >> >>> Access Mask: 0x14
>> >> >>>
>> >> >>>
>> >> >>> For more information, see Help and Support Center at
>> >> >>> http://go.microsoft.com/fwlink/events.asp.
>> >> >>>
>> >> >>> This most certainly is the culprit of the Access Denied error I'm getting
>> >> >>> in my component.
>> >> >>>
>> >> >>> Now... Can anyone help me with granting access to Schedule? I've tried
>> >> >>> giving IUSR_WIN2003 "read and execute" and "read" permissions to
>> >> >>> services.exe and mstask.dll, but to no avail.
>> >> >>>
>> >> >>>
>> >> >>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
>> >> >>> mentions something similar with OWA and clusters, but uses Active Directory
>> >> >>> Users and Computers to change the settings, which doesn't exist on this
>> >> >>> server as it's not part of Active Directory.
>> >> >>>
>> >> >>> Regards...Andrew
>> >> >>>
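The 560 failure audit quoted at the bottom of this thread (Access Mask 0x14 on the Schedule service object) already names the two rights IUSR_ lacked. This added example, which is not part of any post in the thread, decodes that mask into the SERVICE_* rights and the SDDL letters for a single allow ACE, the least-privilege alternative to putting IUSR_ in Administrators. The event text is a constructed copy of the quoted fields, the SID is a placeholder, and granting via `sc sdshow`/`sc sdset` is an approach not raised by either poster.

```python
import re
# Service-specific access rights (winsvc.h) and their SDDL letters (`sc sdshow`).
SERVICE_RIGHTS = [
    (0x0001, "SERVICE_QUERY_CONFIG", "CC"),
    (0x0002, "SERVICE_CHANGE_CONFIG", "DC"),
    (0x0004, "SERVICE_QUERY_STATUS", "LC"),
    (0x0008, "SERVICE_ENUMERATE_DEPENDENTS", "SW"),
    (0x0010, "SERVICE_START", "RP"),
    (0x0020, "SERVICE_STOP", "WP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE", "DT"),
    (0x0080, "SERVICE_INTERROGATE", "LO"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL", "CR"),
]

# Constructed sample: fields of the 560 failure audit quoted in the thread.
EVENT_560 = """Event ID: 560
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: Schedule
Client User Name: IUSR_WIN2003
Client Domain: WIN2003
Accesses: Query status of service
Start the service
Access Mask: 0x14
"""

def parse_event(text):
    """Extract service name, client account and numeric access mask."""
    fields = dict(re.findall(r"^([A-Za-z ]+):\s*(.*)$", text, re.MULTILINE))
    return {
        "service": fields["Object Name"],
        "client": fields["Client Domain"] + "\\" + fields["Client User Name"],
        "mask": int(fields["Access Mask"], 16),
    }

def decode_mask(mask):
    """Map service-specific bits to right names and SDDL letters; report stray bits."""
    names = [name for bit, name, _ in SERVICE_RIGHTS if mask & bit]
    letters = "".join(sddl for bit, _, sddl in SERVICE_RIGHTS if mask & bit)
    leftover = mask & ~sum(bit for bit, _, _ in SERVICE_RIGHTS)
    if leftover:
        names.append("UNDECODED_0x%X" % leftover)
    return names, letters

def minimal_ace(text, sid="<SID-of-IUSR_WIN2003>"):
    """Allow ACE granting exactly the denied rights. The SID is a placeholder;
    merge the ACE into the DACL shown by `sc sdshow Schedule`, never replace it."""
    _, letters = decode_mask(parse_event(text)["mask"])
    return "(A;;%s;;;%s)" % (letters, sid)
```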