Re: Grant Object Access

From: Andrew Hayes (AndrewHayes_at_discussions.microsoft.com)
Date: 08/25/05 

Date: Thu, 25 Aug 2005 19:52:59 +0900

Can this problem be caused by the IUSR_ not having access to one of the
dependency files for the COM components?

Regards...Andrew

"Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
news:uAIf9HVqFHA.3204@TK2MSFTNGP10.phx.gbl...
> Now that I had resolved the issues on my test server, I'm moving all files
> and performing the various system changes on the new production server,
> but I've run into a snag.
>
> On certain ASP pages the web application checks that the current user has
> access to the database. It does this using a VB COM DLL.
>
> What I'm getting is the DCOM 10016 event being logged everytime I visit a
> page using the COM component, and the 'ASP 0178: 8007005' being shown in
> the browser. The usual solution is to find the component in the DCOM
> Config list and alter the permissions.
>
> I had a similiar problem with this on the test server. Then, when I had
> looked at the CLSID in the event, it was the Machine Debug Manager. This
> time though it's showing the CLSID for the custom COM component it's
> trying to use. Unfortunately, that doesn't show up in the DCOM Config list
> so I don't know how to set the permissions.
>
> Any pointers?
>
> Regards...Andrew
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:eoPJTwypFHA.3048@TK2MSFTNGP10.phx.gbl...
>> Tweaking the ACL on the service will let the account inquire
>> from the service control manager of the status of the server (or
>> if granted start/stop/pause it).
>> What account can define a new scheduled task is under the
>> internal control of the specific service code. I remember one
>> time looking for how to adjust that, and not finishing the search.
>> The blob at HKLM\Services\Schedule\Security is not what you
>> are after (it is the launch/access info for the service, per the use
>> of templates). It is probably the ACL on the "tasks" special
>> folder, but I am not certain although there seems no security
>> stored in the HKLM\Software\Microsoft\SchedulingAgent key.
>> You probably need to try researching this, and then if needed
>> posting a thread that makes clear your issue in its subject.
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
>> news:%23KnD5AvpFHA.1996@TK2MSFTNGP10.phx.gbl...
>>> Yes. This is going to be used for anonymous web access, but since the
>>> user
>>> has no control over the scheduled tasks in themselves (all the user can
>>> do
>>> is upload a data file), I don't think there is much risk. When the
>>> upload
>> is
>>> complete, the server automatically writes information about the datafile
>> to
>>> a database, enumerates the tasks to see if the virus-scan is already
>>> running, and if not then it creates a new task for starting a scan
>>> against
>>> the file the user uploaded.
>>>
>>> As it happens, there was a mistake in the ASP code in that it wasn't
>> setting
>>> one of our COM+ objects properties correctly, which was causing the
>>> follow
>>> on exception, but I hadn't been able to see that until I had got it pass
>> the
>>> Enumerating Scheduled Tasks error.
>>>
>>> As of this moment it all works correctly, so long as the IUSR_ account
>>> is
>>> part of the administrators group. Of course, that will not do in a
>>> production environment.
>>>
>>> I'll go through the KB article you posted Roger and see if I can get it
>>> to
>>> work that way. Last ditch attempt would be to use NTRights and add each
>>> right until it succeeds in creating the task, then remove them all and
>>> try
>>> again until I can get the minimum needed for it to work.
>>>
>>> The other way would be for the ASP page to create the COM+ object under
>>> a
>>> different identify, but I'm not sure how that works... More research is
>>> needed.
>>>
>>> Regards...Andrew
>>>
>>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>>> news:u1AwGitpFHA.3568@TK2MSFTNGP10.phx.gbl...
>>> > The accesses you were being denied were to start and to query the
>>> > service. I am not so sure that granting those will allow you to then
>>> > schedule a new task, which your subsequent posts make it sound like
>>> > you are trying to do. The way I adjust rights to services is to
>>> > define
>>> > a security config editor template that is new, hence totally enpty,
>>> > and then use the services node to edit the values for the concerned
>>> > service, after which one uses the templated to analyze and configure
>>> > the machine.
>>> > That said, I have to wonder what in the world you are wanting to
>>> > do this for . . . As it now appears, you are wanting to allow the
>>> > Iusr_ account to define new scheduled tasks, and/or to manage
>>> > scheduled tasks. But the Iusr_ account is not used for authenticated
>>> > web access, so this means you are wanting to allow anonymous web
>>> > browsers to tweak around in the machine's scheduled tasks ??? !!! #
>>> > A recipe for disaster that sounds to be.
>>> >
>>> > --
>>> > Roger Abell
>>> > Microsoft MVP (Windows Security)
>>> > MCSE (W2k3,W2k,Nt4) MCDBA
>>> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
>>> > message
>>> > news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
>>> >> False alarm. Sorry folks. :-(
>>> >>
>>> >> The reason I got past the previous error when trying to get service
>>> >> status
>>> >> was that I had added IUSR_ to the local administrators group. Adding
>> the
>>> >> Legacy Component does not correct the problem if I remove IUSR_ from
>> the
>>> >> local admin group.
>>> >>
>>> >> So the question is, what rights do I give IUSR_ to allow it to use
>>> >> the
>>> >> Schedule service correctly without making it a local administrator?
>>> >>
>>> >> I'll be taking a look at NTRights that Roger mentioned.
>>> >>
>>> >> Regards...Andrew
>>> >>
>>> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
>>> >> message
>>> >> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
>>> >> > From what you have said, Roger, and from what the various KB
>>> >> > articles
>>> >> > concerning that error has lead me to, is that the IUSER_ account
>>> >> > doesn't
>>> >> > have the privileges. Right enough.
>>> >> >
>>> >> > Now, how to set those privileges?
>>> >> >
>>> >> > I finally found one way to do it.
>>> >> >
>>> >> > Using DCOMCNFG, I opened the COM+ library application that contains
>> all
>>> >> > the COM+ components for the web application, and tried adding a
>>> >> > "Component", selecting the Install New Component option and
>>> >> > browsing
>> to
>>> >> > the MSTASK.DLL file. This gives me the error "One or more files do
>> not
>>> >> > contain component or type libraries. These files cannot be
>> installed."
>>> >> >
>>> >> > So much for Scheduler being a COM component, but then, I use COM to
>>> >> > work
>>> >> > with it from the VC++ code. Very strange. So I tied to add a new
>>> >> > "Legacy
>>> >> > Component"...
>>> >> >
>>> >> > Although the Scheduler doesn't show up with a human-friendly name,
>>> >> > as
>>> >> > it
>>> >> > has no ProgID, it's CLSID was listed so I added it using that.
>>> >> > Seemed
>>> >> > to
>>> >> > work, although it creates an icon with no name. I then changed the
>>> >> > identify of the created object to one that has local administrator
>>> > rights,
>>> >> > and gave local Launch, Activation and Access permissions to the
>>> >> > local
>>> >> > IUSER_ and NETWORK_SERVICE accounts.
>>> >> >
>>> >> > Ran through my process again, and I no longer get the 560 for the
>>> > Schedule
>>> >> > object acccess but it is generating an Exception that I need to
>>> >> > track
>>> >> > down.
>>> >> >
>>> >> > Still, I'm a little further along than I had been, and I hope what
>>> >> > I
>>> >> > discovered would be useful to someone.
>>> >> >
>>> >> > Regards...Andrew
>>> >> >
>>> >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>>> >> > news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
>>> >> >>I am not aware what your COM+ component is attempting to do,
>>> >> >> but from the event message you post it would appear to me that
>>> >> >> a chain of events leading to attempt to get a handle to the
>>> >> >> Schedule
>>> >> >> service that allows querying and starting that service is denied.
>>> >> >> One does not grant rights to services in the ways you have
>>> >> >> attempted
>>> >> >> by altering the NTFS permissions on the binaries. Rather you need
>>> >> >> to either use security templates of such as NTrights.exe from the
>>> >> >> resource kit.
>>> >> >>
>>> >> >> --
>>> >> >> Roger Abell
>>> >> >> Microsoft MVP (Windows Security)
>>> >> >> MCSE (W2k3,W2k,Nt4) MCDBA
>>> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
>>> >> >> message
>>> >> >> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
>>> >> >>> Hi All,
>>> >> >>>
>>> >> >>> As part of my continuing efforts to get COM+ components running
>> under
>>> >> >>> Windows 2003 Server SP1, I enabled Object Access auditing and
>>> >> >>> File
>>> >> >> auditing,
>>> >> >>> and ran through the process that is failing.
>>> >> >>>
>>> >> >>> One failure event was logged in the security log:
>>> >> >>>
>>> >> >>> Event Type: Failure Audit
>>> >> >>> Event Source: Security
>>> >> >>> Event Category: Object Access
>>> >> >>> Event ID: 560
>>> >> >>> Date: 2005/08/19
>>> >> >>> Time: 16:10:44
>>> >> >>> User: WIN2003\IUSR_WIN2003
>>> >> >>> Computer: WIN2003
>>> >> >>> Description:
>>> >> >>> Object Open:
>>> >> >>> Object Server: SC Manager
>>> >> >>> Object Type: SERVICE OBJECT
>>> >> >>> Object Name: Schedule
>>> >> >>> Handle ID: -
>>> >> >>> Operation ID: {0,84340653}
>>> >> >>> Process ID: 476
>>> >> >>> Image File Name: C:\WINDOWS\system32\services.exe
>>> >> >>> Primary User Name: WIN2003$
>>> >> >>> Primary Domain: DOMAIN
>>> >> >>> Primary Logon ID: (0x0,0x3E7)
>>> >> >>> Client User Name: IUSR_WIN2003
>>> >> >>> Client Domain: WIN2003
>>> >> >>> Client Logon ID: (0x0,0x504A958)
>>> >> >>> Accesses: Query status of service
>>> >> >>> Start the service
>>> >> >>>
>>> >> >>> Privileges: -
>>> >> >>> Restricted Sid Count: 0
>>> >> >>> Access Mask: 0x14
>>> >> >>>
>>> >> >>>
>>> >> >>> For more information, see Help and Support Center at
>>> >> >>> http://go.microsoft.com/fwlink/events.asp.
>>> >> >>>
>>> >> >>> This most certainly is the culprit of the Access Denied error I'm
>>> >> >>> getting
>>> >> >> in
>>> >> >>> my component.
>>> >> >>>
>>> >> >>> Now... Can anyone help me with granting access to Schedule? I've
>>> >> >>> tried
>>> >> >>> giving IUSR_WIN2003 "read and execute" and "read" permissions to
>>> >> >>> services.exe and mstask.dll, but to no avail.
>>> >> >>>
>>> >> >>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
>>> >> >>> mentions something similiar with OWA and clusters, but uses
>>> >> >>> Active
>>> >> >> Directory
>>> >> >>> Users and Computers to change the settings, which doesn't exist
>>> >> >>> on
>>> > this
>>> >> >>> server as it's not part of Active Directory.
>>> >> >>>
>>> >> >>> Regards...Andrew
>>> >> >>>
>>> >> >>>
>>> >> >>
>>> >> >>
>>> >> >
>>> >> >
>>> >>
>>> >>
>>> >
>>> >
>>>
>>>
>>
>>
>
>