Re: Grant Object Access
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/25/05
- Next message: Steven L Umbach: "Re: GPO Password length not working"
- Previous message: CB: "Re: GPO Password length not working"
- In reply to: Andrew Hayes: "Re: Grant Object Access"
- Next in thread: Andrew Hayes: "Re: Grant Object Access"
- Reply: Andrew Hayes: "Re: Grant Object Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Aug 2005 08:04:39 -0700
Hi Andrew,
I trust that the way you got all working in the test system was with
the component reverted back from system to library component ...
Have you examined the IIS settings for the web app in IIS for differences
test vs production - in particular the isolation protection level?
I do not recall your mentioning that this is IIS 6 not 5, but the IIS config
can cause the account used to vary.
The errors are clearly tagged still to Iusr_ context?
I am sure that you know your component is registered,
but when you drill into the components mgmt console
%windir%\system32\com\comexp.msc
you cannot locate it ?
Yes, the access denial could be from a dependency of the component,
but wouldn't you know if you are or are not trapping all exceptions
that may get thrown, and what you are not handling? Anyway, that
would assume the component launches to begin with instead of a
dependency needed to get that far.
So what was the final trick you needed in the test environment anyway?
Last I figured from your posts, you found a parameter error in the calling
of the component after you got past the perms on the task special folder
so enumeration was allowed.
Oh yes, on my production IIS I like seeing access errors when ASP
failures trigger MDM trying to fire up - ok for it to launch on a dev box
but not on the production IIS. That you do not see it mentioned in the
event logs on the prod box may mean they have not blocked debugging there.
--
Roger
"Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
news:uAIf9HVqFHA.3204@TK2MSFTNGP10.phx.gbl...
> Now that I had resolved the issues on my test server, I'm moving all files
> and performing the various system changes on the new production server, but
> I've run into a snag.
>
> On certain ASP pages the web application checks that the current user has
> access to the database. It does this using a VB COM DLL.
>
> What I'm getting is the DCOM 10016 event being logged every time I visit a
> page using the COM component, and the 'ASP 0178: 8007005' being shown in the
> browser. The usual solution is to find the component in the DCOM Config list
> and alter the permissions.
>
> I had a similar problem with this on the test server. Then, when I had
> looked at the CLSID in the event, it was the Machine Debug Manager. This
> time though it's showing the CLSID for the custom COM component it's trying
> to use. Unfortunately, that doesn't show up in the DCOM Config list so I
> don't know how to set the permissions.
>
> Any pointers?
>
> Regards...Andrew
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:eoPJTwypFHA.3048@TK2MSFTNGP10.phx.gbl...
> > Tweaking the ACL on the service will let the account inquire
> > from the service control manager of the status of the server (or
> > if granted start/stop/pause it).
> > What account can define a new scheduled task is under the
> > internal control of the specific service code. I remember one
> > time looking for how to adjust that, and not finishing the search.
> > The blob at HKLM\Services\Schedule\Security is not what you
> > are after (it is the launch/access info for the service, per the use
> > of templates). It is probably the ACL on the "tasks" special
> > folder, but I am not certain although there seems no security
> > stored in the HKLM\Software\Microsoft\SchedulingAgent key.
> > You probably need to try researching this, and then if needed
> > posting a thread that makes clear your issue in its subject.
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> > news:%23KnD5AvpFHA.1996@TK2MSFTNGP10.phx.gbl...
> >> Yes. This is going to be used for anonymous web access, but since the
> >> user has no control over the scheduled tasks in themselves (all the user can
> >> do is upload a data file), I don't think there is much risk. When the upload
> >> is complete, the server automatically writes information about the datafile
> >> to a database, enumerates the tasks to see if the virus-scan is already
> >> running, and if not then it creates a new task for starting a scan against
> >> the file the user uploaded.
> >>
> >> As it happens, there was a mistake in the ASP code in that it wasn't
> >> setting one of our COM+ objects' properties correctly, which was causing the
> >> follow-on exception, but I hadn't been able to see that until I had got it
> >> past the Enumerating Scheduled Tasks error.
> >>
> >> As of this moment it all works correctly, so long as the IUSR_ account is
> >> part of the administrators group. Of course, that will not do in a
> >> production environment.
> >>
> >> I'll go through the KB article you posted Roger and see if I can get it to
> >> work that way. Last ditch attempt would be to use NTRights and add each
> >> right until it succeeds in creating the task, then remove them all and try
> >> again until I can get the minimum needed for it to work.
> >>
> >> The other way would be for the ASP page to create the COM+ object under a
> >> different identity, but I'm not sure how that works... More research is
> >> needed.
> >>
> >> Regards...Andrew
> >>
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:u1AwGitpFHA.3568@TK2MSFTNGP10.phx.gbl...
> >> > The accesses you were being denied were to start and to query the
> >> > service. I am not so sure that granting those will allow you to then
> >> > schedule a new task, which your subsequent posts make it sound like
> >> > you are trying to do. The way I adjust rights to services is to define
> >> > a security config editor template that is new, hence totally empty,
> >> > and then use the services node to edit the values for the concerned
> >> > service, after which one uses the template to analyze and configure
> >> > the machine.
> >> > That said, I have to wonder what in the world you are wanting to
> >> > do this for . . . As it now appears, you are wanting to allow the
> >> > Iusr_ account to define new scheduled tasks, and/or to manage
> >> > scheduled tasks. But the Iusr_ account is not used for authenticated
> >> > web access, so this means you are wanting to allow anonymous web
> >> > browsers to tweak around in the machine's scheduled tasks ??? !!! #
> >> > A recipe for disaster that sounds to be.
> >> >
> >> > --
> >> > Roger Abell
> >> > Microsoft MVP (Windows Security)
> >> > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> >> > news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
> >> >> False alarm. Sorry folks. :-(
> >> >>
> >> >> The reason I got past the previous error when trying to get service
> >> >> status was that I had added IUSR_ to the local administrators group. Adding
> >> >> the Legacy Component does not correct the problem if I remove IUSR_ from
> >> >> the local admin group.
> >> >>
> >> >> So the question is, what rights do I give IUSR_ to allow it to use the
> >> >> Schedule service correctly without making it a local administrator?
> >> >>
> >> >> I'll be taking a look at NTRights that Roger mentioned.
> >> >>
> >> >> Regards...Andrew
> >> >>
> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> >> >> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
> >> >> > From what you have said, Roger, and from what the various KB articles
> >> >> > concerning that error have led me to, is that the IUSER_ account doesn't
> >> >> > have the privileges. Right enough.
> >> >> >
> >> >> > Now, how to set those privileges?
> >> >> >
> >> >> > I finally found one way to do it.
> >> >> >
> >> >> > Using DCOMCNFG, I opened the COM+ library application that contains all
> >> >> > the COM+ components for the web application, and tried adding a
> >> >> > "Component", selecting the Install New Component option and browsing to
> >> >> > the MSTASK.DLL file. This gives me the error "One or more files do not
> >> >> > contain component or type libraries. These files cannot be installed."
> >> >> >
> >> >> > So much for Scheduler being a COM component, but then, I use COM to
> >> >> > work with it from the VC++ code. Very strange. So I tried to add a new
> >> >> > "Legacy Component"...
> >> >> >
> >> >> > Although the Scheduler doesn't show up with a human-friendly name, as
> >> >> > it has no ProgID, its CLSID was listed so I added it using that. Seemed
> >> >> > to work, although it creates an icon with no name. I then changed the
> >> >> > identity of the created object to one that has local administrator rights,
> >> >> > and gave local Launch, Activation and Access permissions to the local
> >> >> > IUSER_ and NETWORK_SERVICE accounts.
> >> >> >
> >> >> > Ran through my process again, and I no longer get the 560 for the Schedule
> >> >> > object access but it is generating an Exception that I need to track
> >> >> > down.
> >> >> >
> >> >> > Still, I'm a little further along than I had been, and I hope what I
> >> >> > discovered would be useful to someone.
> >> >> >
> >> >> > Regards...Andrew
> >> >> >
> >> >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> >> > news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
> >> >> >> I am not aware what your COM+ component is attempting to do,
> >> >> >> but from the event message you post it would appear to me that
> >> >> >> a chain of events leading to attempt to get a handle to the Schedule
> >> >> >> service that allows querying and starting that service is denied.
> >> >> >> One does not grant rights to services in the ways you have attempted
> >> >> >> by altering the NTFS permissions on the binaries. Rather you need
> >> >> >> to either use security templates or such as NTrights.exe from the
> >> >> >> resource kit.
> >> >> >>
> >> >> >> --
> >> >> >> Roger Abell
> >> >> >> Microsoft MVP (Windows Security)
> >> >> >> MCSE (W2k3,W2k,Nt4) MCDBA
> >> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> >> >> >> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
> >> >> >>> Hi All,
> >> >> >>>
> >> >> >>> As part of my continuing efforts to get COM+ components running under
> >> >> >>> Windows 2003 Server SP1, I enabled Object Access auditing and File
> >> >> >>> auditing, and ran through the process that is failing.
> >> >> >>>
> >> >> >>> One failure event was logged in the security log:
> >> >> >>>
> >> >> >>> Event Type: Failure Audit
> >> >> >>> Event Source: Security
> >> >> >>> Event Category: Object Access
> >> >> >>> Event ID: 560
> >> >> >>> Date: 2005/08/19
> >> >> >>> Time: 16:10:44
> >> >> >>> User: WIN2003\IUSR_WIN2003
> >> >> >>> Computer: WIN2003
> >> >> >>> Description:
> >> >> >>> Object Open:
> >> >> >>> Object Server: SC Manager
> >> >> >>> Object Type: SERVICE OBJECT
> >> >> >>> Object Name: Schedule
> >> >> >>> Handle ID: -
> >> >> >>> Operation ID: {0,84340653}
> >> >> >>> Process ID: 476
> >> >> >>> Image File Name: C:\WINDOWS\system32\services.exe
> >> >> >>> Primary User Name: WIN2003$
> >> >> >>> Primary Domain: DOMAIN
> >> >> >>> Primary Logon ID: (0x0,0x3E7)
> >> >> >>> Client User Name: IUSR_WIN2003
> >> >> >>> Client Domain: WIN2003
> >> >> >>> Client Logon ID: (0x0,0x504A958)
> >> >> >>> Accesses: Query status of service
> >> >> >>> Start the service
> >> >> >>>
> >> >> >>> Privileges: -
> >> >> >>> Restricted Sid Count: 0
> >> >> >>> Access Mask: 0x14
> >> >> >>>
> >> >> >>>
> >> >> >>> For more information, see Help and Support Center at
> >> >> >>> http://go.microsoft.com/fwlink/events.asp.
> >> >> >>>
> >> >> >>> This most certainly is the culprit of the Access Denied error I'm
> >> >> >>> getting in my component.
> >> >> >>>
> >> >> >>> Now... Can anyone help me with granting access to Schedule? I've tried
> >> >> >>> giving IUSR_WIN2003 "read and execute" and "read" permissions to
> >> >> >>> services.exe and mstask.dll, but to no avail.
> >> >> >>>
> >> >> >>>
> >> >> >>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
> >> >> >>> mentions something similar with OWA and clusters, but uses Active
> >> >> >>> Directory Users and Computers to change the settings, which doesn't exist on
> >> >> >>> this server as it's not part of Active Directory.
> >> >> >>>
> >> >> >>> Regards...Andrew
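An added example, not part of this thread and not a Microsoft tool: a Python script that decodes the Access Mask 0x14 from the 560 failure audit Andrew quoted into named service rights (they come out as the same two accesses the event lists, "Query status of service" and "Start the service"), parses a service DACL in the SDDL form that `sc sdshow` prints, and computes the smallest Allow ACE that would satisfy that one denial for a given principal. The event text and the SDDL string are constructed samples modelled on the thread, and the IUSR_ SID is a placeholder.

```python
import re

# Service-specific access rights from winsvc.h, plus the standard rights that
# appear in service security descriptors.
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

# Two-letter SDDL right codes as printed by `sc sdshow`, mapped to those bits.
SDDL_RIGHT_CODES = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}

# Constructed copy of the 560 failure audit quoted in the thread (quote marks removed).
EVENT_560 = """\
Event ID: 560
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: Schedule
Client User Name: IUSR_WIN2003
Client Domain: WIN2003
Access Mask: 0x14
"""

# Constructed sample DACL in the shape `sc sdshow <service>` prints.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Placeholder SID for the IUSR_ account; the real one comes from the machine.
IUSR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

def decode_mask(mask):
    """Names of the service rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(SERVICE_RIGHTS.items()) if mask & bit]

def parse_560_event(text):
    """Pull the fields that say who was denied what from a 560 audit record."""
    fields = {}
    for key in ("Object Server", "Object Type", "Object Name",
                "Client User Name", "Client Domain", "Access Mask"):
        m = re.search(rf"^\s*{re.escape(key)}:\s*(\S.*?)\s*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    fields["Access Mask"] = int(fields["Access Mask"], 16)
    return fields

def sddl_rights_to_mask(rights):
    """Convert an SDDL rights field (two-letter codes or a hex literal) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_RIGHT_CODES:
            raise ValueError(f"unsupported SDDL right code {code!r}")
        mask |= SDDL_RIGHT_CODES[code]
    return mask

def parse_sddl_dacl(sddl):
    """Return (ace_type, rights_mask, sid) for every ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")[:6]
        aces.append((ace_type, sddl_rights_to_mask(rights), sid))
    return aces

def granted_mask(aces, sid):
    """Allow bits minus Deny bits from the principal's own ACEs; group SIDs
    the principal belongs to are not evaluated, so compare those by hand."""
    allowed = denied = 0
    for ace_type, rights, ace_sid in aces:
        if ace_sid == sid and ace_type == "A":
            allowed |= rights
        elif ace_sid == sid and ace_type == "D":
            denied |= rights
    return allowed & ~denied

def least_privilege_ace(sddl, sid, denied_mask):
    """SDDL Allow ACE covering only the denied rights the principal still lacks,
    or None when the descriptor already grants them."""
    missing = denied_mask & ~granted_mask(parse_sddl_dacl(sddl), sid)
    if not missing:
        return None
    codes = "".join(code for code, bit in SDDL_RIGHT_CODES.items() if missing & bit)
    return f"(A;;{codes};;;{sid})"

if __name__ == "__main__":
    ev = parse_560_event(EVENT_560)
    print(ev["Client User Name"], "denied", decode_mask(ev["Access Mask"]),
          "on", ev["Object Type"], ev["Object Name"])
    for principal in (IUSR_SID, "AU", "BA"):
        print(principal, "->", least_privilege_ace(SAMPLE_SDDL, principal, ev["Access Mask"]))
```

Run against the sample DACL it reports that Authenticated Users already hold query-status and lack only SERVICE_START, that the bare IUSR_ SID lacks both bits, and that Administrators need nothing. Since granted_mask only looks at a principal's own ACEs, check the group entries the IUSR_ token carries (AU, PU and so on) before adding anything, and keep any grant to the two bits the audit named rather than reaching for Administrators membership; whether anonymous web access should hold even those is the question Roger raises above.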