Re: Grant Object Access

From: Andrew Hayes (AndrewHayes_at_discussions.microsoft.com)
Date: 08/26/05

  • Next message: Steve Shurber: "re:Transparent Screensaver for 2003 Server"
    Date: Fri, 26 Aug 2005 12:45:38 +0900
    
    

    Sorry Roger, but I got it all working by setting it to server application
    rather than library application, running under a local user.

    The main problem is that the Scheduled Tasks system will only run the task
    if the supplied Run As account information is the same as the creator
    information. If my app is set for library, then the creator is IUSR_. In
    order for the task to run I would have to know the password for IUSR_ (which
    you wouldn't normally), and if I go to Set Password... in Computer
    Management I get this long warning about setting a password can cause
    irreversible data loss due to Windows protecting certain information if the
    password is reset.

    I suppose it's possible to change the Identity before the Scheduled Tasks
    object is instanced so that the "Creator" is a known local account... But
    I'll leave that for the developers to handle at a later time.

    IIS settings between the 2 servers are the same. They are both running in
    "worker process isolation mode". The web site application settings are also
    the same, "Scripts and Executables" and "DefaultAppPool". The application
    pool settings are also the same. Both are running under the Network Service.

    The errors are certainly being raised for the IUSR_ SID, and the components
    are registered, but... Of the 20 odd components listed under the COM+
    application, only 1 appears in the DCOM Config list. I have to wonder why
    that one is different? I'm assuming that the 20 use the permissions settings
    from the parent application.

    The MSVC?71.dll's were missing on the production machine although some of
    the components are compiled under VS.NET 2003. Maybe I need to make a
    distribution disk. The 10016 errors occur before any code in the COM
    components is executed.

    The final trick was making sure I had all the permissions set correctly for
    the local user account that is used as the Identity for the COM+ app. It's
    not a member of admin so you have to manually set permissions on the
    folders, files, and registry. Oh, and that dumb problem with the MSVB6
    runtime dll. Some of the components use it so I had to reset the permissions
    on that.

    I'm hoping that MS will release some sort of COM security wizard that'll do
    all these different steps for you...

    Regards...Andrew

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uoGR$YYqFHA.3524@tk2msftngp13.phx.gbl...
    > Hi Andrew,
    >
    > I trust that the way you got all working in the test system was with
    > the component reverted back from system to library component ...
    >
    > Have you examined the IIS settings for the web app in IIS for differences
    > test vs production - in particular the isolation protection level?
    > I do not recall your mentioning that this is IIS 6 not 5, but the IIS
    > config
    > can cause account used to vary.
    > The errors are clearly tagged still to Iusr_ context?
    > I am sure that you know your component is registered,
    > but when you drill into the components mgmt console
    > %windir%\system32\com\comexp.msc
    > you cannot locate it ?
    >
    > Yes, the access denial could be from a dependency of the component,
    > but wouldn't you know if you are or are not trapping all exceptions
    > that may get thrown, and what you are not handling? Anyway, that
    > would assume the component launches to begin with instead of a
    > dependency needed to get that far.
    >
    > So what was the final trick you needed in the test environment anyway?
    > Last I figured from your posts, you found a parameter error in the calling
    > of the component after you got past the perms on the task special folder
    > so enumeration was allowed.
    >
    > Oh yes, on my production IIS I like seeing access errors when ASP
    > failures trigger MDM trying to fire up - ok for it to launch on a dev box
    > but not on the production IIS. That you do not see it mentioned in the
    > event logs on the prod box may mean they have not blocked debugging there.
    >
    > --
    > Roger
    > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
    > news:uAIf9HVqFHA.3204@TK2MSFTNGP10.phx.gbl...
    >> Now that I had resolved the issues on my test server, I'm moving all
    >> files
    >> and performing the various system changes on the new production server,
    > but
    >> I've run into a snag.
    >>
    >> On certain ASP pages the web application checks that the current user has
    >> access to the database. It does this using a VB COM DLL.
    >>
    >> What I'm getting is the DCOM 10016 event being logged everytime I visit a
    >> page using the COM component, and the 'ASP 0178: 8007005' being shown in
    > the
    >> browser. The usual solution is to find the component in the DCOM Config
    > list
    >> and alter the permissions.
    >>
    >> I had a similar problem with this on the test server. Then, when I had
    >> looked at the CLSID in the event, it was the Machine Debug Manager. This
    >> time though it's showing the CLSID for the custom COM component it's
    > trying
    >> to use. Unfortunately, that doesn't show up in the DCOM Config list so I
    >> don't know how to set the permissions.
    >>
    >> Any pointers?
    >>
    >> Regards...Andrew
    >>
    >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> news:eoPJTwypFHA.3048@TK2MSFTNGP10.phx.gbl...
    >> > Tweaking the ACL on the service will let the account inquire
    >> > from the service control manager of the status of the server (or
    >> > if granted start/stop/pause it).
    >> > What account can define a new scheduled task is under the
    >> > internal control of the specific service code. I remember one
    >> > time looking for how to adjust that, and not finishing the search.
    >> > The blob at HKLM\Services\Schedule\Security is not what you
    >> > are after (it is the launch/access info for the service, per the use
    >> > of templates). It is probably the ACL on the "tasks" special
    >> > folder, but I am not certain although there seems no security
    >> > stored in the HKLM\Software\Microsoft\SchedulingAgent key.
    >> > You probably need to try researching this, and then if needed
    >> > posting a thread that makes clear your issue in its subject.
    >> > --
    >> > Roger Abell
    >> > Microsoft MVP (Windows Security)
    >> > MCSE (W2k3,W2k,Nt4) MCDBA
    >> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
    >> > news:%23KnD5AvpFHA.1996@TK2MSFTNGP10.phx.gbl...
    >> >> Yes. This is going to be used for anonymous web access, but since the
    >> >> user
    >> >> has no control over the scheduled tasks in themselves (all the user
    >> >> can
    >> >> do
    >> >> is upload a data file), I don't think there is much risk. When the
    > upload
    >> > is
    >> >> complete, the server automatically writes information about the
    > datafile
    >> > to
    >> >> a database, enumerates the tasks to see if the virus-scan is already
    >> >> running, and if not then it creates a new task for starting a scan
    >> >> against
    >> >> the file the user uploaded.
    >> >>
    >> >> As it happens, there was a mistake in the ASP code in that it wasn't
    >> > setting
    >> >> one of our COM+ objects properties correctly, which was causing the
    >> >> follow
    >> >> on exception, but I hadn't been able to see that until I had got it
    > pass
    >> > the
    >> >> Enumerating Scheduled Tasks error.
    >> >>
    >> >> As of this moment it all works correctly, so long as the IUSR_ account
    > is
    >> >> part of the administrators group. Of course, that will not do in a
    >> >> production environment.
    >> >>
    >> >> I'll go through the KB article you posted Roger and see if I can get
    >> >> it
    >> >> to
    >> >> work that way. Last ditch attempt would be to use NTRights and add
    >> >> each
    >> >> right until it succeeds in creating the task, then remove them all and
    >> >> try
    >> >> again until I can get the minimum needed for it to work.
    >> >>
    >> >> The other way would be for the ASP page to create the COM+ object
    >> >> under
    > a
    >> >> different identity, but I'm not sure how that works... More research
    >> >> is
    >> >> needed.
    >> >>
    >> >> Regards...Andrew
    >> >>
    >> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> >> news:u1AwGitpFHA.3568@TK2MSFTNGP10.phx.gbl...
    >> >> > The accesses you were being denied were to start and to query the
    >> >> > service. I am not so sure that granting those will allow you to
    >> >> > then
    >> >> > schedule a new task, which your subsequent posts make it sound like
    >> >> > you are trying to do. The way I adjust rights to services is to
    > define
    >> >> > a security config editor template that is new, hence totally empty,
    >> >> > and then use the services node to edit the values for the concerned
    >> >> > service, after which one uses the template to analyze and configure
    >> >> > the machine.
    >> >> > That said, I have to wonder what in the world you are wanting to
    >> >> > do this for . . . As it now appears, you are wanting to allow the
    >> >> > Iusr_ account to define new scheduled tasks, and/or to manage
    >> >> > scheduled tasks. But the Iusr_ account is not used for
    >> >> > authenticated
    >> >> > web access, so this means you are wanting to allow anonymous web
    >> >> > browsers to tweak around in the machine's scheduled tasks ??? !!! #
    >> >> > A recipe for disaster that sounds to be.
    >> >> >
    >> >> > --
    >> >> > Roger Abell
    >> >> > Microsoft MVP (Windows Security)
    >> >> > MCSE (W2k3,W2k,Nt4) MCDBA
    >> >> > "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
    > message
    >> >> > news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
    >> >> >> False alarm. Sorry folks. :-(
    >> >> >>
    >> >> >> The reason I got past the previous error when trying to get service
    >> >> >> status
    >> >> >> was that I had added IUSR_ to the local administrators group.
    >> >> >> Adding
    >> > the
    >> >> >> Legacy Component does not correct the problem if I remove IUSR_
    >> >> >> from
    >> > the
    >> >> >> local admin group.
    >> >> >>
    >> >> >> So the question is, what rights do I give IUSR_ to allow it to use
    > the
    >> >> >> Schedule service correctly without making it a local administrator?
    >> >> >>
    >> >> >> I'll be taking a look at NTRights that Roger mentioned.
    >> >> >>
    >> >> >> Regards...Andrew
    >> >> >>
    >> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
    >> >> >> message
    >> >> >> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
    >> >> >> > From what you have said, Roger, and from what the various KB
    >> >> >> > articles
    >> >> >> > concerning that error have led me to, is that the IUSR_ account
    >> >> >> > doesn't
    >> >> >> > have the privileges. Right enough.
    >> >> >> >
    >> >> >> > Now, how to set those privileges?
    >> >> >> >
    >> >> >> > I finally found one way to do it.
    >> >> >> >
    >> >> >> > Using DCOMCNFG, I opened the COM+ library application that
    > contains
    >> > all
    >> >> >> > the COM+ components for the web application, and tried adding a
    >> >> >> > "Component", selecting the Install New Component option and
    > browsing
    >> > to
    >> >> >> > the MSTASK.DLL file. This gives me the error "One or more files
    >> >> >> > do
    >> > not
    >> >> >> > contain component or type libraries. These files cannot be
    >> > installed."
    >> >> >> >
    >> >> >> > So much for Scheduler being a COM component, but then, I use COM
    > to
    >> >> >> > work
    >> >> >> > with it from the VC++ code. Very strange. So I tried to add a new
    >> >> >> > "Legacy
    >> >> >> > Component"...
    >> >> >> >
    >> >> >> > Although the Scheduler doesn't show up with a human-friendly
    >> >> >> > name,
    >> >> >> > as
    >> >> >> > it
    >> >> >> > has no ProgID, it's CLSID was listed so I added it using that.
    >> >> >> > Seemed
    >> >> >> > to
    >> >> >> > work, although it creates an icon with no name. I then changed
    >> >> >> > the
    >> >> >> > identity of the created object to one that has local
    >> >> >> > administrator
    >> >> > rights,
    >> >> >> > and gave local Launch, Activation and Access permissions to the
    >> >> >> > local
    >> >> >> > IUSR_ and NETWORK_SERVICE accounts.
    >> >> >> >
    >> >> >> > Ran through my process again, and I no longer get the 560 for the
    >> >> > Schedule
    >> >> >> > object access but it is generating an Exception that I need to
    >> >> >> > track
    >> >> >> > down.
    >> >> >> >
    >> >> >> > Still, I'm a little further along than I had been, and I hope
    >> >> >> > what
    > I
    >> >> >> > discovered would be useful to someone.
    >> >> >> >
    >> >> >> > Regards...Andrew
    >> >> >> >
    >> >> >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> >> >> > news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
    >> >> >> >>I am not aware what your COM+ component is attempting to do,
    >> >> >> >> but from the event message you post it would appear to me that
    >> >> >> >> a chain of events leading to attempt to get a handle to the
    >> >> >> >> Schedule
    >> >> >> >> service that allows querying and starting that service is
    >> >> >> >> denied.
    >> >> >> >> One does not grant rights to services in the ways you have
    >> >> >> >> attempted
    >> >> >> >> by altering the NTFS permissions on the binaries. Rather you
    > need
    >> >> >> >> to either use security templates or a tool such as NTrights.exe from
    >> >> >> >> the
    >> >> >> >> resource kit.
    >> >> >> >>
    >> >> >> >> --
    >> >> >> >> Roger Abell
    >> >> >> >> Microsoft MVP (Windows Security)
    >> >> >> >> MCSE (W2k3,W2k,Nt4) MCDBA
    >> >> >> >> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in
    >> >> >> >> message
    >> >> >> >> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
    >> >> >> >>> Hi All,
    >> >> >> >>>
    >> >> >> >>> As part of my continuing efforts to get COM+ components running
    >> > under
    >> >> >> >>> Windows 2003 Server SP1, I enabled Object Access auditing and
    > File
    >> >> >> >> auditing,
    >> >> >> >>> and ran through the process that is failing.
    >> >> >> >>>
    >> >> >> >>> One failure event was logged in the security log:
    >> >> >> >>>
    >> >> >> >>> Event Type: Failure Audit
    >> >> >> >>> Event Source: Security
    >> >> >> >>> Event Category: Object Access
    >> >> >> >>> Event ID: 560
    >> >> >> >>> Date: 2005/08/19
    >> >> >> >>> Time: 16:10:44
    >> >> >> >>> User: WIN2003\IUSR_WIN2003
    >> >> >> >>> Computer: WIN2003
    >> >> >> >>> Description:
    >> >> >> >>> Object Open:
    >> >> >> >>> Object Server: SC Manager
    >> >> >> >>> Object Type: SERVICE OBJECT
    >> >> >> >>> Object Name: Schedule
    >> >> >> >>> Handle ID: -
    >> >> >> >>> Operation ID: {0,84340653}
    >> >> >> >>> Process ID: 476
    >> >> >> >>> Image File Name: C:\WINDOWS\system32\services.exe
    >> >> >> >>> Primary User Name: WIN2003$
    >> >> >> >>> Primary Domain: DOMAIN
    >> >> >> >>> Primary Logon ID: (0x0,0x3E7)
    >> >> >> >>> Client User Name: IUSR_WIN2003
    >> >> >> >>> Client Domain: WIN2003
    >> >> >> >>> Client Logon ID: (0x0,0x504A958)
    >> >> >> >>> Accesses: Query status of service
    >> >> >> >>> Start the service
    >> >> >> >>>
    >> >> >> >>> Privileges: -
    >> >> >> >>> Restricted Sid Count: 0
    >> >> >> >>> Access Mask: 0x14
    >> >> >> >>>
    >> >> >> >>>
    >> >> >> >>> For more information, see Help and Support Center at
    >> >> >> >>> http://go.microsoft.com/fwlink/events.asp.
    >> >> >> >>>
    >> >> >> >>> This most certainly is the culprit of the Access Denied error
    > I'm
    >> >> >> >>> getting
    >> >> >> >> in
    >> >> >> >>> my component.
    >> >> >> >>>
    >> >> >> >>> Now... Can anyone help me with granting access to Schedule?
    >> >> >> >>> I've
    >> >> >> >>> tried
    >> >> >> >>> giving IUSR_WIN2003 "read and execute" and "read" permissions
    >> >> >> >>> to
    >> >> >> >>> services.exe and mstask.dll, but to no avail.
    >> >> >> >>>
    >> >> >> >>>
    >> > http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
    >> >> >> >>> mentions something similar with OWA and clusters, but uses
    > Active
    >> >> >> >> Directory
    >> >> >> >>> Users and Computers to change the settings, which doesn't exist
    > on
    >> >> > this
    >> >> >> >>> server as it's not part of Active Directory.
    >> >> >> >>>
    >> >> >> >>> Regards...Andrew
    >> >> >> >>>
    >> >> >> >>>


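An added example, not part of any post in this thread: the 560 failure audit Andrew pasted says the IUSR_WIN2003 token was denied access mask 0x14 on the Schedule service object. The Python below parses that event text (copied from the thread, quote marks stripped), decodes the mask against the SERVICE_* access-right bits from winsvc.h, and builds the SDDL ACE that would grant exactly those two rights to one SID. The SID is a placeholder assumption, not the real IUSR_ SID; the two-letter codes are the ones sc.exe sdshow prints for service objects. Note that this only addresses the denial in the audit: as Roger points out, being able to query and start the service does not by itself let the caller create tasks, and whatever is granted to IUSR_ is granted to every anonymous web visitor.

```python
"""Decode a Windows 'Event ID 560' service-object failure audit and build the
least-privilege SDDL ACE for the denied accesses.

Added example for this thread, not code from the original posts.  EVENT_560
is the audit record Andrew posted, copied here with the quote marks removed;
PLACEHOLDER_SID is an assumption standing in for IUSR_WIN2003's real SID.
"""
import re

# Service-specific access rights (winsvc.h) with the two-letter SDDL codes
# that sc.exe sdshow/sdset use for each bit on a SERVICE OBJECT.
SERVICE_RIGHTS = [
    (0x0001, "SERVICE_QUERY_CONFIG", "CC"),
    (0x0002, "SERVICE_CHANGE_CONFIG", "DC"),
    (0x0004, "SERVICE_QUERY_STATUS", "LC"),
    (0x0008, "SERVICE_ENUMERATE_DEPENDENTS", "SW"),
    (0x0010, "SERVICE_START", "RP"),
    (0x0020, "SERVICE_STOP", "WP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE", "DT"),
    (0x0080, "SERVICE_INTERROGATE", "LO"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL", "CR"),
]
# Standard rights that can also appear in a service access mask.
STANDARD_RIGHTS = [
    (0x00010000, "DELETE", "SD"),
    (0x00020000, "READ_CONTROL", "RC"),
    (0x00040000, "WRITE_DAC", "WD"),
    (0x00080000, "WRITE_OWNER", "WO"),
]

# The event description from the thread (constructed copy, quoting removed).
EVENT_560 = """\
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: Schedule
Handle ID: -
Operation ID: {0,84340653}
Process ID: 476
Image File Name: C:\\WINDOWS\\system32\\services.exe
Primary User Name: WIN2003$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_WIN2003
Client Domain: WIN2003
Client Logon ID: (0x0,0x504A958)
Accesses: Query status of service
Start the service
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x14
"""

PLACEHOLDER_SID = "S-1-5-21-0-0-0-1002"  # assumption: NOT the real IUSR_ SID


def parse_event_560(text):
    """Pull the object and client fields out of a 560 event description."""
    def field(name):
        m = re.search(r"^\s*%s:\s*(.*?)\s*$" % re.escape(name), text, re.M)
        return m.group(1) if m else None

    return {
        "object_type": field("Object Type"),
        "object_name": field("Object Name"),
        "client": "%s\\%s" % (field("Client Domain"), field("Client User Name")),
        "access_mask": int(field("Access Mask"), 16),
    }


def decode_service_mask(mask):
    """Return (right names, SDDL code string, unrecognised bits) for a mask
    taken from a SERVICE OBJECT audit."""
    names, codes, seen = [], [], 0
    for bit, name, code in SERVICE_RIGHTS + STANDARD_RIGHTS:
        if mask & bit:
            names.append(name)
            codes.append(code)
            seen |= bit
    return names, "".join(codes), mask & ~seen


def least_privilege_ace(mask, sid):
    """Build an allow ACE granting only the bits in mask to sid.  Refuses a
    mask with bits the table does not know rather than silently dropping
    them, which would produce an ACE that still leaves the caller denied."""
    _, codes, unknown = decode_service_mask(mask)
    if unknown:
        raise ValueError("unrecognised access bits: 0x%x" % unknown)
    return "(A;;%s;;;%s)" % (codes, sid)


if __name__ == "__main__":
    ev = parse_event_560(EVENT_560)
    names, codes, _ = decode_service_mask(ev["access_mask"])
    print("%s denied 0x%x on %s %r: %s" % (
        ev["client"], ev["access_mask"], ev["object_type"],
        ev["object_name"], ", ".join(names)))
    print("ACE to splice into the `sc sdshow Schedule` descriptor:",
          least_privilege_ace(ev["access_mask"], PLACEHOLDER_SID))
```

`sc sdshow Schedule` prints the service's current security descriptor and `sc sdset Schedule <sddl>` replaces the whole descriptor, so the generated ACE has to be spliced into the existing D: list rather than handed over on its own, or every other principal loses access. This is the targeted alternative to the two approaches the thread rejects: adding IUSR_ to the local Administrators group, or adding rights one at a time with NTRights until something works.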