
iis security : IIS Out of Process Pooled Applications Security


Smurfman
2/28/2006 9:34:27 AM
Good Afternoon,

Recently one of the following windows updates / hotfixes for my Windows 2000
Server, altered the security settings of my "IIS Out of Process Pooled
Applications" COM object. This caused my web server to stop working...

The account that was displayed was the IWAM_machine account, I noted that
the username was present, but not the password with ******** in the field
under it. In calling for software support for my third party web
application, they altered the user account to be "Interactive User" (One
Logged in to the Computer).

Here are my questions:

1) What hotfix would have affected the setting or password?

2) Is there anything wrong in making the security for Out of Process Pooled
Applications as the "Interactive User"?

3) If the user really should be the IWAM account, how do I sync the IWAM
account password with the COM object so that the password is present in the
fields?

4) Is there greater security in having the user as the interactive or as the
IWAM account?

5) Making it the interactive user account, does this mean that someone with
rights to run the COM service, needs to log into the machine, and remain
logged in at all times? (In the past I could just reboot the server, and
leave it at the logon screen no user was required to log in.)

----

Windows updates - After the reboot the IIS Out of Process Pooled application
service would not start, I got event 36 for the server failing to load
'/LM/W3SVC/1/ROOT', the error was the "Server Execution Failed".

Attempting to start the service in COM Services, resulted in an error 80080005

Thanks
J

Here is the list of fixes:

KB
--
890830 - Mal Software Removal Tool
911564 - Media Player Plugin Update
829019 - .NET Framework 2.0
900725 - Security Updates for W2K
905749 - (same)
908519 - (same)
899589 - (same)
912919 - (same)
901017 - (same)
904706 - (same)
908523 - (same)
896424 - (same)
902400 - (same)
905414 - (same)
905915 - Cumulative Update for IE6 SP1
905495 - Security Update for IE6 SP1
v-yren NO[at]SPAM online.microsoft.com
3/1/2006 12:00:00 AM
Hi J,

Thanks for posting!

For the current issue, I think the issue is caused by the security.

> "...the username was present, but not the password with ******** in the field
> under it."

Actually, the password is generated by the operating system itself. So, for
security reasons, we cannot see it.

> "...altered the user account to be "Interactive User" (One Logged in to the
> Computer)."

Does this mean the third party software modifies the identity to
"Interactive User"?

As far as I know, the hot-fix performs this for security reasons. This
means there is a potential risk when changing the identity to "Interactive User".

> "...account password with the COM object so that the password is present in the
> fields?"

You can use adsutil.vbs to obtain the IWAM password like below:
"cscript.exe adsutil.vbs get w3svc/wamuserpass"

> "...the IWAM account?"

Actually, the identity of IIS out-of-process applications is supposed to be the IWAM account.
Microsoft doesn't recommend changing this.

> "...with rights to run the COM service, needs to log into the machine, and
> remain logged in at all times? (In the past I could just reboot the
> server, and leave it at the logon screen no user was required to log in.)"

This means that when users access the web site, they potentially have the same
rights as the user who is logged on to the system. I think this is not secure
enough.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
Smurfman
3/7/2006 7:31:27 AM
Thanks for the info that you provided.

I have an update...things are still broken...

1) The Adsutil.vbs script needed to be modified to show me the password
without a mask of **********

2) I did this change, and retrieved the password.

3) I entered the password in the IIS Out-of-Process Pooled applications
component but the setting will not stay there. By this I mean that if I
enter the password, click okay, then go back in to look at the identity tab
of the service, it shows the IWAM account, but with no Password.

I followed the steps and suggestions in KB 297989, whereby I entered the
password for the Users and Groups IWAM account; this too did not make a
difference, the password will not remain. And the Web Site will not function
unless the user is Interactive.

---

I then followed suggestions from my Third Party Vendor to delete the IIS
Utilities / IIS In-Process Applications, and the IIS Out-of-Process Pooled
Applications objects, by unchecking the Disable Deletion setting, and then
running the following.

From the inetsrv directory at a cmd prompt, I ran:

rundll32 wamreg.dll, CreateIISPackage
regsvr32 asptxn.dll

After that step, the IIS objects I deleted prior were re-created, and the
IWAM account was present in the Out of Process pooled applications object on
the identity tab. But once again there was no password present.

Even still the Website would not function...

I had to change the setting back to Interactive User to allow the site to
continue to function. Note that in each of these tests I bounced IIS using
the iisreset /restart command to get a fresh load.

A member of the Third Party software team has indicated that the
Interactive user setting is not what their software is designed to require,
and they are not suggesting that the change be made, yet they did...perhaps
as just a work-around at this point.

Please let me know what you suggest next.

Thanks
J


v-yren NO[at]SPAM online.microsoft.com
3/9/2006 12:00:00 AM
Hi J,

Thanks for your reply!

From your description, my understanding is that you want to know why the
password of the IWAM user is not masked with asterisks. If I have
misunderstood anything, please let me know.

As far as I know, the IWAM user in Windows 2000 is different from the one in
Windows Server 2003. The password field is not masked with asterisks but is
actually blank. So, as the application works well after changing the identity to the
IWAM account, I think there is no problem at the current stage.

Thanks for your understanding!

Regards

Yuan Ren [MSFT]
Microsoft Online Support