On Oct 26, 2:19 pm, "Roger Abell [MVP]" <mvpnos...@asu.edu> wrote:
> This is perhaps a bit extreme, but I wonder if anyone might have a hint on
> this.
>
> I have to support multiuser/multiowner webs in multiple sites on IIS 6,
> which is no problem, except that they also require FPSE/Sharepoint
> extensions. As we know, those extensions are lame when it comes to ACLing
> content.
>
> So, I have been exploring a new route for content isolate in order to
> contain content authors from one another's content and in order to contain
> the backend accounts from the areas of other backend accounts on which the
> extensions plug grants to Network and Interactive.
>
> In order to break the effect of the excessive grants I am exploring use of
> not granting Bypass traverse checking to any of the browsing accounts
> (restricted access webs), the authoring accounts, or the backend accounts
> (read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
> accounts is no problem. I have in place NTFS failure audit for any failure
> by any account on any partition (system and/or content), and am running
> clean.
>
> But once Bypass traverse is taken away from the iwam* accounts, when an app
> pool needs to spin up it fails.
>
> The eventlog trace of this is:
>
> - a sequence of 5 attempts to start the pool, each failing and recording in
> system log
> Warning from source W3SVC, category none EventID 1009
> Message text is:
> A process serving application pool 'EnpubPool' terminated unexpectedly. The
> process id was '3440'. The process exit code was '0xffffffff'.
>
> - simultaneous with each of these 5 messages is a failure message in
> Application log
> Error from W3SVC-WP, category none, EventID 2269
> Message text is:
> The worker process failed to initialize the http.sys communication or the
> w3svc communication layer and therefore could not be started. The data field
> contains the error number.
> The data is access denied code 80070005
>
> - these are followed by one system log message
> Error from W3SVC, category none, EventID 1002
> Message text is:
> Application pool 'EnpubPool' is being automatically disabled due to a series
> of failures in the process(es) serving that application pool.
>
> Again, there are no failures recorded at the NTFS level.
>
> I have used Sysinternals WinObj to set a grant to the iwam* account group of
> List + Read Control on \Device\Http in the object namespace, as there were
> grants to only System and Administrators (which by the way included a
> "Special" that the Advanced view in WinObj does not illuminate, and which I
> was not able to grant to the iwam* group). There is a grant on both higher
> objects nodes to Everyone.
>
> If I grant Bypass traverse check to the iwam* group all is fine.
> So, there is a grant, I had assumed in the Windows object namespace, that is
> missing.
> In fact, until this I was not aware that Bypass traverse governed access
> checks on other than NTFS, but it quite apparently does.
>
> Anyone with any ideas as to where the missing grant might be? or how to
> trace into this to find it?
>
> I am not sure that this new approach is less or more of a performance drag
> than results from defining unique app pools for each web that is able to
> dynamically alter serverside execution (the in IIS 5 parallel to which was
> not too bad but IIS 6 is more heavyweight), and recognize that the excess
> empowerment of the Interactive and Network grants is only mostly, not
> totally, nullified.
>
> But at this point I am just trying to find from where the access denial
> arises when Bypass traverse checking is taken away for the iwam* account
> group.
>
> Thanks for reading all that, by the way.
> Roger

"David Wang" <w3.4you@gmail.com> wrote in message
news:1193544076.689868.13760@v23g2000prn.googlegroups.com...
> On Oct 26, 2:19 pm, "Roger Abell [MVP]" <mvpnos...@asu.edu> wrote:
>> This is perhaps a bit extreme, but I wonder if anyone might have a hint
>> on
>> this.
>>
>> I have to support multiuser/multiowner webs in multiple sites on IIS 6,
>> which is no problem, except that they also require FPSE/Sharepoint
>> extensions. As we know, those extensions are lame when it comes to
>> ACLing
>> content.
>>
>> So, I have been exploring a new route for content isolate in order to
>> contain content authors from one another's content and in order to
>> contain
>> the backend accounts from the areas of other backend accounts on which
>> the
>> extensions plug grants to Network and Interactive.
>>
>> In order to break the effect of the excessive grants I am exploring use
>> of
>> not granting Bypass traverse checking to any of the browsing accounts
>> (restricted access webs), the authoring accounts, or the backend accounts
>> (read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
>> accounts is no problem. I have in place NTFS failure audit for any
>> failure
>> by any account on any partition (system and/or content), and am running
>> clean.
>>
>> But once Bypass traverse is taken away from the iwam* accounts, when an
>> app
>> pool needs to spin up it fails.
>>
>> The eventlog trace of this is:
>>
>> - a sequence of 5 attempts to start the pool, each failing and recording
>> in
>> system log
>> Warning from source W3SVC, category none EventID 1009
>> Message text is:
>> A process serving application pool 'EnpubPool' terminated unexpectedly.
>> The
>> process id was '3440'. The process exit code was '0xffffffff'.
>>
>> - simultaneous with each of these 5 messages is a failure message in
>> Application log
>> Error from W3SVC-WP, category none, EventID 2269
>> Message text is:
>> The worker process failed to initialize the http.sys communication or the
>> w3svc communication layer and therefore could not be started. The data
>> field
>> contains the error number.
>> The data is access denied code 80070005
>>
>> - these are followed by one system log message
>> Error from W3SVC, category none, EventID 1002
>> Message text is:
>> Application pool 'EnpubPool' is being automatically disabled due to a
>> series
>> of failures in the process(es) serving that application pool.
>>
>> Again, there are no failures recorded at the NTFS level.
>>
>> I have used Sysinternals WinObj to set a grant to the iwam* account group
>> of
>> List + Read Control on \Device\Http in the object namespace, as there
>> were
>> grants to only System and Administrators (which by the way included a
>> "Special" that the Advanced view in WinObj does not illuminate, and which
>> I
>> was not able to grant to the iwam* group). There is a grant on both
>> higher
>> objects nodes to Everyone.
>>
>> If I grant Bypass traverse check to the iwam* group all is fine.
>> So, there is a grant, I had assumed in the Windows object namespace, that
>> is
>> missing.
>> In fact, until this I was not aware that Bypass traverse governed access
>> checks on other than NTFS, but it quite apparently does.
>>
>> Anyone with any ideas as to where the missing grant might be? or how to
>> trace into this to find it?
>>
>> I am not sure that this new approach is less or more of a performance
>> drag
>> than results from defining unique app pools for each web that is able to
>> dynamically alter serverside execution (the in IIS 5 parallel to which
>> was
>> not too bad but IIS 6 is more heavyweight), and recognize that the excess
>> empowerment of the Interactive and Network grants is only mostly, not
>> totally, nullified.
>>
>> But at this point I am just trying to find from where the access denial
>> arises when Bypass traverse checking is taken away for the iwam* account
>> group.
>>
>> Thanks for reading all that, by the way.
>> Roger
>
>
>
> I don't know the answer, but I know the developers who would know the
> answer from both the IIS and HTTP.SYS sides, so I will pass your
> question onto them.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>

On Oct 28, 11:12 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1193544076.689868.13760@v23g2000prn.googlegroups.com...
>
>
>
>
>
> > On Oct 26, 2:19 pm, "Roger Abell [MVP]" <mvpnos...@asu.edu> wrote:
> >> This is perhaps a bit extreme, but I wonder if anyone might have a hint
> >> on
> >> this.
>
> >> I have to support multiuser/multiowner webs in multiple sites on IIS 6,
> >> which is no problem, except that they also require FPSE/Sharepoint
> >> extensions. As we know, those extensions are lame when it comes to
> >> ACLing
> >> content.
>
> >> So, I have been exploring a new route for content isolate in order to
> >> contain content authors from one another's content and in order to
> >> contain
> >> the backend accounts from the areas of other backend accounts on which
> >> the
> >> extensions plug grants to Network and Interactive.
>
> >> In order to break the effect of the excessive grants I am exploring use
> >> of
> >> not granting Bypass traverse checking to any of the browsing accounts
> >> (restricted access webs), the authoring accounts, or the backend accounts
> >> (read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
> >> accounts is no problem. I have in place NTFS failure audit for any
> >> failure
> >> by any account on any partition (system and/or content), and am running
> >> clean.
>
> >> But once Bypass traverse is taken away from the iwam* accounts, when an
> >> app
> >> pool needs to spin up it fails.
>
> >> The eventlog trace of this is:
>
> >> - a sequence of 5 attempts to start the pool, each failing and recording
> >> in
> >> system log
> >> Warning from source W3SVC, category none EventID 1009
> >> Message text is:
> >> A process serving application pool 'EnpubPool' terminated unexpectedly.
> >> The
> >> process id was '3440'. The process exit code was '0xffffffff'.
>
> >> - simultaneous with each of these 5 messages is a failure message in
> >> Application log
> >> Error from W3SVC-WP, category none, EventID 2269
> >> Message text is:
> >> The worker process failed to initialize the http.sys communication or the
> >> w3svc communication layer and therefore could not be started. The data
> >> field
> >> contains the error number.
> >> The data is access denied code 80070005
>
> >> - these are followed by one system log message
> >> Error from W3SVC, category none, EventID 1002
> >> Message text is:
> >> Application pool 'EnpubPool' is being automatically disabled due to a
> >> series
> >> of failures in the process(es) serving that application pool.
>
> >> Again, there are no failures recorded at the NTFS level.
>
> >> I have used Sysinternals WinObj to set a grant to the iwam* account group
> >> of
> >> List + Read Control on \Device\Http in the object namespace, as there
> >> were
> >> grants to only System and Administrators (which by the way included a
> >> "Special" that the Advanced view in WinObj does not illuminate, and which
> >> I
> >> was not able to grant to the iwam* group). There is a grant on both
> >> higher
> >> objects nodes to Everyone.
>
> >> If I grant Bypass traverse check to the iwam* group all is fine.
> >> So, there is a grant, I had assumed in the Windows object namespace, that
> >> is
> >> missing.
> >> In fact, until this I was not aware that Bypass traverse governed access
> >> checks on other than NTFS, but it quite apparently does.
>
> >> Anyone with any ideas as to where the missing grant might be? or how to
> >> trace into this to find it?
>
> >> I am not sure that this new approach is less or more of a performance
> >> drag
> >> than results from defining unique app pools for each web that is able to
> >> dynamically alter serverside execution (the in IIS 5 parallel to which
> >> was
> >> not too bad but IIS 6 is more heavyweight), and recognize that the excess
> >> empowerment of the Interactive and Network grants is only mostly, not
> >> totally, nullified.
>
> >> But at this point I am just trying to find from where the access denial
> >> arises when Bypass traverse checking is taken away for the iwam* account
> >> group.
>
> >> Thanks for reading all that, by the way.
> >> Roger
>
> > I don't know the answer, but I know the developers who would know the
> > answer from both the IIS and HTTP.SYS sides, so I will pass your
> > question onto them.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> Thanks David.
>
> I found it both curious and troublesome.
>
> While one still needs to use unique Iusr/Iwam accounts per web
> if one must guarantee full isolation, if this works without excessive
> overhead for the lack of bypass then it does make dealing with the
> extension's permissioning trivial instead of quite complex.
>
> Roger- Hide quoted text -
>
> - Show quoted text -

"David Wang" <w3.4you@gmail.com> wrote in message
news:1193791651.739344.87830@e9g2000prf.googlegroups.com...
> On Oct 28, 11:12 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> "David Wang" <w3.4...@gmail.com> wrote in message
>>
>> news:1193544076.689868.13760@v23g2000prn.googlegroups.com...
>>
>>
>>
>>
>>
>> > On Oct 26, 2:19 pm, "Roger Abell [MVP]" <mvpnos...@asu.edu> wrote:
>> >> This is perhaps a bit extreme, but I wonder if anyone might have a
>> >> hint
>> >> on
>> >> this.
>>
>> >> I have to support multiuser/multiowner webs in multiple sites on IIS
>> >> 6,
>> >> which is no problem, except that they also require FPSE/Sharepoint
>> >> extensions. As we know, those extensions are lame when it comes to
>> >> ACLing
>> >> content.
>>
>> >> So, I have been exploring a new route for content isolate in order to
>> >> contain content authors from one another's content and in order to
>> >> contain
>> >> the backend accounts from the areas of other backend accounts on which
>> >> the
>> >> extensions plug grants to Network and Interactive.
>>
>> >> In order to break the effect of the excessive grants I am exploring
>> >> use
>> >> of
>> >> not granting Bypass traverse checking to any of the browsing accounts
>> >> (restricted access webs), the authoring accounts, or the backend
>> >> accounts
>> >> (read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
>> >> accounts is no problem. I have in place NTFS failure audit for any
>> >> failure
>> >> by any account on any partition (system and/or content), and am
>> >> running
>> >> clean.
>>
>> >> But once Bypass traverse is taken away from the iwam* accounts, when
>> >> an
>> >> app
>> >> pool needs to spin up it fails.
>>
>> >> The eventlog trace of this is:
>>
>> >> - a sequence of 5 attempts to start the pool, each failing and
>> >> recording
>> >> in
>> >> system log
>> >> Warning from source W3SVC, category none EventID 1009
>> >> Message text is:
>> >> A process serving application pool 'EnpubPool' terminated
>> >> unexpectedly.
>> >> The
>> >> process id was '3440'. The process exit code was '0xffffffff'.
>>
>> >> - simultaneous with each of these 5 messages is a failure message in
>> >> Application log
>> >> Error from W3SVC-WP, category none, EventID 2269
>> >> Message text is:
>> >> The worker process failed to initialize the http.sys communication or
>> >> the
>> >> w3svc communication layer and therefore could not be started. The data
>> >> field
>> >> contains the error number.
>> >> The data is access denied code 80070005
>>
>> >> - these are followed by one system log message
>> >> Error from W3SVC, category none, EventID 1002
>> >> Message text is:
>> >> Application pool 'EnpubPool' is being automatically disabled due to a
>> >> series
>> >> of failures in the process(es) serving that application pool.
>>
>> >> Again, there are no failures recorded at the NTFS level.
>>
>> >> I have used Sysinternals WinObj to set a grant to the iwam* account
>> >> group
>> >> of
>> >> List + Read Control on \Device\Http in the object namespace, as there
>> >> were
>> >> grants to only System and Administrators (which by the way included a
>> >> "Special" that the Advanced view in WinObj does not illuminate, and
>> >> which
>> >> I
>> >> was not able to grant to the iwam* group). There is a grant on both
>> >> higher
>> >> objects nodes to Everyone.
>>
>> >> If I grant Bypass traverse check to the iwam* group all is fine.
>> >> So, there is a grant, I had assumed in the Windows object namespace,
>> >> that
>> >> is
>> >> missing.
>> >> In fact, until this I was not aware that Bypass traverse governed
>> >> access
>> >> checks on other than NTFS, but it quite apparently does.
>>
>> >> Anyone with any ideas as to where the missing grant might be? or how
>> >> to
>> >> trace into this to find it?
>>
>> >> I am not sure that this new approach is less or more of a performance
>> >> drag
>> >> than results from defining unique app pools for each web that is able
>> >> to
>> >> dynamically alter serverside execution (the in IIS 5 parallel to which
>> >> was
>> >> not too bad but IIS 6 is more heavyweight), and recognize that the
>> >> excess
>> >> empowerment of the Interactive and Network grants is only mostly, not
>> >> totally, nullified.
>>
>> >> But at this point I am just trying to find from where the access
>> >> denial
>> >> arises when Bypass traverse checking is taken away for the iwam*
>> >> account
>> >> group.
>>
>> >> Thanks for reading all that, by the way.
>> >> Roger
>>
>> > I don't know the answer, but I know the developers who would know the
>> > answer from both the IIS and HTTP.SYS sides, so I will pass your
>> > question onto them.
>>
>> > //David
>> >http://w3-4u.blogspot.com
>> >http://blogs.msdn.com/David.Wang
>> > //
>>
>> Thanks David.
>>
>> I found it both curious and troublesome.
>>
>> While one still needs to use unique Iusr/Iwam accounts per web
>> if one must guarantee full isolation, if this works without excessive
>> overhead for the lack of bypass then it does make dealing with the
>> extension's permissioning trivial instead of quite complex.
>>
>> Roger- Hide quoted text -
>>
>> - Show quoted text -
>
>
> I'm waiting for the responses since a couple of the key people
> involved with the design/implementation you are asking about have
> since moved onto other teams and projects, so it may take a little
> while. I can spend some of my "personal brownie points" to get the
> answers.
>