| Groups | Blog | Home |
iis security : IIS7: CreateProcessWithLogonW access denied
prior to v7, but fails with access denied (5) on v7. Any ideas on a what permissions are required for this to work? Thanks. [StructLayout(LayoutKind.Sequential)] internal struct PROCESS_INFORMATION { internal IntPtr hProcess; internal IntPtr hThread; internal int dwProcessId; internal int dwThreadId; } [StructLayout(LayoutKind.Sequential)] internal struct STARTUPINFO { internal int cb; [MarshalAs(UnmanagedType.LPTStr)] internal string lpReserved; [MarshalAs(UnmanagedType.LPTStr)] internal string lpDesktop; [MarshalAs(UnmanagedType.LPTStr)] internal string lpTitle; internal int dwX; internal int dwY; internal int dwXSize; internal int dwYSize; internal int dwXCountChars; internal int dwYCountChars; internal int dwFillAttribute; internal int dwFlags; internal short wShowWindow; internal short cbReserved2; internal IntPtr lpReserved2; internal IntPtr hStdInput; internal IntPtr hStdOutput; internal IntPtr hStdError; } [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] internal static extern bool CreateProcessWithLogonW(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonFlags, string applicationName, StringBuilder commandLine, int creationFlags, IntPtr environment, string currentDirectory, ref STARTUPINFO sui, out PROCESS_INFORMATION processInfo); //dwLogonFlags Specifies the logon option const int LOGON_WITH_PROFILE = 1; const int LOGON_NETCREDENTIALS_ONLY = 2; //dwCreationFlags - Specifies how the process is created const int CREATE_UNICODE_ENVIRONMENT = 0x00000400; //dwCreationFlags parameter controls the new process's priority class const int NORMAL_PRIORITY_CLASS = 0x00000020; const int IDLE_PRIORITY_CLASS = 0x00000040; const int HIGH_PRIORITY_CLASS = 0x00000080; const int REALTIME_PRIORITY_CLASS = 0x00000100; const int BELOW_NORMAL_PRIORITY_CLASS = 0x00004000; const int ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000; string app = "cmd"; StringBuilder p = new StringBuilder(); p.Append("/c dir"); PROCESS_INFORMATION processInfo; STARTUPINFO startInfo = new STARTUPINFO(); startInfo.cb = Marshal.SizeOf(startInfo); startInfo.lpDesktop = "winsta0\\default"; if (CreateProcessWithLogonW(user, ".", pwd, LOGON_NETCREDENTIALS_ONLY, app, p, NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT, IntPtr.Zero, "", ref startInfo, out processInfo)) { Response.Write("<p>Started with Process ID " + processInfo.dwProcessId.ToString() + "</p>"); } else { Response.Write(Marshal.GetLastWin32Error()); }
I believe Code Access Security for ASP.Net was "Low" prior to IIS7/
Vista, which allowed code like yours to work with ASP.Net, but it was *horribly* insecure. In IIS7 it was raised to "Medium", which will make code like yours fail. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Jun 17, 2:53=A0pm, "Kyle Alons" <re...@to.newsgroup> wrote:
> Code like this in an ASP.NET web page (code behind .cs file) works in IIS > prior to v7, but fails with access denied (5) on v7. =A0Any ideas on a wha= t > permissions are required for this to work? =A0Thanks. > > =A0 =A0 [StructLayout(LayoutKind.Sequential)] > =A0 =A0 internal struct PROCESS_INFORMATION > =A0 =A0 { > =A0 =A0 =A0 =A0 internal IntPtr hProcess; > =A0 =A0 =A0 =A0 internal IntPtr hThread; > =A0 =A0 =A0 =A0 internal int dwProcessId; > =A0 =A0 =A0 =A0 internal int dwThreadId; > =A0 =A0 } > > =A0 =A0 [StructLayout(LayoutKind.Sequential)] > =A0 =A0 internal struct STARTUPINFO > =A0 =A0 { > =A0 =A0 =A0 =A0 internal int cb; > =A0 =A0 =A0 =A0 [MarshalAs(UnmanagedType.LPTStr)] > =A0 =A0 =A0 =A0 internal string lpReserved; > =A0 =A0 =A0 =A0 [MarshalAs(UnmanagedType.LPTStr)] > =A0 =A0 =A0 =A0 internal string lpDesktop; > =A0 =A0 =A0 =A0 [MarshalAs(UnmanagedType.LPTStr)] > =A0 =A0 =A0 =A0 internal string lpTitle; > =A0 =A0 =A0 =A0 internal int dwX; > =A0 =A0 =A0 =A0 internal int dwY; > =A0 =A0 =A0 =A0 internal int dwXSize; > =A0 =A0 =A0 =A0 internal int dwYSize; > =A0 =A0 =A0 =A0 internal int dwXCountChars; > =A0 =A0 =A0 =A0 internal int dwYCountChars; > =A0 =A0 =A0 =A0 internal int dwFillAttribute; > =A0 =A0 =A0 =A0 internal int dwFlags; > =A0 =A0 =A0 =A0 internal short wShowWindow; > =A0 =A0 =A0 =A0 internal short cbReserved2; > =A0 =A0 =A0 =A0 internal IntPtr lpReserved2; > =A0 =A0 =A0 =A0 internal IntPtr hStdInput; > =A0 =A0 =A0 =A0 internal IntPtr hStdOutput; > =A0 =A0 =A0 =A0 internal IntPtr hStdError; > =A0 =A0 } > > =A0 =A0 [DllImport("advapi32.dll", CharSet =3D CharSet.Auto, SetLastError = =3D true)] > =A0 =A0 internal static extern bool CreateProcessWithLogonW(String lpszUse= rname, > =A0 =A0 =A0 =A0 String lpszDomain, String lpszPassword, int dwLogonFlags, = string > applicationName, > =A0 =A0 =A0 =A0 StringBuilder commandLine, int creationFlags, IntPtr envir= onment, > string currentDirectory, > =A0 =A0 =A0 =A0 ref STARTUPINFO sui, out PROCESS_INFORMATION processInfo);= > > =A0 =A0 //dwLogonFlags Specifies the logon option > =A0 =A0 const int LOGON_WITH_PROFILE =3D 1; > =A0 =A0 const int LOGON_NETCREDENTIALS_ONLY =3D 2; > > =A0 =A0 //dwCreationFlags - Specifies how the process is created > =A0 =A0 const int CREATE_UNICODE_ENVIRONMENT =3D 0x00000400; > > =A0 =A0 //dwCreationFlags parameter controls the new process's priority cl= ass > =A0 =A0 const int NORMAL_PRIORITY_CLASS =3D 0x00000020; > =A0 =A0 const int IDLE_PRIORITY_CLASS =3D 0x00000040; > =A0 =A0 const int HIGH_PRIORITY_CLASS =3D 0x00000080; > =A0 =A0 const int REALTIME_PRIORITY_CLASS =3D 0x00000100; > =A0 =A0 const int BELOW_NORMAL_PRIORITY_CLASS =3D 0x00004000; > =A0 =A0 const int ABOVE_NORMAL_PRIORITY_CLASS =3D 0x00008000; > > string app =3D "cmd"; > > StringBuilder p =3D new StringBuilder(); > > p.Append("/c dir"); > > PROCESS_INFORMATION processInfo; > STARTUPINFO startInfo =3D new STARTUPINFO(); > startInfo.cb =3D Marshal.SizeOf(startInfo); > startInfo.lpDesktop =3D "winsta0\\default"; > > if (CreateProcessWithLogonW(user, ".", pwd, > =A0 =A0 =A0 =A0LOGON_NETCREDENTIALS_ONLY, app, p, > =A0 =A0 =A0 =A0NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT, IntPtr.= Zero, "", > ref startInfo, out processInfo)) > =A0 =A0 =A0{ > =A0 =A0 =A0 =A0 =A0 =A0 Response.Write("<p>Started with Process ID " + > processInfo.dwProcessId.ToString() + "</p>"); > =A0 =A0 } > =A0 =A0 else > =A0 =A0 { > =A0 =A0 =A0 =A0 Response.Write(Marshal.GetLastWin32Error()); > =A0 =A0 }
[quoted text, click to view]
"David Wang" <w3.4you@gmail.com> wrote in message Vista, which allowed code like yours to work with ASP.Net, but it wasnews:535a7732-0e28-425f-b38b-6c5792e97d54@u36g2000prf.googlegroups.com... >I believe Code Access Security for ASP.Net was "Low" prior to IIS7/ *horribly* insecure. Is there an alternative that works with the new default security setting?
[quoted text, click to view]
On Jun 18, 5:04=A0am, "Kyle Alons" <re...@to.newsgroup> wrote: > "David Wang" <w3.4...@gmail.com> wrote in message > > news:535a7732-0e28-425f-b38b-6c5792e97d54@u36g2000prf.googlegroups.com...= >I believe Code Access Security for ASP.Net was "Low" prior to IIS7/ > > Vista, which allowed code like yours to work with ASP.Net, but it was > *horribly* insecure. > > Is there an alternative that works with the new default security setting? There is no alternative for your type of code to work with the default setting -- that would be allowing the very security vulnerabilities which were closed by changing the default. Your choices are to either change the default or modify the default Code Access Security on your system. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
[quoted text, click to view]
>There is no alternative for your type of code to work with the default setting -- that would be allowing the very security vulnerabilitieswhich were closed by changing the default. [quoted text, click to view] >Your choices are to either change the default or modify the default Code Access Security on your system.How is that done?
[quoted text, click to view]
On Jun 19, 10:20=A0am, "Kyle Alons" <re...@to.newsgroup> wrote: > >There is no alternative for your type of code to work with the default > > setting -- that would be allowing the very security vulnerabilities > which were closed by changing the default. > > >Your choices are to either change the default or modify the default > > Code Access Security on your system. > > How is that done? I highly recommend searching on the terms "Modify Code Access Security" to arrive at good answers for your question. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
[quoted text, click to view]
>I highly recommend searching on the terms "Modify Code Access Security" to arrive at good answers for your question.Based on http://msdn.microsoft.com/en-us/library/aa302425.aspx, I added a trust element to machine.config (both 32- and 64-bit flavors): <system.web> <!-- level="[Full|High|Medium|Low|Minimal]" --> <trust level="Full" originUrl=""/> </system.web> but still get access denied.
[quoted text, click to view]
On Jun 20, 12:03=A0pm, "Kyle Alons" <re...@to.newsgroup> wrote: > >I highly recommend searching on the terms "Modify Code Access > > Security" to arrive at good answers for your question. > > Based onhttp://msdn.microsoft.com/en-us/library/aa302425.aspx, I added a > trust element to machine.config (both 32- and 64-bit flavors): > > <system.web> > =A0 <!-- level=3D"[Full|High|Medium|Low|Minimal]" --> > =A0 <trust level=3D"Full" originUrl=3D""/> > </system.web> > > but still get access denied. How are you certain your settings actually took place at the scope you desire... //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
[quoted text, click to view]
>How are you certain your settings actually took place at the scope you desire...I'm not certain of much, but changing the setting does seem to have some effect. "Full" results in GetLastError of 5 (access denied), while High or Medium results in: Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. .... and Low or Minimal gives: Server Error in '/Test' Application. -------------------------------------------------------------------------------- Debugging is not supported under current trust level settings. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Web.HttpException: Debugging is not supported under current trust level settings.
Do you need to use cmd.exe. Try another EXE.
//David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Jun 21, 9:03=A0pm, "Kyle Alons" <re...@to.newsgroup> wrote:
> >How are you certain your settings actually took place at the scope you > > desire... > > I'm not certain of much, but changing the setting does seem to have some > effect. =A0"Full" results in GetLastError of 5 (access denied), while Hig= h or > Medium results in: > > Security Exception > Description: The application attempted to perform an operation not allowe= d > by the security policy. =A0To grant this application the required permiss= ion > please contact your system administrator or change the application's trus= t > level in the configuration file. > > Exception Details: System.Security.SecurityException: Request for the > permission of type 'System.Security.Permissions.SecurityPermission, > mscorlib, Version=3D2.0.0.0, Culture=3Dneutral, PublicKeyToken=3Db77a5c56= 1934e089' > failed. > ... > > and Low or Minimal gives: > > Server Error in '/Test' Application. > -------------------------------------------------------------------------= --=AD----- > > Debugging is not supported under current trust level settings. > Description: An unhandled exception occurred during the execution of the > current web request. Please review the stack trace for more information > about the error and where it originated in the code. > > Exception Details: System.Web.HttpException: Debugging is not supported > under current trust level settings.
[quoted text, click to view]
On Jun 23, 10:26=A0am, "Kyle Alons" <re...@to.newsgroup> wrote: > >Do you need to use cmd.exe. Try another EXE. > > I've tried with xcopy, cscript, and a bogus (non-existent) exe and get th= e > same result. Those are all EXE in System32, which like CMD.EXE have "special" ACLs that prevent them from being launched remotely from IIS. CMD.EXE has further security checks inside of it to prevent being used to launch batch scripts launched remotely from IIS. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
[quoted text, click to view]
>Do you need to use cmd.exe. Try another EXE. I've tried with xcopy, cscript, and a bogus (non-existent) exe and get the same result.
[quoted text, click to view]
>Those are all EXE in System32, which like CMD.EXE have "special" ACLs that prevent them from being launched remotely from IIS.Even a bogus EXE like 'blah'? I also have the same problem with a custom console executable (which is what I was using originally). It and the others previously mentioned (except the non-existent one, but that one doesn't result in access denied either) work properly from ASP.NET on Win XP/2003, but I haven't found a way to get it to work in 2008.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |