Can we use wildcards with NETSH HTTP ADD URLACL in Windows 7 / 2008r2?

Question

i'm using IIS7 express and therefore need to unblock port 80 if I wish to hit the website locally and on the default http port. To do this, i use ..

netsh http add urlacl url=http://my.custom.locahost.domain.com:80/ user=mydomain\myusername

is it possible to say something like

netsh http add urlacl url=*:80/ user=*

so basically, anything going to port 80, by anyone, is allowed?

score 25 · Answer 1 · answered Feb 03 '14 at 13:17

25

netsh http add urlacl url=http://+:80/ user=Everyone

Note that the valid value for user actually depends on your system language (Everyone for English, Jeder for German).

answered Feb 03 '14 at 13:17

jgillich

445
5
10

4

+1 For the localization information – Basic Mar 01 '15 at 23:34
"Tout le monde" for French – Drakkin Sep 19 '16 at 08:51
I think, `Jeder` (GER) and `Everyone` (ENG) and `Ĉiuj` (ESO) and `Каждый` (RUS) are ridiculous... But it is MS-approach, and who am I to judge them... – maxkoryukov Apr 18 '18 at 01:08
I really thought this was a joke until the moment I saw it working. – Tarc May 28 '18 at 23:49
System.Security.Principal.SecurityIdentifier sid = new System.Security.Principal.SecurityIdentifier(System.Security.Principal.WellKnownSidType.WorldSid, null); System.Security.Principal.NTAccount acct = sid.Translate(typeof(System.Security.Principal.NTAccount)) as System.Security.Principal.NTAccount ; Console.WriteLine(acct.ToString()); ...as posted by user "LucVK-T" on social.msdn – oo_dev Aug 26 '19 at 13:50

score 15 · Answer 2 · answered Mar 27 '15 at 09:15

15

Basing on @jgillich answer, I propose to do the following:

netsh http add urlacl url=http://+:80/ sddl=D:(A;;GX;;;S-1-1-0)

sddl argument will be virtually the same as user, but you don't need to think of a localized group name. So, it's more universal.

answered Mar 27 '15 at 09:15

Denis V

287
2
7

1

Wouldn't it be better to use S-1-2-0 to only use local users? – Johny Skovdal Aug 14 '15 at 05:38
in our configuration we need domain user support, S-1-2-0 would not work, but if someone can confirm one form is valid for local users and the other for domain users that would be excellent information. – Shaun Wilson Dec 10 '15 at 00:26
1

@DenisV do you have any documentation what "D:(A;;GX;;;S-1-1-0)" means? – Peter Aug 22 '16 at 09:36
2

@Peter maybe this can be an answer: https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/ – Denis V Aug 22 '16 at 18:12
1

@DenisV thanks that explains the first part but not `S-1-1-0` and `S-1-2-0` but it will do! – Peter Aug 23 '16 at 06:27
1

@Peter, [here](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx) you have more information – Sergio Basurco Feb 08 '17 at 12:10
1

This does not seem to work in Windows 10, I get a `Missing closing ')' in expression-.` error. – Håkon K. Olafsen May 07 '18 at 09:42
@HåkonK.Olafsen it does work. Proof: https://snag.gy/8KqaIU.jpg – Denis V May 07 '18 at 15:26
Not here: https://snag.gy/Vke3PJ.jpg @DenisV – Håkon K. Olafsen May 12 '18 at 18:35
1

@HåkonK.Olafsen don't use powershell for this command. Use classic windows shell (cmd.exe). – Denis V May 12 '18 at 18:42

score 5 · Accepted Answer · answered Jun 10 '11 at 18:18

5

See here: http://msdn.microsoft.com/en-us/library/ms733768.aspx which shows this:

netsh http add urlacl url=http://+:80/MyUri user=DOMAIN\user

My understanding is that it will listening to anything at port 80 and if you want it linked to a specific address, you'd actually have to unbind it. That's what I have to do if I want to run IIS and Apache on the same box with both listening to port 80.

For the user, domain\domain users should be a valid domain group which includes everyone.

answered Jun 10 '11 at 18:18

Phillip Jubb

141
1

2

I found that I had to use `*` instead of `+`. My binding looks like ``. Why does `+` work for you? – binki Mar 26 '15 at 14:44
1

@binki Both are valid with slightly different purposes. See [Routing Incoming Requests](https://docs.microsoft.com/en-us/windows/win32/http/routing-incoming-requests) for further information. – lauxjpn Dec 30 '20 at 15:02

score 1 · Answer 4 · answered Oct 26 '21 at 14:39

1

My best guess was to set exactly the same url you add to the listener and do:

 netsh http add urlacl url="[exact same value]" user=%USERDOMAIN%\%USERNAME%

answered Oct 26 '21 at 14:39

Noman_1

121
3

Can we use wildcards with NETSH HTTP ADD URLACL in Windows 7 / 2008r2?

4 Answers4

Linked