
I was recently tasked with fixing a Windows Server 2003 server running IIS 6.0 that was giving:

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

It started giving these responses after Windows Update patch kb2633880 was applied, which seems to have changed some default permissions with the IUSR_Machine account and the .Net framework directory.

The problem is that all requests for asp.net resources (e.g. .aspx) did not work while everything else did (e.g. text, html). The application is set to serve anonymous requests using the IUSR_machine account and Network Service for the application pool account.

I verified the Network Service account can access the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory just fine, but the IUSR_machine account cannot. After granting the IUSR_machine account access to the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory the problem is resolved. This seems very strange to me.

My question is why isn't IIS using the account of my application pool (Network Service) to load the aspnet_isapi.dll? From the troubleshooting above it seems quite clear that it is in fact using the IUSR_machine for this, which seems like a security hole. The identity tag in web.config is not set either, so that is default.

I would appreciate any advice on this one, thanks.

James

1 Answer

I can't speak to your expectations, but the defaults for pretty much every system or .Net DLL are for Users to have Read access.

Aspnet_ISAPI is both a filter and an extension, so it might be loaded by the W3WP booting (as App Pool account), or by access to a script-mapped file (script mapping actually runs the DLL in the context of the user doing the work, as you'd expect).

TristanK

Comment: What is interesting is that the IUSR_Machine account is a guest and *not* a member of the local users group, but through some mysterious means it still had access to those files even though there is no explicit ACL for that account on that directory. I really want to get to the bottom of this. – James Mar 14 '12 at 16:22
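As an added example (not code from the question or the answer), the PowerShell script below audits which ACEs on the Framework directory grant or deny read access to the anonymous account, matching the account itself, the identities every password-logged-on token carries (Everyone, Authenticated Users), and one level of local group nesting resolved through the WinNT ADSI provider. The path, the account name and PowerShell 2.0 or later are assumptions; adjust them for your server.

```powershell
# Added example, not from the original post. Audits which ACEs on the .NET Framework
# directory grant or deny read access to the IIS anonymous account, directly or via
# local group membership. Path and account name are assumptions; adjust per server.
param(
    [string]$Path    = 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727',
    [string]$Account = "IUSR_$env:COMPUTERNAME"   # placeholder anonymous account
)
$machine = $env:COMPUTERNAME
# Identities present in the token of any account logged on with a password (the IIS
# anonymous logon is one), in addition to the account itself.
$implicit = @('Everyone', 'NT AUTHORITY\Authenticated Users')

# Local groups (WinNT ADSI provider) whose member list contains any of the given names.
function Get-LocalGroupsContaining([string[]]$Names) {
    $computer = [ADSI]"WinNT://$machine,computer"
    foreach ($g in (@($computer.Children) | Where-Object { $_.SchemaClassName -eq 'group' })) {
        $members = @($g.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
        foreach ($n in $Names) {
            if ($members -contains $n) { "BUILTIN\$($g.Name)"; "$machine\$($g.Name)"; break }
        }
    }
}
# Names to match against ACE identities: the account, the implicit identities, and
# local groups that contain any of them (this is how a group ACE can reach the account).
$short = @($Account) + @($implicit | ForEach-Object { $_.Split('\')[-1] })
$identities = @($Account, "$machine\$Account") + $implicit + @(Get-LocalGroupsContaining $short)

# Read access = ReadAndExecute bits (0x1200A9) or the generic read/execute bits that
# appear on some inherited ACEs (GENERIC_READ 0x80000000, GENERIC_EXECUTE 0x20000000).
function Test-GrantsRead([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    $bits = [int64]$Ace.FileSystemRights.value__
    return (($bits -band 0x1200A9) -ne 0) -or (($bits -band 0xA0000000) -ne 0)
}

$hits = @()
foreach ($ace in (Get-Acl -Path $Path).Access) {
    if (($identities -contains $ace.IdentityReference.Value) -and (Test-GrantsRead $ace)) { $hits += $ace }
}
$hits | Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited | Format-Table -AutoSize
# Deny ACEs take precedence over Allow ACEs; report the effective outcome for the account.
if ($hits | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    "$Account is DENIED read on $Path by an explicit Deny ACE"
} elseif ($hits) {
    "$Account can read $Path via: " + (($hits | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')
} else {
    "$Account has no read access to $Path (script-mapped requests will fail with 401.3)"
}
```

Run it before and after applying an update that touches the Framework directory to see exactly which ACE the anonymous account's access depends on.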