IIS Out of Process Pooled Applications Security
on 28.02.2006 18:34:27 by smurfman
Good Afternoon,
Recently, one of the following Windows updates / hotfixes for my Windows 2000
Server altered the security settings of my "IIS Out of Process Pooled
Applications" COM object. This caused my web server to stop working...
The account that was displayed was the IWAM_machine account; I noted that
the username was present, but not the password with ******** in the field
under it. In calling for software support for my third party web
application, they altered the user account to be "Interactive User" (One
Logged in to the Computer).
Here are my questions:
1) What hotfix would have affected the setting or password?
2) Is there anything wrong in making the security for Out of Process Pooled
Applications the "Interactive User"?
3) If the user really should be the IWAM account, how do I sync the IWAM
account password with the COM object so that the password is present in the
fields?
4) Is there greater security in having the user as the interactive or as the
IWAM account?
5) Making it the interactive user account, does this mean that someone with
rights to run the COM service needs to log into the machine and remain
logged in at all times? (In the past I could just reboot the server and
leave it at the logon screen; no user was required to log in.)
----
Windows updates - After the reboot the IIS Out of Process Pooled Applications
service would not start. I got event 36 for the server failing to load
'/LM/W3SVC/1/ROOT'; the error was "Server Execution Failed".
Attempting to start the service in COM Services resulted in error 80080005.
Thanks
J
Here is the list of fixes:
KB
--
890830 - Mal Software Removal Tool
911564 - Media Player Plugin Update
829019 - .NET Framework 2.0
900725 - Security Updates for W2K
905749 - (same)
908519 - (same)
899589 - (same)
912919 - (same)
901017 - (same)
904706 - (same)
908523 - (same)
896424 - (same)
902400 - (same)
905414 - (same)
905915 - Cumulative Update for IE6 SP1
905495 - Security Update for IE6 SP1
904368 - Update for W2K
RE: IIS Out of Process Pooled Applications Security
on 01.03.2006 08:52:40 by v-yren
Hi J,
Thanks for posting!
For the current issue, I think the issue is caused by the security.
>"The account that was displayed was the IWAM_machine account, I noted that
the username was present, but not the password with ******** in the field
under it."
Actually, the password is generated by the operating system itself. So, for
security reasons, we cannot see it.
>"In calling for software support for my third party web application, they
altered the user account to be "Interactive User" (One Logged in to the
Computer)."
Does this mean the third party software modifies the identity to
"Interactive User"?
>"1) What hotfix would have affected the setting or password?"
As far as I know, the hotfix does this for security reasons. This
means there is a potential risk when changing the identity to "Interactive User".
>"3) If the user really should be the IWAM account, how do I sync the IWAM
account password with the COM object so that the password is present in the
fields?"
You can use adsutil.vbs to obtain the IWAM password like below:
"cscript.exe adsutil.vbs get w3svc/wamuserpass"
>"4) Is there greater security in having the user as the interactive or as
the IWAM account?"
Actually, the identity of the IIS out-of-process application is supposed to be the IWAM account.
Microsoft doesn't recommend changing this.
>"5) Making it the interactive user account, does this mean that someone
with rights to run the COM service, needs to log into the machine, and
remain logged in at all times? (In the past I could just reboot the
server, and leave it at the logon screen no user was required to log in.)"
This means that when users access the web site, they potentially have the same
rights as the user who is logged on to the system. I think this is not secure
enough.
Regards,
Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
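One way to check (and, when wanted, repair) the mismatch behind question 3, i.e. whether the COM+ application identity still matches the IWAM account and password recorded in the IIS metabase. This is an added VBScript example, not code from the thread or from Microsoft; it assumes IIS 5.0 on Windows 2000, local administrator rights, and the COM+ application name as it appears in Component Services.

```vbscript
' Added example (not from the thread): compare the IWAM identity recorded in the
' IIS metabase with the identity of the COM+ application that hosts pooled
' out-of-process web applications and, when run with /fix, copy the metabase
' password into COM+. Assumes IIS 5.0 / Windows 2000 and a local administrator.
Option Explicit

Const APP_NAME = "IIS Out-Of-Process Pooled Applications"   ' name shown in Component Services
Dim fix : fix = (WScript.Arguments.Count > 0 And LCase(WScript.Arguments(0)) = "/fix")

' 1. IWAM credentials as IIS knows them (the same metabase values adsutil.vbs reads).
Dim w3svc : Set w3svc = GetObject("IIS://localhost/W3SVC")
Dim wamUser : wamUser = w3svc.WAMUserName
Dim wamPass : wamPass = w3svc.WAMUserPass

' 2. The COM+ catalog entry for the pooled out-of-process application.
Dim catalog : Set catalog = CreateObject("COMAdmin.COMAdminCatalog")
Dim apps : Set apps = catalog.GetCollection("Applications")
apps.Populate

Dim app, identity, found
found = False
For Each app In apps
    If StrComp(app.Name, APP_NAME, vbTextCompare) = 0 Then
        found = True
        identity = app.Value("Identity")
        WScript.Echo "Metabase IWAM account    : " & wamUser
        WScript.Echo "COM+ application identity: " & identity
        If StrComp(identity, "Interactive User", vbTextCompare) = 0 Then
            ' Requests then run with the rights of whoever is logged on at the console.
            WScript.Echo "WARNING: identity is Interactive User; web requests inherit the console user's rights."
        ElseIf StrComp(identity, wamUser, vbTextCompare) <> 0 Then
            WScript.Echo "WARNING: COM+ identity differs from the metabase IWAM account."
        End If
        If fix Then
            ' The password is never printed; it is copied straight from the metabase.
            app.Value("Identity") = wamUser
            app.Value("Password") = wamPass
            apps.SaveChanges
            WScript.Echo "COM+ identity set to " & wamUser & " with the metabase password."
        End If
    End If
Next
If Not found Then WScript.Echo "COM+ application '" & APP_NAME & "' was not found."
```

After a /fix run, restart IIS (the thread's own `iisreset /restart`) so the package is reloaded under the updated identity.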
RE: IIS Out of Process Pooled Applications Security
on 07.03.2006 16:31:27 by smurfman
Thanks for the info that you provided.
I have an update...things are still broken...
1) The Adsutil.vbs script needed to be modified to show me the password
without a mask of **********
2) I did this change, and retrieved the password.
3) I entered the password in the IIS Out-of-Process Pooled Applications
component, but the setting will not stay there. By this I mean that if I
enter the password, click okay, then go back in to look at the identity tab
of the service, it shows the IWAM account, but with no password.
I followed the steps and suggestions in KB 297989, whereby I entered the
password for the Users and Groups IWAM account; this too did not make a
difference, the password will not remain. And the web site will not function
unless the user is Interactive.
---
I then followed suggestions from my Third Party Vendor to delete the IIS
Utilities / IIS In-Process Applications and the IIS Out-of-Process Pooled
Applications objects, by unchecking the Disable Deletion setting and then
running the following.
From the inetsrv directory at a cmd prompt, I ran:
rundll32 wamreg.dll, CreateIISPackage
regsvr32 asptxn.dll
After that step, the IIS objects I deleted prior were re-created, and the
IWAM account was present in the Out of Process pooled applications object on
the identity tab. But once again there was no password present.
Even still the Website would not function...
I had to change the setting back to Interactive User to allow the site to
continue to function. Note that in each of these tests I bounced IIS using
the iisreset /restart command to get a fresh load.
A member of the Third Party software team has indicated that the
Interactive User setting is not what their software is designed to require,
and they are not suggesting that the change be made, yet they did...perhaps
just as a work-around at this point.
Please let me know what you suggest next.
Thanks
J
RE: IIS Out of Process Pooled Applications Security
on 09.03.2006 06:52:25 by v-yren
Hi J,
Thanks for your reply!
From your description, my understanding is that you want to know why the
password of the IWAM user is not masked with asterisks. If I have
misunderstood anything, please let me know.
As far as I know, the IWAM user in Windows 2000 is different from the one in
Windows Server 2003. The password is not masked with asterisks but actually
shown as blank. So, since the application works well after changing the identity to the
IWAM account, I think there is no problem at the current stage.
Thanks for your understanding!
Regards
Yuan Ren [MSFT]
Microsoft Online Support