IIS6 on Win 2003 server ISAPI loadLibrary security problem

Hi,

I have an ISAPI which need load other DLL, which load other dlls. If
this dll is in some directory, which is indicated in system PATH
environment variable I obtain every time
access denied error after loadLibrary call. I tryed set IUSR_ ..
account with even full control on dll directory still no way to make it
work. It work only if all necessary dlls are in

...\system32\inetsrv directory (which is work dir for inetinfo.exe)

Any one can advise me how to make it work from my specific directory?

(on win2k with IIS5 it work fine)

Thx.

Re: IIS6 on Win 2003 server ISAPI loadLibrary security problem

Based on your description, I suspect you are talking about an ISAPI Filter
loading DLLs.

Actually, security permissions has always worked the same between IIS5 and
IIS6 for ISAPIs. So really, there's no problem here...

You just happen to use some haphazard behavior which worked on IIS5; we are
forcing you to intentionally make it work on IIS6 for security reasons.
Breaking code like this is generally good for security, even if it means
extra work comes out of it -- we are forcing the user to think and deal with
security because it is definitely not something just for the OS to worry
about:

http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User _Identity_to_Run_Code_Part_2.aspx
http://blogs.msdn.com/david.wang/archive/2005/09/30/Thoughts _on_IIS_Security_vs_Apache.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/01/Thoughts _on_IIS_Security_vs_Apache_Part_2.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Laco" wrote in message
news:1141668866.758220.101210@i40g2000cwc.googlegroups.com.. .
> Hi,
>
> I have an ISAPI which need load other DLL, which load other dlls. If
> this dll is in some directory, which is indicated in system PATH
> environment variable I obtain every time
> access denied error after loadLibrary call. I tryed set IUSR_ ..
> account with even full control on dll directory still no way to make it
> work. It work only if all necessary dlls are in
>
> ..\system32\inetsrv directory (which is work dir for inetinfo.exe)
>
> Any one can advise me how to make it work from my specific directory?
>
> (on win2k with IIS5 it work fine)
>
> Thx.
>

Re: IIS6 on Win 2003 server ISAPI loadLibrary security problem

Thx, for respond.

Nop, it is not a ISAPI fiter. It is regular ISAPI extension, Which use
other regular dlls for its internal data processing. There is no
problem to load ISAPI from IIS. it work fine, problem starts later,
when loaded ISAPI need to call one regular dll ( i wrote it ) and this
dll use third party dlls to work on images.

Let me explain better. I have ISAPI: HxIMGServerISAPI.dll just
extend IIS for WebGis procesing
then i have HxJPGServer.dll which i use in all my programs for JPG
management (not only web based) this dll call
many others dlls when work with images.

When i call HxIMGServerISAPI.dll, to process my request, it load
HxJPGServer.dll. Then HxJPGServer.dll loads all other dlls to work.

I wanted to put my HxJPGServer.dll with other dlls in one dir (
different from ...\system32\intesrv) to have some order in things on my
server. And it wan't work, only if all dlls are in ..\system32\inetsrv
it works fine. It seems that command LoadLibrary, which i call to load
HxJPGServer.dll dont make search in dirs which are in PATH system
variable.

laco.

Re: IIS6 on Win 2003 server ISAPI loadLibrary security problem

I believe path resolution is documented to be changed on Windows Server 2003
for security reasons.

I'm not certain that system32\inetsrv matters because it's not in the PATH.

ISAPI Extension runs as impersonated identity (comes from authentication -
see my blog entries in the prior response) so all your DLLs need to be
accessible to that identity.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Laco" wrote in message
news:1141722850.215368.140070@z34g2000cwc.googlegroups.com.. .
> Thx, for respond.
>
> Nop, it is not a ISAPI fiter. It is regular ISAPI extension, Which use
> other regular dlls for its internal data processing. There is no
> problem to load ISAPI from IIS. it work fine, problem starts later,
> when loaded ISAPI need to call one regular dll ( i wrote it ) and this
> dll use third party dlls to work on images.
>
> Let me explain better. I have ISAPI: HxIMGServerISAPI.dll just
> extend IIS for WebGis procesing
> then i have HxJPGServer.dll which i use in all my programs for JPG
> management (not only web based) this dll call
> many others dlls when work with images.
>
> When i call HxIMGServerISAPI.dll, to process my request, it load
> HxJPGServer.dll. Then HxJPGServer.dll loads all other dlls to work.
>
> I wanted to put my HxJPGServer.dll with other dlls in one dir (
> different from ...\system32\intesrv) to have some order in things on my
> server. And it wan't work, only if all dlls are in ..\system32\inetsrv
> it works fine. It seems that command LoadLibrary, which i call to load
> HxJPGServer.dll dont make search in dirs which are in PATH system
> variable.
>
> laco.
>

Re: IIS6 on Win 2003 server ISAPI loadLibrary security problem

Thx, for interest, i like your glog. :)

Re: IIS6 on Win 2003 server ISAPI loadLibrary security problem

Thx, for interest, i like your blog. :)