IIS 6 and system's object namespace
on 26.10.2007 23:19:54 by Roger Abell
This is perhaps a bit extreme, but I wonder if anyone might have a hint on
this.
I have to support multiuser/multiowner webs in multiple sites on IIS 6,
which is no problem, except that they also require FPSE/SharePoint
extensions. As we know, those extensions are lame when it comes to ACLing
content.
So, I have been exploring a new route for content isolation in order to
contain content authors from one another's content and in order to contain
the backend accounts from the areas of other backend accounts on which the
extensions plug grants to Network and Interactive.
In order to break the effect of the excessive grants I am exploring use of
not granting Bypass traverse checking to any of the browsing accounts
(restricted access webs), the authoring accounts, or the backend accounts
(read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
accounts is no problem. I have in place NTFS failure audit for any failure
by any account on any partition (system and/or content), and am running
clean.
But once Bypass traverse is taken away from the iwam* accounts, when an app
pool needs to spin up it fails.
The eventlog trace of this is:
- a sequence of 5 attempts to start the pool, each failing and recording in
system log
Warning from source W3SVC, category none, EventID 1009
Message text is:
A process serving application pool 'EnpubPool' terminated unexpectedly. The
process id was '3440'. The process exit code was '0xffffffff'.
- simultaneous with each of these 5 messages is a failure message in
Application log
Error from W3SVC-WP, category none, EventID 2269
Message text is:
The worker process failed to initialize the http.sys communication or the
w3svc communication layer and therefore could not be started. The data field
contains the error number.
The data is access denied code 80070005
- these are followed by one system log message
Error from W3SVC, category none, EventID 1002
Message text is:
Application pool 'EnpubPool' is being automatically disabled due to a series
of failures in the process(es) serving that application pool.
Again, there are no failures recorded at the NTFS level.
I have used Sysinternals WinObj to set a grant to the iwam* account group of
List + Read Control on \Device\Http in the object namespace, as there were
grants to only System and Administrators (which by the way included a
"Special" that the Advanced view in WinObj does not illuminate, and which I
was not able to grant to the iwam* group). There is a grant on both higher
object nodes to Everyone.
If I grant Bypass traverse check to the iwam* group all is fine.
So, there is a grant, I had assumed in the Windows object namespace, that is
missing.
In fact, until this I was not aware that Bypass traverse governed access
checks on other than NTFS, but it quite apparently does.
Anyone with any ideas as to where the missing grant might be? or how to
trace into this to find it?
I am not sure that this new approach is less or more of a performance drag
than results from defining unique app pools for each web that is able to
dynamically alter serverside execution (the IIS 5 parallel to which was
not too bad, but IIS 6 is more heavyweight), and recognize that the excess
empowerment of the Interactive and Network grants is only mostly, not
totally, nullified.
But at this point I am just trying to find from where the access denial
arises when Bypass traverse checking is taken away for the iwam* account
group.
Thanks for reading all that, by the way.
Roger
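A worked companion to the event trace in the post above, added here as an example; it is not code from Roger or from Microsoft. It groups the W3SVC 1009 / W3SVC-WP 2269 / W3SVC 1002 events by application pool, counts the crashes that trip rapid-fail protection, and decodes the binary data field of event 2269 into the HRESULT (the "80070005" Roger reports is E_ACCESSDENIED stored as a little-endian DWORD). Assumptions: PowerShell 2.0 or later on the IIS host; the events in $sample are constructed to mirror the ones quoted in the post, and the commented Get-EventLog lines are how you would feed it the live System and Application logs.

```powershell
# Added example (not from the thread): correlate the W3SVC 1009 / W3SVC-WP 2269 /
# W3SVC 1002 sequence and pull the HRESULT out of event 2269's binary data field.
# Assumes PowerShell 2.0+ on the IIS host; $sample below is constructed test data.

function ConvertTo-HResultText {
    # The 2269 "data field" is a little-endian DWORD; 0x80070005 is E_ACCESSDENIED.
    param([byte[]]$Data)
    if (-not $Data -or $Data.Length -lt 4) { return 'no data' }
    $hr = [BitConverter]::ToUInt32($Data, 0)
    if ($hr -eq 0x80070005) { return 'E_ACCESSDENIED (0x80070005)' }
    return ('0x{0:X8}' -f $hr)
}

function Get-PoolFailureChain {
    # Group 1009/1002 by the pool name in the message text and attach the 2269
    # errors that fall in the same window. Five 1009s followed by a 1002 is
    # rapid-fail protection disabling the pool, exactly the trace in the post.
    param([object[]]$Events, [int]$WindowMinutes = 5)
    $chains = @{}
    foreach ($e in ($Events | Sort-Object TimeGenerated)) {
        if ($e.Source -eq 'W3SVC' -and $e.Message -match "application pool '([^']+)'") {
            $pool = $Matches[1]
            if (-not $chains.ContainsKey($pool)) {
                $chains[$pool] = New-Object PSObject -Property @{
                    Pool = $pool; Crashes = 0; Disabled = $false
                    First = $e.TimeGenerated; Errors = @()
                }
            }
            $c = $chains[$pool]
            if ($e.EventID -eq 1009) { $c.Crashes++ }
            if ($e.EventID -eq 1002) { $c.Disabled = $true }
        }
    }
    # 2269 does not name the pool, so match it to any chain active in the window.
    foreach ($e in ($Events | Where-Object { $_.Source -eq 'W3SVC-WP' -and $_.EventID -eq 2269 })) {
        foreach ($c in $chains.Values) {
            if ([math]::Abs(($e.TimeGenerated - $c.First).TotalMinutes) -le $WindowMinutes) {
                $c.Errors += ConvertTo-HResultText $e.Data
            }
        }
    }
    $chains.Values | ForEach-Object { $_.Errors = $_.Errors | Select-Object -Unique; $_ }
}

# Constructed sample mirroring the post: 5 x (1009 + 2269), then 1002 for 'EnpubPool'.
$t0 = Get-Date '2007-10-26 23:00:00'
$denied = [byte[]](0x05, 0x00, 0x07, 0x80)      # 0x80070005, little-endian
$sample = @()
for ($i = 0; $i -lt 5; $i++) {
    $sample += New-Object PSObject -Property @{
        Log = 'System'; Source = 'W3SVC'; EventID = 1009; TimeGenerated = $t0.AddSeconds(10 * $i)
        Message = "A process serving application pool 'EnpubPool' terminated unexpectedly. The process id was '3440'. The process exit code was '0xffffffff'."
        Data = $null }
    $sample += New-Object PSObject -Property @{
        Log = 'Application'; Source = 'W3SVC-WP'; EventID = 2269; TimeGenerated = $t0.AddSeconds(10 * $i)
        Message = 'The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started. The data field contains the error number.'
        Data = $denied }
}
$sample += New-Object PSObject -Property @{
    Log = 'System'; Source = 'W3SVC'; EventID = 1002; TimeGenerated = $t0.AddSeconds(60)
    Message = "Application pool 'EnpubPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool."
    Data = $null }

Get-PoolFailureChain -Events $sample | Format-Table Pool, Crashes, Disabled, Errors -AutoSize

# Against the live classic logs (last hour) on the IIS host:
# $live = @(Get-EventLog -LogName System -Source W3SVC -After (Get-Date).AddHours(-1)) +
#         @(Get-EventLog -LogName Application -Source W3SVC-WP -After (Get-Date).AddHours(-1))
# Get-PoolFailureChain -Events $live
```

The point of decoding the data field rather than eyeballing "80070005" is that E_ACCESSDENIED at worker-process initialisation means an access check failed somewhere other than the content tree, which is why the NTFS failure audit stays clean.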
Re: IIS 6 and system's object namespace
on 28.10.2007 05:01:16 by David Wang
On Oct 26, 2:19 pm, "Roger Abell [MVP]" wrote:
I don't know the answer, but I know the developers who would know the
answer from both the IIS and HTTP.SYS sides, so I will pass your
question on to them.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: IIS 6 and system's object namespace
on 29.10.2007 07:12:56 by Roger Abell
"David Wang" wrote in message
news:1193544076.689868.13760@v23g2000prn.googlegroups.com...
Thanks David.
I found it both curious and troublesome.
While one still needs to use unique Iusr/Iwam accounts per web
if one must guarantee full isolation, if this works without excessive
overhead for the lack of bypass then it does make dealing with the
extension's permissioning trivial instead of quite complex.
Roger
Re: IIS 6 and system's object namespace
on 31.10.2007 01:47:31 by David Wang
On Oct 28, 11:12 pm, "Roger Abell [MVP]" wrote:
I'm waiting for the responses since a couple of the key people
involved with the design/implementation you are asking about have
since moved onto other teams and projects, so it may take a little
while. I can spend some of my "personal brownie points" to get the
answers.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: IIS 6 and system's object namespace
on 31.10.2007 09:27:11 by Roger Abell
"David Wang" wrote in message
news:1193791651.739344.87830@e9g2000prf.googlegroups.com...
I need to take the time to port the build concepts to a W2k8 test.
If the same has persisted into IIS7 then perhaps the points could
earn more than spent. As is it has sort of dead-ended my known,
quick ways to dig in further, and the technique is just a convenient
(highly so though) way to deal with part of the containment issue,
but only at added (not reduced) containment overheads.
If I make any motion I'll post here, or if very far in the future, just a new thread.
Should you hear anything from the initial feelers feel free to ping me
at mvps.org, you know, the email addr is either first or last name there.
Meantime I've been thinking on with whom to follow up from the
non-IIS specific angle of what all is impacted by the bypass user right;
it's sort of the same how much capital to spend question there too.
Roger
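For the "how to trace into this" question from the first post and the W2k8 test Roger mentions above, here is an added example of the two checks a practitioner would run first; it is not code from anyone in the thread. The first helper reads who currently holds "Bypass traverse checking" (SeChangeNotifyPrivilege) out of a secedit user-rights export, the second switches on auditing of object-manager directories and base named objects so a denied open somewhere under \Device or \BaseNamedObjects is written to the Security log with the object name, which is the trace the NTFS failure audit could never produce. Assumptions: elevated PowerShell 2.0 on Windows Server 2008; 'IIS_IWAM_Pools' and the 'IWAM' pattern are placeholder names for whatever group the pool identities are in; AuditBaseDirectories and AuditBaseObjects are LSA registry values (the latter is the registry form of "Audit: Audit the access of global system objects") that only take effect for objects created after a reboot; that these denials land in the "Kernel Object" subcategory is an assumption to verify with auditpol /get on your build.

```powershell
# Added example (not from the thread). Assumes elevated PowerShell 2.0 on Server 2008;
# account/group names are placeholders; AuditBaseDirectories/AuditBaseObjects need a
# reboot before existing objects (such as \Device\Http) carry the audit SACL.

function Get-PrivilegeHolders {
    # Parse secedit's export: "SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,..."
    param([string]$Privilege = 'SeChangeNotifyPrivilege')
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }           # right assigned to nobody at all
    ([string]$line -split '=', 2)[1].Split(',') | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {            # '*' marks a SID; resolve it to a name when possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $v.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v.Substring(1) }
        } else { $v }
    }
}

function Test-HoldsPrivilege {
    # Direct listing only: pass the group you assigned the right to, not a nested member.
    param([string]$Account, [string]$Privilege = 'SeChangeNotifyPrivilege')
    $holders = Get-PrivilegeHolders -Privilege $Privilege
    $short = $Account.Split('\')[-1]
    [bool]($holders | Where-Object { $_ -eq $Account -or $_.Split('\')[-1] -eq $short })
}

function Enable-ObjectNamespaceAuditing {
    # Object-manager directories and base named objects get a SACL at creation only
    # when these LSA values are set; after a reboot, failure auditing under Object
    # Access records the denied open together with the account and the object name.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name AuditBaseDirectories -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name AuditBaseObjects     -Value 1 -Type DWord
    # Server 2008 per-subcategory policy (assumed subcategory; on Server 2003 enable the
    # local policy "Audit object access: Failure" instead, auditpol is not built in there).
    & auditpol.exe /set /subcategory:"Kernel Object" /failure:enable | Out-Null
    Write-Warning 'Reboot, reproduce the app pool start, then run Get-ObjectDenials.'
}

function Get-ObjectDenials {
    # Security 4656 ("A handle to an object was requested") failures name the object
    # the caller was denied on; filter them down to the pool identities.
    param([string]$AccountPattern = 'IWAM', [int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and $_.Message -match $AccountPattern } |
        ForEach-Object {
            $obj = if ($_.Message -match 'Object Name:\s*(\S.*)') { $Matches[1].Trim() } else { '?' }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Id = $_.Id; Object = $obj }
        }
}

# Usage on the host (elevated):
#   Get-PrivilegeHolders                          # who has Bypass traverse checking now
#   Test-HoldsPrivilege -Account 'IIS_IWAM_Pools' # placeholder group name
#   Enable-ObjectNamespaceAuditing                # then reboot and start the pool
#   Get-ObjectDenials -AccountPattern 'IWAM'      # which object refused the open
```

Once the object shows up in a 4656 failure, that is the node to grant on (traverse on an object-manager directory, or open rights on the device object), rather than handing the whole group the Bypass traverse checking right back and losing the containment the scheme was built for.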