HOWTO: Run Console Applications from IIS6 on Windows Server 2003

Question:

I need some help on the following: I am trying to execute the netstat command inside a PHP script using PHP on a Windows Server 2003. The problem is that I am having a problem getting the netstat command to exec, since it requires administration privilege but PHP does not have such privilege and runs as an anonymous user - if I change PHP to run as an administrator it will open up security holes on the system. I have tried to rename the netstat command to another name and moved it to another folder, given the new exec administrator privileges - and then changed my script to exec() that file instead. This solution however did not work, so what can I do to get around the problem? Anyone have any ideas what and how I should go about doing this and not open my server to internet hackers?

But let me explain - the command netstat is running in a PHP script as a shell exec function, but since PHP runs as an anonymous user and the netstat command requires administrator access, we are getting file permission problems. Any ideas or workaround for this one? Anyone have an idea how one can do this in Microsoft Server 2003?

> netstat -n | find "66.98.253.115:5000" | find /C "ESTABLISHED"

Answer:

Actually, NetStat.exe, along with most console programs in the Windows System32 directory, does NOT require administrator privileges to execute. For example, I run NetStat.exe as an unprivileged user all the time.

What you are actually observing is a Security enhancement of NTFS ACLs made in Windows Server 2003 against remote anonymous exploitation of the server.

If you look at the ACLs of most console programs in System32 on Windows Server 2003, you will see combinations of the following NTFS ACLs:

  • Interactive:R
  • Service:R
  • Batch:R
  • TelnetClients:R
  • Administrators:F
  • System:F

How this interacts with IIS6 is very simple. IIS runs as an unprivileged user account and performs an unprivileged, non-interactive NETWORK_CLEARTEXT user login for the authenticating user account, and this user identity is used to execute the request. Now, this user identity is usually not included in any of the aforementioned ACLs. This means that if you log in via IIS, you MUST be an Administrator to be able to read and execute those programs.

Meanwhile, if you log in via the console or remote desktop, it would be considered an interactive login and the Interactive:R ACL will grant that user, even if unprivileged, permission to read and execute those programs.

This is why an unprivileged local console login of the anonymous user can run NetStat.exe while the network login of the same anonymous user cannot run NetStat.exe.

In short, your solutions include:

  1. Keep the file's ACLs the same and somehow run PHP exec() as an Administrator or System
  2. Change the file's ACLs to include your unprivileged user and run PHP exec() as the unprivileged user

Both actions have their pros and cons. You can weigh them and decide the best choice for your situation. The first option is a security vulnerability because your applications needlessly run with elevated privileges all the time. The second option weakens system security by allowing an unprivileged remote user the ability to run certain console applications on the server. But such is the security decision that you must make: every permission and program granted to remote anonymous users opens up a new attack surface. IIS6 and Windows Server 2003 merely bring that to your attention front and center.

//David
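
To see the logon-type effect described above on a real file, the following PowerShell script (an added example, not code from the original post) reads a program's NTFS ACL and replays the allow/deny decision for a token that differs only in its logon-type SID. `Test-ReadExecute`, the placeholder account SID and the token contents are assumptions made for illustration; a real token also carries the account's group SIDs, and the check ignores ACE ordering and generic rights.

```powershell
# Added example: replays the ACL decision for one file under each logon type.
# Well-known SIDs Windows adds to a token according to how the logon was made.
$LogonSids = @{ Network = 'S-1-5-2'; Batch = 'S-1-5-3'; Interactive = 'S-1-5-4'; Service = 'S-1-5-6' }

function Test-ReadExecute {
    param(
        [string]   $Path,      # program to check, e.g. netstat.exe
        [string[]] $TokenSids  # SIDs carried by the caller's token
    )
    $need  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl   = Get-Acl -Path $Path
    # Ask for SIDs rather than names so the match does not depend on OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $granted = 0
    foreach ($rule in $rules) {
        if ($TokenSids -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny') {
            # Simplification: any matching deny of a needed bit fails the check.
            if ($rights -band $need) { return $false }
        } else {
            $granted = $granted -bor $rights
        }
    }
    return (($granted -band $need) -eq $need)
}

# Constructed token contents: one unprivileged account, identical except for
# the logon-type SID. The account SID is a placeholder, not a real account.
$account = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$exe     = Join-Path $env:SystemRoot 'System32\netstat.exe'

foreach ($type in 'Interactive', 'Network') {
    $token = @($account, $LogonSids[$type])
    $ok    = Test-ReadExecute -Path $exe -TokenSids $token
    '{0,-12} logon: read/execute allowed = {1}' -f $type, $ok
}
```

Run it from a console session that can read the file's ACL. Against an ACL like the one listed above, only the Interactive token matches an allow entry; after choosing option 2, rerun it with the account's real SID to confirm that the grant covers that account and nothing broader.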

Comments

  • Anonymous
    April 21, 2006
    David please help me. We started a site http://www.dreamkeralatourism.com . But it is not getting rank at Google. Our site gives idea about Kerala tours and Kerala travel etc.
    Please suggest a good answer how to get ranked on Google.

    Faithfully,
    Jhony

  • Anonymous
    April 22, 2006
    Jhony - I'd love to be able to help, but I don't even know how and why my blog is getting indexed and ranked by Google... much less how to do this for any website. So, sorry, I cannot help with this...

    //David

  • Anonymous
    April 23, 2006
    Hi David,
    I have a similar problem - creating scheduled tasks from an asp. When I try to create a scheduled task from an asp on Win 2k Server, the task gets created hassle free; but on Win 2k3 Server the creation fails. I have tried to change the permissions on both system32 dir and schtasks.exe and it's still not working.
    Any ideas why this is happening??

  • Anonymous
    April 28, 2006
    I finally have enough blog entries about various portions of IIS6 request processing that I can stitch...

  • Anonymous
    April 17, 2008
    David Needed your help - we are trying to run dirquota with command strings from ASP.NET using system.diagnostic method but it seems to do nothing and fail with access denied... Any ideas? Sachin (sduggal@nivio.com)

  • Anonymous
    April 17, 2008
    Hello, thanks for the article. I am also trying to run dirquota from ASP.NET and I am not able to. I am not getting an error, but the quota is simply not set. I have created a batch file that has other commands (CD, MD) and finally dirquota, but for some reason all the commands are executed except for the dirquota. I tried just to run notepad.exe or CMD.exe and again it is not running without giving any errors. What should I do?

  • Anonymous
    April 18, 2008
    Raffee - please determine the required permissions to run dirquota, and then ensure that ASP.Net executes that command with an account with the necessary permissions. You should find the answers to all those questions in other posts on my blog. //David

  • Anonymous
    April 30, 2012
    Great post! Very useful and reliable, thank you for sharing your knowledge…with us…David please advise how I can improve www.keralatourismmart.com in Google.