Permissions issue on C:\Windows\System32\inetserv

We have Windows 2012 server with IIS 8 on it.

There is an ASP.NET application running on this server which authenticates via a REST API to a separate application. That separate application responds back with an .XML file named login.xml, which the ASP.NET application by default attempts to place in the local C:\Windows\System32\inetsrv folder. The ASP.NET application doesn't ask for this .xml file, and there doesn't seem to be a way to make it so that this file gets dumped somewhere else.

Because the "IIS AppPool\DefaultAppPool" user, which is the identity of the application pool under which the ASP.NET application runs does not have permissons on this C:\Windows\System32\inetserv folder, the .XML file cannot be written there and an error displays in the browser.

In part, the error displayed in the browser reads:

"Access to the path 'C:\windows\system32\inetserv\login.xml' is denied.

I suspect that typically, giving permissions on the "C:\windows\system32\inetserv\" directory to this "IIS AppPool\DefaultAppPool" user would not be such a hot idea security wise, but in our specific case, this would be okay.

In Googling around earlier for a way to find a resolution for the error displayed in the browser, it seems that many people have been able to successfully grant the needed permissions on the folder. However it also seems that in all the posts I am seeing on the subject, the version of IIS in use is 7 or older.

As the local Administrator, I have unsuccessfully tried adding the neccessary permissions for the user to "C:\windows\system32\inetserv\", and have also tried unsuccessfully to uncheck read-only property on the folder, but have been denied because even the Administrator user does not have the rights to change permissions on the folder. Looking closely at the permissions on the folder, all users have "Read & execute", "List folder contents" and "Read" permissions, but Administrators have no extra permissions.

I haven't found anything on the Internet that specifically says that Microsoft has locked down Windows Server 2012 or IIS 8 to where extra permissions cannot be granted on this folder… Can anybody reading this shed some light on why I cannot grant these permisssions?

Also, a related question – This server is located in AWS, built from an AMI provided by Amazon. Is it possible that Amazon's AMI's are specially hardened in some manner, to deny these kinds of permissions changes, to keep servers hosted by AWS as secure as possible?

Thanks,
Mike

NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)

Best Answer

The default permissions for system32\inetsrv on Server 2012 are:

Administrators have modify permissions, which means either AWS defaults are different or someone else already changed permissions.

The main problem you have is that your ASP.NET application is trying to write into inetsrc, that's a No-No. Contact whoever wrote the app to ask them to fix it.

If you really want to change permissions on inetsrv, you first need to change the ownership to administrators

takeown.exe /F .\inetsrv /R /A

the default owner on 2012 is TrustedInstaller

then you can add modify permissions for the AppPool identity.

As you correctly stated, this weakends security and may compromise the whole server, so really try to fix the app first.

Best Answer

Related Solutions

Security – ASP.net user account permissions in IIS 7 on Windows 2008 server

Continuing permissions issues – ASP.net, IIS 7, Server 2008 – 0x80070005 (http 500.19) error

Related Topic