Access Denied to system32 folder, writing to file

    Question

  •  

    I have a web application with a custom DLL in the GAC. My application writes to a file that is held in the system32 folder. When the web application is run, an error message stating access denied occurs. I need to be able to write to the file and the file cannot move location.

    Any help would be fantastic

    Thanks

    Thursday, September 06, 2007 3:23 PM

Answers

  •  

    Hello.

    Good news, got it to work.

    By accident I opened my code for my test web application that writes to the XML file in system32 and basically it crashed during conversion from 2003 code. Also I need to be able to have 2003 and 2005 web applications that are able to write to the XML file.

    I ended up with 2003 and 2005 versions of my application and using procmon I saw that when I ran the 2005 version of my application it looked to the right place but had the correct error of access denied.

    In order to use the 2005 code I had to install the .NET Framework 2, that also seemed to correct the 2003 version, which started to look to the right place.

    Using IIS I am trying to get it so both versions can run. If you run them separately they both work.

    The end configuration I ended up with was

    If IIS 6 use NETWORK SERVICE on the file

    If IIS 5 use ASPNET on the file.

    I was working with a Microsoft guy through an MSDN subscription the company I work for has and if you only apply the full control to the file itself it is not a security risk.

    Thanks for everyone's help, and ideas would be great.

     

    Monday, October 01, 2007 4:41 PM
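
The file-scoped grant described in the answer above, as an added example that is not part of the original post: it gives the worker identity rights on a single file and then checks that the containing folder holds no ACE letting that identity create files. The function names, the temp-folder stand-in for the real file, and the Read+Write default are assumptions for illustration.

```powershell
# Added example: grant the worker identity rights on ONE file, then confirm the
# containing folder does not let that identity create files.
function Grant-FileOnlyAccess {
    param(
        [string]$Path,
        [string]$Identity,
        # Assumption: Read+Write is enough for an in-place XML update; this is
        # narrower than the Full Control applied in the thread.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read, Write'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Target must be an existing file, not a folder: $Path"
    }
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-CanCreateFilesIn {
    param([string]$Folder, [string]$Identity)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $Identity
    $sid     = $account.Translate($sidType)
    $create  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    # Only ACEs naming this identity directly are checked; rights obtained
    # through group membership (Users, Everyone) are not evaluated here.
    foreach ($ace in (Get-Acl -LiteralPath $Folder).GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $sid.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $create)) { return $true }
    }
    return $false
}

# Constructed stand-in for the real data file, so the script runs unelevated.
$dir  = Join-Path $env:TEMP 'acl-scope-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$file = Join-Path $dir 'settings.xml'
Set-Content -LiteralPath $file -Value '<settings/>'

$identity = 'NT AUTHORITY\NETWORK SERVICE'   # IIS 6; "$env:COMPUTERNAME\ASPNET" on IIS 5
Grant-FileOnlyAccess -Path $file -Identity $identity
(Get-Acl -LiteralPath $file).Access |
    Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
"Folder lets $identity create files: $(Test-CanCreateFilesIn -Folder $dir -Identity $identity)"
```

Against the real file the script must run elevated, and the folder check should come back False if the grant was kept to the file.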

All replies

  • What type of authentication is your web application configured for? Is it enabled for impersonation?

     

    Thursday, September 06, 2007 5:15 PM
  • Thanks for your reply.

    It uses anonymous authentication, impersonation is not enabled.


    Friday, September 07, 2007 8:28 AM
  • You right click C:\windows\system32 folder > properties > security and add write permission for anonymous user

    or else.. your web app anonymous has to be associated with some local user account.. give permission for that...

    I don't remember, because I used to work with IIS long ago...

    Best instant solution is to remove all security settings for system32, then just add only everyone.. and give full control..
    It's a lot risky, but works !!
    Friday, September 07, 2007 10:17 AM
  • I'm not convinced that granting everyone permissions is a workable solution...

    Change the solution architecture so that it becomes possible to write somewhere else instead of your %System% folder and then grant appropriate permissions on that other location...
    Friday, September 07, 2007 10:51 AM
  •  

    I so agree that it isn't a good idea having full permissions to that folder, however there are too many applications that have to write to that folder so moving it isn't optional I'm afraid.

    Strange thing is that I can write to a file that already exists in the folder system32, but with my web application access is denied. The application needs to write a new file into the system32 folder

    Friday, September 07, 2007 11:30 AM
  •  

    Thanks for your reply.

    I tried using anonymous user with the write permissions on the system32 folder but it didn't work.

    Can you explain what you mean by "your web app anonymous has to be associated with some local user account.. give permission for that..."

    Thanks for help

    Friday, September 07, 2007 11:57 AM
  • Check your local user list
    using lusrmgr.msc at RUN

    and see if there are user names prefixed with IIS_ or IIS
    give permission to that account
    Friday, September 07, 2007 11:59 AM
  • I ran the command in run and I don't have any users starting with IIS_ or IIS. The users I have are


    Administrator

    ASPNET

    Guest

    IUSR_VMTEST01

    IWAM_VMTEST01

    SUPPORT_388945a0

     

    thanks for help

    Friday, September 07, 2007 12:33 PM
  • If impersonation is not enabled then you want to provide sufficient permissions to the ASPNET (or NetworkService) account. This would be the account that all ASP.NET application processes would execute under by default.

    Friday, September 07, 2007 12:48 PM
  • IUSR_VMTEST01
    ASPNET

    It's either one of 'em..
    Please TnE and tell us the results
    Friday, September 07, 2007 12:55 PM
  • Thanks

    I added the code shown below to my web.config file in my web application folder then added IUSR_Computername with full control to C:\, windows and system32 yet I still can't get it to work.

    <system.web>
      <identity impersonate="true"/>
    </system.web>

    Friday, September 07, 2007 1:09 PM
  • Thanks

    I have tried both ASPNET and IUSR_Computername added to C:\, windows and system32 with full control and then tried them individually. They still bring no success :(


    Friday, September 07, 2007 1:13 PM
  • If you move the file to a different location does the error persist? I just want to make certain that the "access denied" error is related to the file in question and not another file. You could also try using the Process Explorer or Process Monitor utilities to try and nail this down.

    Friday, September 07, 2007 1:49 PM
  •  

    If you move the file to a different location or if you point the program directly to the system32 folder the error does not occur.

    I used Process Explorer. When I run my application w3wp.exe starts to run and is not disabled unless I end the process in the task manager.

    Thanks

    Friday, September 07, 2007 1:54 PM
  • Another perhaps simpler way to get the answer is to enable security auditing on the system32 folder.  Then you will get an event log entry saying "UserX failed to write to file Y".  Then it is a simple matter to grant UserX write access to the folder.

    However I have to agree with previous poster this is a recipe for disaster.  Granting anonymous users the ability to write to the system32 folder violates basic security principles.  Sooner or later some hacker will discover this hole in your system and exploit it.

    I would fashion a solution in a more robust fashion as follows:

    1. Web page uses some API to perform the action that you expose.  Call this the WriteToFile API action.  The WriteToFile API only allows user to pass minimum information to it.  This is your first defense in depth measure.

    2. WriteToFile API is hosted in some other context that impersonates a specific user that is granted right to perform the operation.  Code is written to ensure it only writes to certain files and has lots of security boundary checks, considers all inputs suspect, etc...

    If the operation does not have to be synchronous, I would consider having the anonymous request write some record to a database and have some other batch process perform the operation (read from database then perform the operation).

    Friday, September 07, 2007 9:29 PM
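
The auditing step suggested in the reply above, as an added example that is not part of the original post: it turns on failure auditing for writes to one file and then lists which account and process were denied. It assumes Windows Vista/Server 2008 or later (Security event ID 4656), an elevated session, and English-language names for the audit subcategory and the Everyone group; the function names and the temp-file target are illustrative.

```powershell
# Added example. Run elevated: editing a SACL needs SeSecurityPrivilege, and
# auditpol changes the system-wide audit policy.
function Enable-WriteFailureAudit {
    param([string]$Path)
    # Subcategory name as shown on English-language Windows.
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'Write', 'Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DeniedAccess {
    param([string]$Path, [int]$MaxEvents = 500)
    $filter = @{
        LogName  = 'Security'
        Id       = 4656                 # "A handle to an object was requested"
        Keywords = 4503599627370496     # Audit Failure (0x10000000000000)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -eq $Path) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Process = $data['ProcessName']
                    Object  = $data['ObjectName']
                }
            }
        }
}

# Constructed stand-in; point $target at the file the application writes.
$target = Join-Path $env:TEMP 'audit-demo-settings.xml'
Set-Content -LiteralPath $target -Value '<settings/>'
Enable-WriteFailureAudit -Path $target

# Reproduce the failing request, then list who was denied:
Get-DeniedAccess -Path $target | Sort-Object Time -Descending | Select-Object -First 5
```

The Account column shows the identity the worker process actually ran as, which is the one to give file-level rights.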
  • Just out of interest why does the web application that runs look to the folder inetsrv and not system32?

    Any ideas?

    Thanks

    Wednesday, September 26, 2007 8:34 AM
  • Look to the folder for what? The file you are writing to?

     

    Could you post some code so that we can see what you are doing?

     

     

    Wednesday, September 26, 2007 12:33 PM
  • Been experimenting and found the following out.

    The web application is written in Studio 2003 code and writes to a file in system32 folder. For some reason when this runs, using filemon I can see that it looks for the path system32/inetsrv/35.

    The file I'm trying to write to is an XML file in the system32 directory.

    I have no idea why it does this.

    However if the exact same code is copied into a Visual Studio 2005 web application and .NET Framework 2 is installed the program works. It writes to system32 where the file is stored.

    Any ideas as to why the 2003 code with the .NET Framework 1 points to the inetsrv folder?

    Thanks

    Phil

    Friday, September 28, 2007 8:35 AM