System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at NetFwTypeLib.INetFwRule.set_RemoteAddresses(String remoteAddrs)

  • Question

  • User1027374711 posted

    Hello,

    I want to add IPs into a firewall rule to block access, but I get the exception even after adding IIS APPPOOL\Account to the DCOM security

    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at NetFwTypeLib.INetFwRule.set_RemoteAddresses(String remoteAddrs)

    What else can be done to solve it?

    Thank you

    Tuesday, November 24, 2020 2:27 PM

Answers

  • User753101303 posted

    Hi,

    From what I see, you can give access to that by adding the needed account to the "Network configuration operators" group. Not sure what is your current approach with dcomcnfg (you try to configure impersonation?).

    This is a core feature of your app or a one time setup?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 6:08 PM

All replies

  • User1027374711 posted

    1) "Not sure what is your current approach with dcomcnfg (you try to configure impersonation ?)" - yes, I added my app pool account to the Custom permissions

    2) "This is a core feature of your app or a one time setup?" - this is a feature of my web app to add IPs to "black list" - on windows firewall

    3) " you can give access to that by adding the needed account to the "Network configuration operators" group" - will try and let you know

    thank you

    Tuesday, November 24, 2020 6:40 PM
  • User475983607 posted

    vozmen

    I want to add IPs into a firewall rule to block access, but I get the exception even after adding IIS APPPOOL\Account to the DCOM security

    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at NetFwTypeLib.INetFwRule.set_RemoteAddresses(String remoteAddrs)

    What else can be done to solve it?

    In Distributed COM the service can use the Network Services account and impersonation. The virtual app pool identity that invokes the DCOM app becomes a machine to machine access. The configuration is network/security admin setting.

    I recommend contacting your system admin for support.

    Tuesday, November 24, 2020 7:27 PM
  • User1027374711 posted

    I'm the admin as well ;)

    so have to figure out this myself

    Tuesday, November 24, 2020 7:29 PM
  • User475983607 posted

    I'm the admin as well ;)

    so have to figure out this myself

    Did you verify the two machines can talk to each other?

    I typically create a VBScript test app that runs as an admin. Once you get the test app working then getting the web app to work is usually pretty simple.

    Tuesday, November 24, 2020 7:35 PM
  • User1027374711 posted

    "Did you verify the two machines can talk to each other?" - this is the same machine

    Tuesday, November 24, 2020 7:45 PM
  • User475983607 posted

    DCOM is distributed COM for executing remote procedures as if the procedure is local.  What exactly are you trying to do?  Perhaps you need to contact support for the DCOM component you are trying to invoke.

    Tuesday, November 24, 2020 7:57 PM
  • User1027374711 posted

    I need my web app to just simply add IP addresses to a local Windows Firewall rule - kind of a "black list"

    Tuesday, November 24, 2020 8:02 PM
  • User475983607 posted

    I need my web app to just simply add IP addresses to a local Windows Firewall rule - kind of a "black list"

    I do not see a set_RemoteAddresses only a put_RemoteAddresses in INetFwRule.  What reference documentation are you using?

    Tuesday, November 24, 2020 8:16 PM
  • User1027374711 posted

    it is COM Interop.NetFwTypeLib in C# for the FirewallAPI.dll

    Wednesday, November 25, 2020 7:18 AM
  • User1027374711 posted

    just in case here is my code:

        // Needs a COM reference to NetFwTypeLib (FirewallAPI.dll) and: using System; using System.Linq; using NetFwTypeLib;
        INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
        string ruleName = "Block SPAM IPs";
        // UserHostAddress is the client's IP address; UserHostName is its DNS name and may not be an address.
        string remote_ip = Request.UserHostAddress;
        INetFwRule firewallRule = firewallPolicy.Rules.OfType<INetFwRule>().FirstOrDefault(x => x.Name == ruleName);

        if (firewallRule == null)
        {
            firewallRule = (INetFwRule)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule"));
            firewallRule.Name = ruleName;
            firewallRule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
            // Scope the rule before adding it: a new rule's RemoteAddresses defaults to "*" (any address).
            firewallRule.RemoteAddresses = remote_ip;
            firewallRule.Enabled = true;
            firewallPolicy.Rules.Add(firewallRule);
        }
        else if (!firewallRule.RemoteAddresses.Split(',').Any(a => a.Split('/')[0] == remote_ip))
        {
            // Compare whole entries (they may come back as address/mask) rather than substrings.
            firewallRule.RemoteAddresses += "," + remote_ip;
        }

    Wednesday, November 25, 2020 10:58 AM
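
Added example, not part of the thread or of the poster's code: one way to validate an address and merge it into a rule's comma-separated RemoteAddresses value by whole-entry comparison, so the result can then be assigned to the rule. The names `FirewallBlockList` and `Merge` and the sample addresses are made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class FirewallBlockList
{
    // Returns the new RemoteAddresses value, or null when nothing should change.
    // 'current' is the rule's existing RemoteAddresses string; 'candidate' is the address to block.
    public static string Merge(string current, string candidate)
    {
        // Accept only a literal IP address; host names, ranges and "*" are rejected.
        if (!IPAddress.TryParse((candidate ?? "").Trim(), out IPAddress ip))
            return null;
        // Never add the server's own loopback or an unspecified address.
        if (IPAddress.IsLoopback(ip) || ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any))
            return null;

        var entries = new List<string>();
        foreach (string raw in (current ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string entry = raw.Trim();
            if (entry == "*") continue;   // "*" means any address; drop it so the rule stays scoped
            // Existing entries may be in address/mask form; compare the address part only.
            string addressPart = entry.Split('/')[0];
            if (IPAddress.TryParse(addressPart, out IPAddress existing) && existing.Equals(ip))
                return null;              // already listed
            entries.Add(entry);
        }
        entries.Add(ip.ToString());       // normalized textual form
        return string.Join(",", entries);
    }

    public static void Main()
    {
        // Constructed sample values, not taken from a real rule.
        string current = "203.0.113.7/255.255.255.255,198.51.100.20/255.255.255.255";
        Console.WriteLine(Merge(current, "203.0.113.70") ?? "(no change)"); // similar prefix, new entry
        Console.WriteLine(Merge(current, "203.0.113.7") ?? "(no change)");  // already present
        Console.WriteLine(Merge("*", "192.0.2.5") ?? "(no change)");        // replaces the wildcard
        Console.WriteLine(Merge(current, "example.test") ?? "(no change)"); // not an IP address
    }
}
```
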
  • User753101303 posted

    It doesn't seem to be the primary purpose of this web app so I would rather configure something such as https://docs.microsoft.com/en-us/iis/manage/configuring-security/using-dynamic-ip-restrictions at the IIS level.

    If I really wanted to do that my first try would be to add the application pool account to the "Network Configuration Operators" (may need a pool recycle).

    Wednesday, November 25, 2020 11:18 AM
  • User1027374711 posted

    "It doesn't seem to be the primary purpose of this web app so I would rather configure something such as https://docs.microsoft.com/en-us/iis/manage/configuring-security/using-dynamic-ip-restrictions at the IIS level." - I have my own very precise technique of identification of SPAM requests so it cannot be solved via the mentioned feature of IIS or any similar

    "add the application pool account to the "Network Configuration Operators"" - added, now only need to wait until next spam-request detected

    Wednesday, November 25, 2020 11:31 AM
  • User753101303 posted

    Ok, was in case you didn't know about this option. You could also consider doing a quick technical test without waiting, especially in case it would not be enough for some reason.

    Wednesday, November 25, 2020 1:05 PM
  • User1027374711 posted

    adding to the "Network configuration operators" group - did not help :(

    any other ideas?

    Thursday, November 26, 2020 10:23 AM
  • User1027374711 posted

    running as EXE under admin account works well

    so it seems there is no way to implement it besides using an admin account only

    Thursday, November 26, 2020 12:09 PM
  • User1027374711 posted

    please, pay attention that you may need to reboot your server 

    Hi,

    From what I see, you can give access to that by adding the needed account to the "Network configuration operators" group. Not sure what is your current approach with dcomcnfg (you try to configure impersonation?).

    This is a core feature of your app or a one time setup?

    Thursday, November 26, 2020 2:25 PM