: I really looked hard. There is no way to get NETWORK SERVICE to be a member
: of the group. It will not appear in the list of users/group when trying to
[quoted text clipped - 58 lines]
: > : Regards,
: > : Larry
Thanks Ken, please read inline...
> What are you talking about?
Go to AD - Users & Computers
open IIS_WPG
click the "Members" tab.
---->Can't add "NETWORK SERVICE"
I can do this in Win2003 - non SBS flavors.
> I am asking you to locate the relevant Web App
> Pool in your IIS Manager, right-click choose Properties, and go to the
> "Identity" tab. In the "Preconfigured" drop-down list, what options are
> available?
Yes, I was aware of this and I see what you are probably seeing -
network service
local service
local system
Currently, "network service" is selected and I believe was the default since
I never changed it.
> In terms of adding Network Service to IIS_WPG - that's not possible AFAIK.
It is possible (and the default I think) on Win2003 - non SBS.
Also, what does AFAIK mean?
> That's got nothing to do with a security patch. It's because Network Service
> is treated as a foreign security principal from an external trusted domain,
> not from your AD domain.
I wish I fully understood that statement...:)
Also, another network admin told me that on another install of SBS2003 that
"network service" WAS a member of IIS_WPG, which is why I was wondering if
there was a change or he was seeing things.
>However I will ask to see if this is possible to do.
This is exactly what I was describing - how it's seemingly impossible to do
this.
> Cheers
> Ken
Thank you for your time!
-Larry
Ken Schaefer - 23 Feb 2006 00:53 GMT
: Thanks Ken, please read inline...
:
[quoted text clipped - 5 lines]
: ---->Can't add "NETWORK SERVICE"
: I can do this in Win2003 - non SBS flavors.
Can you do this on a Windows 2003 *Domain Controller*? I wasn't aware that
you could. You should be able to do this on a Windows 2003 member server.
: > I am asking you to locate the relevant Web App
: > Pool in your IIS Manager, right-click choose Properties, and go to the
[quoted text clipped - 14 lines]
: It is possible (and the default I think) on Win2003 - non SBS.
: Also, what does AFAIK mean?
AFAIK - As far as I know.
: > That's got nothing to do with a security patch. It's because Network Service
: > is treated as a foreign security principal from an external trusted domain,
[quoted text clipped - 4 lines]
: "network service" WAS a member of IIS_WPG, which is why I was wondering if
: there was a change or he was seeing things.
Network Service should be part of the IIS_WPG group - I checked on my
SBS2003 box.
Cheers
Ken
Larry - 23 Feb 2006 01:39 GMT
> : Thanks Ken, please read inline...
> :
[quoted text clipped - 8 lines]
> Can you do this on a Windows 2003 *Domain Controller*? I wasn't aware that
> you could. You should be able to do this on a Windows 2003 member server.
My test Win2003 box is not a domain controller.
> : > I am asking you to locate the relevant Web App
> : > Pool in your IIS Manager, right-click choose Properties, and go to the
[quoted text clipped - 33 lines]
> Network Service should be part of the IIS_WPG group - I checked on my
> SBS2003 box.
hmmm... it's not on this SBS2003 box...but it was on another, and it is on
yours, and I can't add it...
oh well, there seems to be no clear answer.
Perhaps a Microsoft expert can explain why the variation exists, now that
it's been proven I am not seeing things.
Thanks,
Larry
Ken Schaefer - 23 Feb 2006 03:51 GMT
: > : Thanks Ken, please read inline...
: > :
[quoted text clipped - 10 lines]
:
: My test Win2003 box is not a domain controller.
I suspected as much. The reason you can't add Network Service to IIS_WPG on
your SBS2003 box is because it is a Domain Controller, not because it's an
SBS2003 box.
: > : > That's got nothing to do with a security patch. It's because Network Service
: > : > is treated as a foreign security principal from an external trusted
[quoted text clipped - 16 lines]
: Perhaps a Microsoft expert can explain why the variation exists, now that
: it's been proven I am not seeing things.
Well, if you remove Network Service from the IIS_WPG group, then you won't
be able to add it back in. Or perhaps some error occurred during setup, and
it was never added in the first place.
I tried using ADSIEdit to alter the "memberOf" property of the Network
Service account, but you get an error saying that this property is owned by
the System, and can't be modified. Perhaps if you run a script under the
LocalSystem account, you may be able to update the memberOf property of
Network Service, so as to be able to add it to non-built-in Domain Local
groups.
Cheers
Ken
: Thanks,
: Larry
Larry - 23 Feb 2006 15:40 GMT
I appreciate your insight and help!
Thanks
Larry
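
The thread above describes Network Service as being treated as a foreign security principal on a domain controller, and as something that should be a member of IIS_WPG. One way to check that membership without the GUI, as an added example that is not part of the original thread: it assumes PowerShell with ADSI access to the domain and that the membership is stored as a foreign security principal entry named by SID (S-1-5-20 is the well-known SID of NETWORK SERVICE). The function names and the sample DNs are made up for illustration.

```powershell
# Added example, not from the thread.
$TargetSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
$GroupName = 'IIS_WPG'    # group discussed in the thread

# Return the member DNs that are foreign security principal entries for $Sid.
# AD names such objects CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>.
function Find-FspMember {
    param([string[]]$MemberDn, [string]$Sid)
    $prefix = "CN=$Sid,CN=ForeignSecurityPrincipals,"
    foreach ($dn in $MemberDn) {
        if ($dn -and $dn.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $dn
        }
    }
}

# Read the group's 'member' attribute from the domain this machine belongs to.
# Small groups only: very large groups need ranged retrieval, not handled here.
function Get-GroupMemberDn {
    param([string]$Group)
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Group))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Group '$Group' not found in $domainDn" }
    @($result.Properties['member'])
}

# Constructed sample 'member' values (account and domain names are placeholders).
$sample = @(
    'CN=SampleAppPoolAccount,CN=Users,DC=example,DC=local',
    'CN=S-1-5-20,CN=ForeignSecurityPrincipals,DC=example,DC=local'
)
Find-FspMember -MemberDn $sample -Sid $TargetSid   # offline check on the sample

# On the domain controller, query the live group instead:
# Find-FspMember -MemberDn (Get-GroupMemberDn $GroupName) -Sid $TargetSid
```

An empty result from the live query means the group has no direct S-1-5-20 entry, which matches the situation Larry reports on his SBS2003 box.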