The Ethical Hacker Network

BillV

Hero Member

Offline

Posts: 1892

IIS Problems

« on: March 25, 2010, 06:17:43 AM »

I'm hoping someone will be able to help solve this problem I'm having, because it's driving me absolutely insane. I have been fighting with this for over a week now and cannot for the life of me figure out what setting is not configured properly.

My problem is that my IUSR and IWAM accounts are included in the Administrators group. Big issue, obviously. If I remove them, everything fails. I either can't access the site (IUSR) or the application doesn't work (IWAM). This is what my logs show me for each:

IUSR:

Quote

Logon Failure:
    Reason:      User not allowed to logon at this computer
    User Name:   IUSR_CRA-SRV
    Domain:      CRA
    Logon Type:   8
    Logon Process:   Advapi
    Authentication Package:   Negotiate
    Workstation Name:   CRA
    Caller User Name:   IWAM_CRA-SRV
    Caller Domain:   CRA
    Caller Logon ID:   (0x0,0x755F16)
    Caller Process ID:   7392
    Transited Services:   -
    Source Network Address:   -
    Source Port:   -

IWAM:

Quote

Logon Failure:
    Reason:      User not allowed to logon at this computer
    User Name:   IWAM_CRA-SRV
    Domain:      CRA
    Logon Type:   4
    Logon Process:   Advapi
    Authentication Package:   Negotiate
    Workstation Name:   CRA
    Caller User Name:   CRA$
    Caller Domain:   CRA
    Caller Logon ID:   (0x0,0x3E7)
    Caller Process ID:   8456
    Transited Services:   -
    Source Network Address:   -
    Source Port:   -

The first thing that stood out to me in those errors were the types. A 4 is supposedly a batch job and an 8 is NetworkClearText.

There are a couple of other messages I get when the IWAM is taken out, saying that my application pool is invalid but I think the root cause is the error above.

I have changed user right assignments, passwords, users, permissions as much as I can think to and still haven't been able to get it resolved. Most of the advice I received elsewhere was that I had something out of sync but how would an out-of-sync password/account be the issue if it works with admin privileges? It just seems to me there's another setting that I might be missing somewhere. All I know is that my final solution is about to be taking a bat to the computer

Any suggestions are certainly welcome and greatly appreciated!

Thanks,
Bill


	Logged

Armando

Jr. Member

Offline

Posts: 83

Founder of eLearnSecurity

Re: IIS Problems

« Reply #1 on: March 25, 2010, 08:21:30 AM »

Hi Bill,
What's your setup? IWAM makes me think of IIS 6. Right?

Where are IUSR and IWAM located?
IUSR should be in Users group, while IWAM should ne in IIS_WPG group.

Do you have any ISAPI being loaded by the webserver?


	Logged

Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #2 on: March 25, 2010, 09:22:21 AM »

Hey Armando,

Thanks for the reply. You are correct, IIS6 on a Server 2003 box.

IUSR is actually in both, Users and WPG. IWAM is only in WPG.

There is no ISAPI in use.


	Logged

Armando

Jr. Member

Offline

Posts: 83

Founder of eLearnSecurity

Re: IIS Problems

« Reply #3 on: March 25, 2010, 11:30:32 AM »

Hi Bill,
it's a pleasure if I can help.

IUSR should definitely not be in the WPG group.
You put Pool identities into WPG.

Let's call IUSR_mysite the anon user and IWAM_mysite the pool identity.

Try this setup:

1. Create IUSR_mysite with a pass

2. Go to your website in IIS and pick this user as the anonymous user.
Make sure to re-insert the password at step 1 into IIS for this user
IUSR should have access to the website folder. IWAM should NOT.

3. Create a IWAM user, say IWAM_mysite and assign a password

4. Create an application pool and use the identity at step 3. Use the password at step 3 (password is not automatically gathered by IIS).

5. Go to the Home Directory of your website and select the created application pool

6. If you use PHP, WPG group should have the rights to read the PHP executable and the php.ini (not IUSR).

Let me know if you can figure out what's wrong from the above.

Hope this helps


	Logged

Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #4 on: March 25, 2010, 12:15:11 PM »

Thanks again. I appreciate your suggestions. These are things I have tried, but I did go back through that list and do it again just to be sure. I still receive the same results.

In addition to the errors posted above, which I think is where the underlying issue is (not being able to logon), I also get the below errors in my system log. I don't think it has anything to do with identity's and their passwords, as everything logs in and works perfectly - if they are added to the admin group. If not in the admin group, they can't logon. I even tried a simple 'runas' command to open a prompt as the IUSR and that too failed.

Quote

The identity of application pool, 'DefaultAppPool' is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

The identity of application pool 'DefaultAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.

A failure was encountered while launching the process serving application pool 'DefaultAppPool'. The application pool has been disabled.


« Last Edit: March 25, 2010, 12:17:24 PM by BillV »	Logged

Armando

Jr. Member

Offline

Posts: 83

Founder of eLearnSecurity

Re: IIS Problems

« Reply #5 on: March 25, 2010, 12:26:58 PM »

OK.
What is the message that you receive in your web browser?


	Logged

Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #6 on: March 25, 2010, 12:49:36 PM »

Service Unavailable.

The main site/application is run from that Default Application Pool. So if that can't start, the application doesn't work.


	Logged

Ketchup

Hero Member

Offline

Posts: 1021

Re: IIS Problems

« Reply #7 on: March 25, 2010, 08:04:22 PM »

Is uninstalling IIS and reinstalling it an option? It shouldn't be that big of a deal if your data is backed up, unless you have customized application pools.


	Logged

~~~~~~~~~~~~~~
Ketchup

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #8 on: March 26, 2010, 05:34:26 AM »

I don't think I can, but I will explore that with our vendor. There are several different application pools (they did all the configurations for their application), so I'm not sure what effort/time would be required to bring those back up.


	Logged

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #9 on: March 26, 2010, 08:54:57 AM »

Okay, I believe my problems are beyond IIS... something misconfigured within Windows. I cannot schedule a task to run as a user account, and I cannot even login with a normal user account. If I create a normal user, grant the 'logon locally' privilege and then attempt to login, this is what I get in the system logs:

Quote

Logon Failure:
    Reason:      User not allowed to logon at this computer
    User Name:   tasks
    Domain:      CRA
    Logon Type:   10
    Logon Process:   User32
    Authentication Package:   Negotiate
    Workstation Name:   CRA
    Caller User Name:   CRA$
    Caller Domain:   CRA
    Caller Logon ID:   (0x0,0x3E7)
    Caller Process ID:   6364
    Transited Services:   -
    Source Port:   12309

At login, I receive an error stating "your account is configured to prevent you from using this computer."

So... I'm searching on that one now Huh


	Logged

BillV

Hero Member

Offline

Posts: 1892

Re: IIS Problems

« Reply #10 on: March 26, 2010, 09:31:24 AM »

GOT IT!!!

http://support.microsoft.com/?id=285665

Quote

Disable the following Group Policy setting on either the default domain or the domain controller organizational unit:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shut down your system immediately if unable to log security audits
You can find this policy on the default domain policy, default domain controller policy, and local security policy.

That did it. That damn policy was something I had recently changed per a checklist item. Apparently that's what was causing my issues.

Everything is back to normal and running as non-privileged users.

Armando and Ketchup, thank you both for your help and suggestions!!

Good thing it's Friday, I need a drink Cheesy


	Logged

hayabusa

Hero Member

Offline

Posts: 1633

Re: IIS Problems

« Reply #11 on: March 26, 2010, 10:46:16 AM »

<grin> Have a few for the rest of us, while you're at it... it's been a terrible week!


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

sgt_mjc

Sr. Member

Offline

Posts: 294

Re: IIS Problems

« Reply #12 on: March 30, 2010, 09:58:13 PM »

Bill,

Check user rights. I found that on my box, IUSR was a member of the guest group and guests where denied access to the system both locally and over the network.


	Logged

Mike Conway
CISSP
CompTia Security +
C|EH

Pages: [1] Go Up

« previous next »