NOTE: IF NOT FAMILIAR WITH IISCERTDEPLOY.VBS, REVIEW THE FOLLOWING WEBCAST IN THE IIS WEBCAST SERIES TO UNDERSTAND WHY YOU SHOULD BE USING IT.
Disaster Recovery and IIS 6.0: Metabase Backups in a Nutshell
With Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, many things that used to “just work” will simply begin to fail, leaving you out of luck. This is happening to a lot of customers running IIS, because web applications often use some aspect of COM and DCOM. The major change in the Component Services (COM) space concerns what a caller is allowed to do when accessing a component remotely. In the case above, IIsCertDeploy calls a built-in COM object that talks to the Crypto API. This worked with no problem when run locally on the server, but failed every time when run from a remote machine.
In this example, the failure occurred because the IIsCertDeploy COM object lacked the permission to be called remotely. This is the difference between running an action interactively (at the desktop) and running it remotely (typically as an anonymous caller, unless the caller is specifically authenticated).
To correct this problem, the following had to be done:
1). To see the COM+ settings (as well as DCOM), click Start, then Run, and type ‘dcomcnfg’
2). Navigate by double-clicking Component Services, then My Computer, then locate DCOM Config and expand it
3). This exposes all the COM objects registered in the registry
4). In this case, the customer located IIsCertDeploy, right-clicked it and chose Properties
5). Under the Security tab you will find the key change between RTM and SP1: Access Permissions
6). Clicking ‘Customize’, then Edit, brings up the permission entries
The view here should look familiar (think file security permissions), though instead of rights such as Read and Write you see “Local Access” and “Remote Access.” If the object does not have the “Allow” right for Remote Access, then any call from a remote computer will fail with an error.
Every admin, and even every developer, should become intimately familiar with the “Book of SP1,” which outlines the changes that occurred in SP1 (and SP2 for XP). These changes will not go away, as they are our (MS) approach to reducing the attack surface of Windows out of the box.
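The same check, and the same fix, can be done without clicking through dcomcnfg. The script below is an added example written for this post, not code from the original article or from the iiscertdeploy.vbs script: it finds the DCOM application whose friendly name contains “IIsCertDeploy” under HKCR\AppID, decodes its AccessPermission security descriptor, reports which entries carry Local Access and Remote Access, and with -Fix appends an allow entry for a principal you name. The principal value is a placeholder you must replace; the AppID is located by name rather than by a hard-coded GUID. It needs an elevated PowerShell on the server to write the value back.

```powershell
# Added example (not part of the original post): inspect and optionally fix the
# DCOM "Access Permissions" of an application from PowerShell instead of dcomcnfg.
# Assumptions: the application's friendly name contains $AppName, and the
# principal to grant is supplied by the caller (placeholder, not from the post).
param(
    [string]$AppName   = 'IIsCertDeploy',   # substring of the DCOM application name
    [string]$Principal = '',                # e.g. 'DOMAIN\svc-certdeploy' (placeholder)
    [switch]$Fix                            # without -Fix the script only reports
)

# Access-permission bits used by DCOM (values from the Windows SDK).
$COM_RIGHTS_EXECUTE        = 0x01
$COM_RIGHTS_EXECUTE_LOCAL  = 0x02   # shown as "Local Access" in dcomcnfg
$COM_RIGHTS_EXECUTE_REMOTE = 0x04   # shown as "Remote Access" in dcomcnfg

function Get-DcomAppKey([string]$Name) {
    # DCOM Config entries live under HKCR\AppID\{guid}; the key's default value
    # is the friendly name that dcomcnfg displays.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' |
        Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -like "*$Name*" }
}

function ConvertTo-Sd([byte[]]$Bytes) {
    # AccessPermission is a self-relative security descriptor stored as REG_BINARY.
    New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
}

function Show-AccessAces($sd) {
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $local  = ($ace.AccessMask -band $COM_RIGHTS_EXECUTE_LOCAL)  -ne 0
        $remote = ($ace.AccessMask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0
        '   {0,-14} {1,-40} Local={2,-5} Remote={3}' -f $ace.AceType, $who, $local, $remote
    }
}

# SP1 also added machine-wide limits ("Edit Limits" on My Computer); a customized
# per-application ACL cannot grant more than these allow.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
if ($ole.MachineAccessRestriction) {
    '== Machine-wide access limits (HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction)'
    Show-AccessAces (ConvertTo-Sd $ole.MachineAccessRestriction)
} else {
    '== Machine-wide access limits not customized; built-in SP1 defaults apply.'
}

$keys = @(Get-DcomAppKey $AppName)
if ($keys.Count -eq 0) { throw "No DCOM application matching '$AppName' found under HKCR\AppID" }

foreach ($key in $keys) {
    $props = Get-ItemProperty $key.PSPath
    '== {0} ({1})' -f $props.'(default)', $key.PSChildName
    if ($props.AccessPermission) {
        $sd = ConvertTo-Sd $props.AccessPermission
        Show-AccessAces $sd
    } else {
        '   No per-application AccessPermission value: machine default access permissions apply'
        '   (dcomcnfg shows "Use Default"; "Customize" creates this value).'
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor('O:BAG:BAD:')
    }

    if ($Fix) {
        if (-not $Principal) { throw '-Fix requires -Principal' }
        $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
        $mask = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE
        $ace  = New-Object System.Security.AccessControl.CommonAce(
                    [System.Security.AccessControl.AceFlags]::None,
                    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
                    $mask, $sid, $false, $null)
        if ($null -eq $sd.DiscretionaryAcl) {
            $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(2, 1)
            $sd.SetFlags($sd.ControlFlags -bor [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent)
        }
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
        $bytes = New-Object byte[] $sd.BinaryLength
        $sd.GetBinaryForm($bytes, 0)
        Set-ItemProperty -Path $key.PSPath -Name AccessPermission -Value $bytes -Type Binary
        "   Granted Local Access + Remote Access to $Principal; re-run without -Fix to verify."
    }
}
```

Run it once without -Fix to see who currently has Remote Access on the object and on the machine-wide limits; an allow entry on the application that is not also permitted by the limits will still be refused on SP1. Grant the right to the specific account the remote script runs as rather than to Everyone or ANONYMOUS LOGON, which is exactly the exposure the service pack was closing. The sibling LaunchPermission value uses the same layout with the launch and activation bits, and is not touched here.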
Good References:
- DCOM Security Enhancements
- DCOM Architecture
- DCOM Technical Overview
- Security Developer Center: Windows Server 2003 SP 1
~Chris