Security-Related Changes in Access Control
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
IIS 6.0 improves security by changing access control requirements for executables and CGI processes. These changes can affect existing applications that might require less restrictive permissions.
Access Is Restricted for Executables
Windows Server 2003 requires a user to be a member of the Administrators group to run most command-line executables in the System folder, so remote access is limited to administrators. This might affect you if your application uses command-line tools from a Web page. To work around this issue, change the ACL for the executable by using an ACL editing tool, such as the cacls command. For more information about ACLs and ACL editing tools, see Access Control in IIS 6.0.
Access Is Restricted for Nondefault Identities for CGI Processes
IIS 6.0 worker processes use the CreateProcessAsUser API to start CGI processes. For a call to CreateProcessAsUser to succeed, the identity of the calling worker process must hold the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME user rights. The Network Service, Local Service, and LocalSystem user accounts have these user rights. If you change the identity of a worker process and want to run CGI processes, ensure that the new identity has these two user rights. You can assign user rights by using the Local Security Settings snap-in in Windows Server 2003.
For more information about configuring user rights for identities that run CGI processes, see Configuring User Rights for Nondefault Identities to Run CGI Processes.
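The following script is an added example, not part of the original documentation. It checks whether a nondefault worker process identity is directly assigned the two user rights described above, which Local Security Settings lists as "Replace a process level token" and "Adjust memory quotas for a process". It assumes Windows PowerShell is installed and the script is run as an administrator; the account name CONTOSO\svc-apppool is a hypothetical placeholder.

```powershell
# Added example: audit the user rights CreateProcessAsUser needs for CGI.
param(
    # Hypothetical placeholder: replace with your worker process identity.
    [string]$Identity = 'CONTOSO\svc-apppool'
)

# Names secedit writes for the two rights, mapped to the page's constants.
$required = @{
    'SeAssignPrimaryTokenPrivilege' = 'SE_ASSIGNPRIMARYTOKEN_NAME'
    'SeIncreaseQuotaPrivilege'      = 'SE_INCREASE_QUOTA_NAME'
}

# Resolve the account to a SID; secedit lists most holders as *<SID>.
$account = New-Object System.Security.Principal.NTAccount($Identity)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area of the local security policy.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

try {
    $lines = Get-Content $inf
    $missing = @()
    foreach ($right in $required.Keys) {
        # Lines look like: SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
        # Direct assignment only: a right granted through a group the
        # account belongs to is not detected by this comparison.
        if (($holders -contains $sid) -or ($holders -contains $Identity)) {
            Write-Output "OK       $right ($($required[$right]))"
        } else {
            Write-Output "MISSING  $right ($($required[$right]))"
            $missing += $right
        }
    }
    if ($missing.Count -gt 0) {
        Write-Output "$Identity cannot start CGI processes until these rights are assigned."
    }
}
finally {
    # Remove the exported policy file so it is not left in TEMP.
    Remove-Item $inf -ErrorAction SilentlyContinue
}
```

A MISSING result for an account that receives the right through group membership is a false negative of this direct-assignment check; confirm in the Local Security Settings snap-in before changing policy.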