DOCUMENT:Q166491  02-MAY-1999  [iis]
TITLE   :Secure Batch Files Return Access Denied Error Message
PRODUCT :Internet Information Server
PROD/VER:winnt:2.0,3.0
OPER/SYS:
KEYWORDS:kbnetwork

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server versions 2.0, 3.0
-------------------------------------------------------------------------------

SYMPTOMS
========

Batch files that are implemented as Common Gateway Interface (CGI)
applications on an Internet Information Server (IIS) computer will always
return an Access Denied error message if they are secured using NTFS file
security and the Anonymous user does not have access rights to the batch
files. The Access Denied error message is returned regardless of the
authentication scheme (Basic or Challenge Response) configured on the IIS
server.

The following is the error page returned to the client:

   CGI Error

   The specified CGI application misbehaved by not returning a complete
   set of HTTP headers. The headers it did return are:

   Access is denied.

CAUSE
=====

The error occurs because CGI applications are not access checked before
being executed. IIS relies on the request handler in w3svc to access check
a request and return an error indicating authentication is required to
access the requested object. In this case, the requested object is a batch
file, which is handled differently than other requests.

A batch file requires IIS to run the command interpreter (Cmd.exe) to
process, and requires an extra thread to monitor and return any output
generated by the batch file (CGI Gateway Thread). Because Cmd.exe is not
secure, it will execute without a failure and IIS will start the CGI
Gateway Thread. The error results when Cmd.exe attempts to process the
secure batch file.
Cmd.exe silently fails to process the batch file; however, the CGI Gateway
Thread is still waiting for output from the batch file. Eventually the CGI
Gateway Thread fails and returns a Gateway Error to the requesting client
with the Access Denied error message.

WORKAROUND
==========

To work around this problem, you need to first upgrade to IIS 3.0 (if you
have not already done so), install IIS 3.0 Active Server Pages (ASP), and
use the new server-side include "execute" functionality to force a security
check before executing the batch file.

To force a security check before executing the batch file:

1. Install Windows NT 4.0 Service Pack 2, then shut down and restart.

2. Install Active Server Pages (ASP) from the Service Pack 2 CD by running
   iis30\asp\aspsetup.bat.

3. Create an .stm file (for example, Test.stm) for every secure batch file
   used. The .stm file should contain the following text to execute a
   batch file.

   Example .stm file:

4. Place the .stm file in the /scripts directory on your server (or another
   directory with execute permissions).

5. Set the NTFS security on the .stm file to match the security on the
   batch file.

6. Call the .stm file from HTML pages instead of calling the batch files
   directly.

   Example HTML document:

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server
versions 2.0 and 3.0. We are researching this problem and will post new
information here in the Microsoft Knowledge Base as it becomes available.

======================================================================
Keywords          : kbnetwork
Technology        : kbiisSearch kbiis300 kbiis200
Version           : winnt:2.0,3.0
Hardware          : x86
Issue type        : kbbug

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1999.
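
The dispatch order described under CAUSE can be modelled in a few lines to show why even an authorized user receives the CGI error: no authentication challenge is ever sent, so the client never presents credentials. This is an added example, not Microsoft or IIS code; the function names, the account names, the ACL dictionary and the 401/502 status codes are assumptions made for illustration.

```python
# Added model of the dispatch order in CAUSE; names, accounts and status codes are assumptions.
ANON = "anonymous"          # constructed stand-in for the IIS Anonymous user
ERR = ("CGI Error: The specified CGI application misbehaved by not returning a "
       "complete set of HTTP headers. The headers it did return are: ")

def run_batch(acl, user, script):
    """Stand-in for Cmd.exe: it starts for any user, then fails on the secured file."""
    if user not in acl[script]:
        return b"Access is denied.\r\n"          # interpreter text, not CGI headers
    return b"Content-Type: text/plain\r\n\r\nhello\r\n"

def parse_cgi_output(raw):
    """Return (headers, body); a blank line must terminate the header block."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError(raw.decode().strip())
    headers = {}
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(line.decode())
        headers[name.strip().lower()] = value.strip()
    if not headers.keys() & {b"content-type", b"location", b"status"}:
        raise ValueError(head.decode())
    return headers, body

def gateway_unchecked(acl, user, script):
    """Order described in CAUSE: run the interpreter, learn of the denial from its output."""
    try:
        _, body = parse_cgi_output(run_batch(acl, user, script))
    except ValueError as bad:
        return 502, ERR + str(bad)               # 502 is an assumed status code
    return 200, body.decode()

def gateway_checked(acl, user, script):
    """Order the workaround forces: access-check the requested object before running it."""
    if user not in acl[script]:
        return 401, "authentication required"
    return gateway_unchecked(acl, user, script)

def client_fetch(gateway, acl, script, login=None):
    """Browser behaviour: request anonymously, send credentials only after a 401."""
    status, text = gateway(acl, ANON, script)
    if status == 401 and login:
        status, text = gateway(acl, login, script)
    return status, text

ACL = {"secure.bat": {"alice"}}                  # constructed ACL: only alice has access
```

With the constructed ACL, client_fetch(gateway_unchecked, ACL, "secure.bat", login="alice") returns the CGI error even though alice is authorized, while the same call through gateway_checked returns the batch file's output.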