Message when you try to run a CGI application in IIS: "Access denied" (160422)
The information in this article applies to:
- Microsoft Internet Information Server 1.0
- Microsoft Internet Information Server 2.0
- Microsoft Internet Information Server 3.0
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services version 5.1
- Microsoft Internet Information Services version 6.0
This article was previously published under Q160422 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: SYMPTOMSWhen you try to run a CGI application in IIS, you receive the following message: Access deniedCAUSE
The problem occurs when the Anonymous account does not have rights to
the CGI. When you try to launch the CGI application, IIS uses the
Anonymous user. Because the account does not have rights to the file,
the process fails to run and an error message is returned via STDOUT.
However, to IIS the process appears to launch and terminate normally.
Because the Access Denied error message is placed in STDOUT, IIS has
no way of knowing that the process failed. Therefore, it does not try
any other authentication methods because the Anonymous account was
able to launch the process. IIS uses the createprocessasuser API
call to launch the CGI application. Createprocessasuser will
terminate normally if the user does not have NTFS rights to that
CGI/ISAPI application.
WORKAROUND
Use one of the following methods. Warning Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
Note The following is the full path to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
W3SVC\Parameters
- Modify the registry to run all applications as the system.
Under the W3SVC/Parameters, place the value CreateProcessAsUser
as a REG_DWORD and give it a value of 0. This causes the CGI to
be ran with the CreateProcess API and run in the system context.
This has serious security implications because CGI scripts will
have much greater access to the system than they normally would.
Note All users would be able to launch CGI no matter what user
they are authenticated as.
- You can also run the CGI/ISAPI from a secured web page. If you
run it from a secured web page, you will have to either be
authenticated by Basic or NT Challenge. When you click the URL
for the CGI/ISAPI, it will pass the REMOTE_USER environment
variable, and the CreateProcessAsUser API will use that user to
run the CGI. Anonymous will not be used in that instance because
a user account has already being passed to the server.
- Turn off Anonymous access to the server, and use only Basic or NT
Challenge.
Modification Type: | Major | Last Reviewed: | 6/9/2006 |
---|
Keywords: | kbprb KB160422 |
---|
|