Secure Batch Files Return Access Denied Error Message (166491)



The information in this article applies to:

  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0

This article was previously published under Q166491
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

Batch files that are implemented as Common Gateway Interface (CGI) applications on an Internet Information Server (IIS) computer will always return an Access Denied error message if they are secured using NTFS file security and the Anonymous user does not have access rights to the batch files. The Access Denied error message is returned regardless of the authentication scheme (Basic or Challenge Response) configured on the IIS server. The following is the error page returned to the client:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
Access is denied.

CAUSE

The error occurs because CGI applications are not access checked before being executed. IIS relies on the request handler in w3svc to access check a request and return an error indicating authentication is required to access the requested object.

In this case, the requested object is a batch file, which is handled differently from other requests. To process a batch file, IIS must run the command interpreter (Cmd.exe), and it needs an extra thread (the CGI Gateway Thread) to monitor and return any output that the batch file generates. Because Cmd.exe itself is not secured, it will execute without a failure and IIS will start the CGI Gateway Thread. The error results when Cmd.exe attempts to process the secure batch file. Cmd.exe silently fails to process the batch file; however, the CGI Gateway Thread is still waiting for output from the batch file. Eventually the CGI Gateway Thread fails and returns a Gateway Error to the requesting client with the Access Denied error message.

WORKAROUND

To work around this problem, first upgrade to IIS 3.0 (if you have not already done so) and install IIS 3.0 Active Server Pages (ASP). Then use the new server-side include "execute" functionality to force a security check before the batch file is executed, as follows:
  1. Install Windows NT 4.0 Service Pack 2, then shut down and restart.
  2. Install Active Server Pages (ASP) from the Service Pack 2 CD by running iis30\asp\aspsetup.bat.
  3. Create an .stm file (for example, Test.stm) for every secure batch file used. The .stm file should contain the following text to execute a batch file.

    Example .stm file:
    <!--#exec cgi="/scripts/test.cmd"-->

  4. Place the .stm file in the /scripts directory on your server (or another directory with execute permissions).
  5. Set the NTFS security on the .stm file to match the security on the batch file.
  6. Call the .stm file from HTML pages instead of calling the batch files directly.

    Example HTML document:
    <html>
    <form action="/scripts/test.stm" method="get">
    <input type="submit">
    </form>
    </html>
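
The following is an added example, not part of the original article or Microsoft's code. Run against an offline copy of the site content, it reports batch files that no .stm file executes (step 3) and pages that still call a batch file directly (step 6). It assumes URL paths map one-to-one onto files under the copied content root; the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

BATCH_EXT = {".cmd", ".bat"}
# SSI directive from step 3, e.g. <!--#exec cgi="/scripts/test.cmd"-->
EXEC_CGI = re.compile(r'<!--\s*#exec\s+cgi\s*=\s*"([^"]+)"\s*-->', re.I)
# URL-valued attributes through which a page can call a script directly
URL_ATTR = re.compile(r'\b(?:action|href|src)\s*=\s*["\']?([^"\'\s>]+)', re.I)

SAMPLE = {  # constructed sample site, not taken from the article
    "scripts/test.cmd": "@echo off\n",
    "scripts/test.stm": '<!--#exec cgi="/scripts/test.cmd"-->\n',
    "scripts/report.bat": "@echo off\n",
    "index.html": '<form action="/scripts/test.stm" method="get"></form>\n',
    "old.htm": '<a href="/scripts/Report.bat?x=1">run</a>\n',
}

def write_sample(root):
    """Write the constructed SAMPLE tree under root."""
    for rel, body in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

def url_path(url):
    """Lower-cased URL path without query string or fragment."""
    return re.split(r"[?#]", url, maxsplit=1)[0].lower()

def audit(webroot):
    """Return (unwrapped batch URLs, [(page, direct batch URL), ...])."""
    root = Path(webroot)
    batch, wrapped, direct = set(), set(), []
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        ext = f.suffix.lower()
        url = "/" + f.relative_to(root).as_posix()
        if ext in BATCH_EXT:
            batch.add(url.lower())
        elif ext == ".stm":  # step 3: which batch file does it execute?
            text = f.read_text(errors="replace")
            wrapped.update(map(url_path, EXEC_CGI.findall(text)))
        elif ext in {".htm", ".html", ".asp"}:  # step 6: direct calls
            for target in URL_ATTR.findall(f.read_text(errors="replace")):
                if Path(url_path(target)).suffix in BATCH_EXT:
                    direct.append((url, target))
    return sorted(batch - wrapped), direct

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(audit(tmp))
```

The script does not read NTFS permissions, so step 5 still has to be confirmed on the server for each .stm file and its batch file.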
    
    						

STATUS

Microsoft has confirmed this to be a problem in Internet Information Server versions 2.0 and 3.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Modification Type: Minor
Last Reviewed: 6/23/2005
Keywords:kbbug kbnetwork KB166491