Secure Batch Files Return Access Denied Error Message (166491)
The information in this article applies to:
- Microsoft Internet Information Server 2.0
- Microsoft Internet Information Server 3.0
This article was previously published under Q166491
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SYMPTOMS
Batch files that are implemented as Common Gateway Interface (CGI)
applications on an Internet Information Server (IIS) computer will always
return an Access Denied error message if they are secured using NTFS file
security and the Anonymous user does not have access rights to the batch
files. The Access Denied error message is returned regardless of the
authentication scheme (Basic or Challenge Response) configured on the IIS
server. The following is the error page returned to the client:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
Access is denied.
CAUSE
The error occurs because CGI applications are not access checked before
being executed. IIS relies on the request handler in w3svc to access check
a request and return an error indicating authentication is required to
access the requested object.
In this case, the requested object is a batch file, which is handled
differently than other requests. A batch file requires IIS to run the
command interpreter (Cmd.exe) to process, and requires an extra thread to
monitor and return any output generated by the batch file (CGI Gateway
Thread). Because Cmd.exe is not secure, it will execute without a failure
and IIS will start the CGI Gateway Thread. The error results when Cmd.exe
attempts to process the secure batch file. Cmd.exe silently fails to process
the batch file; however, the CGI Gateway Thread is still waiting for
output from the batch file. Eventually the CGI Gateway Thread fails and
returns a Gateway Error to the requesting client with the Access Denied
error message.
WORKAROUND
To work around this problem, you need to first upgrade to IIS 3.0 (if you
have not already done so), install IIS 3.0 Active Server Pages (ASP), and
use the new server-side include "execute" functionality to force a security
check before executing the batch file. To force a security check before
executing the batch file:
- Install Windows NT 4.0 Service Pack 2, then shut down and restart.
- Install Active Server Pages (ASP) from the Service Pack 2 CD by
running iis30\asp\aspsetup.bat.
- Create an .stm file (for example, Test.stm) for every secure batch file
used. The .stm file should contain the following text to execute a batch
file.
Example .stm file:
<!--#exec cgi="/scripts/test.cmd"-->
- Place the .stm file in the /scripts directory on your server (or
another directory with execute permissions).
- Set the NTFS security on the .stm file to match the security on the
batch file.
- Call the .stm file from HTML pages instead of calling the batch files
directly.
Example HTML document:
<html>
<form action="/scripts/test.stm" method=get>
<input type=submit>
</form>
</html>
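The following Python script is an added example, not part of the original article or any Microsoft code. It audits a site for two of the workaround steps above: every batch file has an .stm wrapper containing the #exec cgi directive, and no HTML page still calls a batch file directly. The names audit and SAMPLE, and every sample path other than /scripts/test.cmd and /scripts/test.stm, are constructed for illustration.

```python
import re

# SSI directive in the form the article shows: <!--#exec cgi="/scripts/test.cmd"-->
EXEC_CGI = re.compile(r'<!--\s*#exec\s+cgi\s*=\s*"([^"]+)"\s*-->', re.I)
# action= or href= attributes that point straight at a .cmd/.bat file
DIRECT_REF = re.compile(
    r'(?:action|href)\s*=\s*["\']?([^"\'\s>]+\.(?:cmd|bat))(?=["\'\s>?])', re.I)

def audit(files):
    """files maps a virtual path to the file's text (batch bodies are not read).

    Returns (unwrapped, direct):
      unwrapped - batch files that no .stm wrapper executes
      direct    - (page, target) pairs where a page calls a batch file directly
    Paths are compared case-insensitively, as IIS and NTFS treat them.
    """
    batch = {p.lower() for p in files if p.lower().endswith((".cmd", ".bat"))}
    wrapped, direct = set(), []
    for path, text in files.items():
        low = path.lower()
        if low.endswith(".stm"):
            wrapped.update(t.lower() for t in EXEC_CGI.findall(text))
        elif low.endswith((".htm", ".html")):
            direct += [(path, t) for t in DIRECT_REF.findall(text)]
    return sorted(batch - wrapped), sorted(direct)

# Constructed sample site: test.cmd is wrapped as in the article,
# report.bat has no wrapper and is still linked directly from a page.
SAMPLE = {
    "/scripts/test.cmd": "",
    "/scripts/report.bat": "",
    "/scripts/test.stm": '<!--#exec cgi="/scripts/test.cmd"-->',
    "/index.html": '<form action="/scripts/test.stm" method=get>'
                   '<input type=submit></form>',
    "/old.html": '<a href="/scripts/report.bat">Run report</a>',
}

if __name__ == "__main__":
    unwrapped, direct = audit(SAMPLE)
    for target in unwrapped:
        print("no .stm wrapper:", target)
    for page, target in direct:
        print("direct batch call:", page, "->", target)
```

The script does not read NTFS permissions, so the step of matching the .stm file's security to the batch file's still has to be verified on the server.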
STATUS
Microsoft has confirmed this to be a problem in Internet Information
Server versions 2.0 and 3.0. We are researching this problem and will
post new information here in the Microsoft Knowledge Base as it becomes
available.
Modification Type: Minor
Last Reviewed: 6/23/2005
Keywords: kbbug kbnetwork KB166491