Any IIS gurus?

UltraJounin

In our environment we use service accounts in AD with domain admin privileges to run specific 3rd party, home grown and MS apps.

Last week via GPO we implemented a policy on those service accounts to deny logon locally rights (RDP) to restrict our in house developers to use those accounts as means of having admin privileges. While there are other ways to do this, for our purposes this method was most efficient. Our domain consists of both server 2000 and 2003.

Once permissions were pushed all was well except for one particular server running server 2000/IIS 5. One of the accounts that W3SVC (IIS) uses to allow communication between the website and the image server was denied access thus causing the service to fail:

Event Type: Warning Event Source: W3SVC Event Category: None Event ID: 100 Date: 02/08/2007 Time: 15:15:53 User: N/A Computer:
Description: The server was unable to logon the Windows NT account '#site_agent' due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. The data is the error code.


This error basically made the site inaccessible for the client.

We noticed that there was one small difference between this 2000/IIS5 box and the others; what I'd like to know is why. The security settings for the Default Website in IIS had Integrated Authentication disabled, and we resolved the problem by enabling it. However, we generally leave it disabled, and that works fine on the other 2003/IIS 6 boxes (even after the GPO changes).

So what I am really after is an explanation of how 2000/IIS 5 uses the local logon privileges (RDP) in conjunction with enabling/disabling Integrated Authentication (NT challenge/response security, NTLM) to "run" a service like W3SVC?

Thanks in advance.
 
>>we implemented a policy on those service accounts to deny logon locally rights (RDP) to restrict our in house developers

I don't think you are supposed to be messing with logon rights of services. The services may not function correctly if you do that.

Logon locally in my mind means console logons. The "R" in RDP stands for Remote and is not considered a local logon AFAIK.

EDIT: Just wanted to clarify.... I have seen RDP referred to as a local logon, but I have sometimes had error msgs tell me I had to be logged in locally to do something when I was on a RDP connection too. To the best of my knowledge, RDP is not a real local logon.
 
Looks like you need to grant that account the Log On as a Service, and maybe log on as a batch job rights. Also, Windows 2000 doesn't have the Allow Logon Through Terminal Service right.
 
@OP: Look through your security event log on the so-called "image server" and find the failed logon attempt. I don't know how your webserver is accessing this image server, however, my guess is that it would be logon type 3, which is a network logon (to a file/printer share). If so, make sure that the user account, or necessary security group, has permission to "Access this computer from the network."

If you have a bunch of GPOs being applied to the server, or if you think someone may have messed with the local policy settings on that server, use the RSOP tool to determine the end-result setting.

Regardless, check out the security event log to find more information about the type of logon being attempted. You might need to enable security failure logging.

"Last week via GPO we implemented a policy on those service accounts to deny logon locally rights (RDP) to restrict our in house developers to use those accounts as means of having admin privileges. While there are other ways to do this, for our purposes this method was most efficient."

That is an absolute false sense of security, just FYI. As long as your developers have access to a domain admin account, they can do whatever the hell they want with your domain. There are plenty of tools they can use to do this, they don't need to RDP into them. They can use tools like regedit, mmc snap-ins, administrative file shares, and any 3rd party tools, and screw with your servers. Your developers simply should not have access to any administrative account, period, end of story. Anything less than this is a serious security risk.

"So what I am really after is an explanation of how 2000/ IIS 5 uses the local login privileges (RDP) in conjunction with enabling/disabling Integrated authentication (NT challenge response security/ NTLM) to “run” a service likeW3SVC?"

Local logon privileges and Terminal Services logins are two separate rights. You can grant access to Terminal Services without granting local logon permissions. That said, I highly doubt that this service is exercising the right to use Terminal Services (see above). Most likely, it is exercising the network access logon type. See this article for more information on logon types.
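As an added example (not from any poster in this thread), the triage pcgeek86 describes can be scripted: read the failed-logon entries from the Security log, pull out the logon type, and name the "Deny" user right whose assignment (for instance through a GPO) would produce that failure. The log text below is a constructed sample in the Windows 2000/2003 Event Viewer layout, with made-up account names; the type-to-right mapping is standard Windows documentation.

```python
import re

# Windows 2000/2003 logon types and the user rights that govern them; a "Deny"
# right assigned via GPO overrides the matching "Allow" right. Type 10 exists on
# XP/2003+ only; on Windows 2000 a Terminal Services session is type 2.
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    3: ("Network", "SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    4: ("Batch", "SeBatchLogonRight", "SeDenyBatchLogonRight"),
    5: ("Service", "SeServiceLogonRight", "SeDenyServiceLogonRight"),
    10: ("RemoteInteractive", "SeRemoteInteractiveLogonRight",
         "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed sample: two Security-log records with event 534, the 2000/2003
# audit event for "the user has not been granted the requested logon type".
SAMPLE_LOG = """\
Event ID: 534
    Reason:        The user has not been granted the requested logon type at this machine
    User Name:     site_agent
    Domain:        CORP
    Logon Type:    2
Event ID: 534
    Reason:        The user has not been granted the requested logon type at this machine
    User Name:     svc_backup
    Domain:        CORP
    Logon Type:    3
"""

def parse_failed_logons(log_text):
    """Split the log into records and extract the fields needed for triage."""
    events = []
    for block in re.split(r"\n(?=Event ID:)", log_text.strip()):
        m_id = re.search(r"Event ID:\s*(\d+)", block)
        m_user = re.search(r"User Name:\s*(\S+)", block)
        m_type = re.search(r"Logon Type:\s*(\d+)", block)
        if not (m_id and m_user and m_type):
            continue  # not a logon-failure record we know how to read
        events.append({"event_id": int(m_id.group(1)),
                       "user": m_user.group(1),
                       "logon_type": int(m_type.group(1))})
    return events

def blocking_right(event):
    """Name the logon type and the 'Deny' right that would cause this failure."""
    if event["event_id"] != 534:
        return None  # some other failure reason (bad password, etc.)
    name, allow, deny = LOGON_TYPES.get(event["logon_type"], ("Unknown", None, None))
    return {"user": event["user"], "logon": name, "allow": allow, "deny": deny}
```

Running `blocking_right` over the sample reports that `site_agent` failed an Interactive (type 2) logon, which is exactly what a "Deny log on locally" assignment blocks, while `svc_backup` needs "Access this computer from the network".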
 
Thanks for the answers all...

@ pcgeek86
I followed your advice and examined the logs more carefully and determined it was a type 2 logon. In terms of being denied, that makes sense if Integrated Authentication was off, since IIS was expecting that account (type 2 logon) to be interactive. By enabling I.A., IIS was able to accept the connection from the site via a cryptographic exchange of the account's credentials.

Funny you would mention that false sense of security, as this morning we caught one of them doing just that... The main problem is that these "developers" (or hackers, as we like to call them) work directly for our largest, highest-paying client, which constantly needs things fixed and tweaked, and our developers use that as leverage for their on-the-fly changes to production servers with proper protocol. Sadly they have the support of upper management :( We are still working on a plan to slow down their nonsense, and today's little incident helps fuel our fire.

@ Spartacus
The change was made via GPO to deny non-Domain Admins the ability to use those service accounts to log into servers via RDP... if that makes sense :)

Thanks again all...
 