[wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

Phill Hogland phill.hogland at rimage.com
Thu Mar 31 05:52:06 PDT 2016


>>>If you find a way to get the process context right, I'd really like to know.

I am not sure if this helps your process context concern but I think I figured out how to configure the DCom permissions.  At the moment I have a very crude test case working, and I need to do more research before I refactor it into a production solution.  But the basic steps are:

1) Look at the code in Wix 3.10.2 source at dutil\srputil.cpp::InitializeComSecurity and I basically implemented something similar in an Immediate CA for testing, excluding the call to CoInitializeSecurity.
2) In my case I wanted to add the IIS_IUsrs well-known group (for experimentation I left the rest of the implementation as it is, but I will eventually remove the explicit setting of NetworkService and LocalService to simplify and improve my security footprint since I am not targeting pre-Win7).  I made these changes:
     a) modified:  EXPLICIT_ACCESS ea[6] = { 0 };
     b) added:
        ULONGLONG rgSidIUSRS[(SECURITY_MAX_SID_SIZE + sizeof(ULONGLONG) - 1) / sizeof(ULONGLONG)] = { 0 };
        .......
        // Create an IUsrs group security identifier (SID).
        cbSid = sizeof(rgSidIUSRS);
        if (!::CreateWellKnownSid(WinBuiltinIUsersSid, NULL, rgSidIUSRS, &cbSid))
        {
            ExitWithLastError(hr, "Failed to create IUsers group SID for system restore.");
        }
        ........
        //::ZeroMemory(&ea[4], sizeof(EXPLICIT_ACCESS));
        ea[5].grfAccessPermissions = COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE | COM_RIGHTS_ACTIVATE_LOCAL | COM_RIGHTS_ACTIVATE_REMOTE;
        ea[5].grfAccessMode = SET_ACCESS;
        ea[5].grfInheritance = NO_INHERITANCE;
        ea[5].Trustee.pMultipleTrustee = NULL;
        ea[5].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
        ea[5].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[5].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        ea[5].Trustee.ptstrName = (LPTSTR)rgSidIUSRS;  // IUsers group

To add a named principal I think you would change the EXPLICIT_ACCESS.Trustee.TrusteeForm  to TRUSTEE_IS_NAME and EXPLICIT_ACCESS.Trustee.ptstrName = "domain\name", but I did not go that route.

3) Rather than serializing the &sd (resulting from SetSecurityDescriptorDacl) to one of the DCom binary registry values like LaunchPermission by casting as a LPBYTE (which does not work because the SD is in "absolute" format meaning it has pointers to the ACEs and the actual ACE will be missing from the registry value) what needs to happen is a conversion to a "self-relative" SD.  Look at code in Wix 3.10.2 source in dutil\aclutil.cpp::AclCreateSecurityDescriptorFromDacl for an example.

Also if the need is to preserve the existing registry setting and only merge in new settings, I have not done this yet, but I think the steps are to read the binary registry Bytes into a SECURITY_DESCRIPTOR, validate and then convert it back to an Absolute format (MakeAbsoluteSD) and then get the DACL (GetSecurityDescriptorDacl).  At that point if a valid 'old' DACL is recovered then set EXPLICIT_ACCESS.grfAccessMode to GRANT_ACCESS.  But if the old DACL is null then SET_ACCESS must be used or SetEntriesInAcl returns ERROR_INVALID_PARAMETER (87) when a null is passed instead of the old DACL.

I hope this helps.  I have more research and proving to do on some of this, but there is light at the end of the tunnel.
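
A PowerShell equivalent of steps 2 and 3 above, including the merge-with-existing-DACL case from the last paragraph, added here as an example; it is not Phill's code or WiX's. It assumes it runs elevated, that the DCOM server's AppID key already exists under HKLM\SOFTWARE\Classes\AppID (the GUID in the usage lines is a placeholder), and that the target is the registry LaunchPermission/AccessPermission value rather than CoInitializeSecurity; .NET's RawSecurityDescriptor does the self-relative conversion, so no MakeAbsoluteSD/MakeSelfRelativeSD round trip is needed.

```powershell
$COM_RIGHTS_EXECUTE        = 0x1
$COM_RIGHTS_EXECUTE_LOCAL  = 0x2   # 0x4 = COM_RIGHTS_EXECUTE_REMOTE (not granted by default here)
$COM_RIGHTS_ACTIVATE_LOCAL = 0x8   # 0x10 = COM_RIGHTS_ACTIVATE_REMOTE; ACTIVATE bits only matter for LaunchPermission

function Grant-DcomPermission {
    param(
        [Parameter(Mandatory)][string]$AppId,   # AppID GUID including braces (placeholder in the usage lines below)
        [ValidateSet('LaunchPermission','AccessPermission')][string]$ValueName = 'LaunchPermission',
        [string]$Sid = 'S-1-5-32-568',          # BUILTIN\IIS_IUSRS, the SID CreateWellKnownSid(WinBuiltinIUsersSid) returns
        [int]$AccessMask = ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_ACTIVATE_LOCAL)
    )
    $key     = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $trustee = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $aclRev  = [System.Security.AccessControl.GenericAcl]::AclRevision
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($current) {
        # The registry value is a self-relative SD; parsing it keeps the existing ACEs (the merge case).
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$current, 0)
    } else {
        # No value yet (the "old DACL is null" case): start a new descriptor owned by BUILTIN\Administrators.
        $admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
        $flags  = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent -bor
                  [System.Security.AccessControl.ControlFlags]::SelfRelative
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($flags, $admins, $admins, $null,
                  [System.Security.AccessControl.RawAcl]::new($aclRev, 1))
    }
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new($aclRev, 1)
    }
    # Idempotent: do nothing if an allow ACE for this SID already covers the requested bits.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $trustee -and (($ace.AccessMask -band $AccessMask) -eq $AccessMask)) {
            Write-Verbose "$ValueName already grants 0x$($AccessMask.ToString('X')) to $Sid"; return
        }
    }
    $ace = [System.Security.AccessControl.CommonAce]::new([System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed, $AccessMask, $trustee, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    # GetBinaryForm writes the self-relative layout DCOM expects in the registry.
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path $key -Name $ValueName -Value $bytes -Type Binary
}

# Usage (placeholder AppID): local launch/activate rights, then local call rights (EXECUTE | EXECUTE_LOCAL).
Grant-DcomPermission -AppId '{APPID-GUID-PLACEHOLDER}' -ValueName LaunchPermission
Grant-DcomPermission -AppId '{APPID-GUID-PLACEHOLDER}' -ValueName AccessPermission -AccessMask 0x3
```

Granting only the local bits is narrower than the five-bit mask in the CA snippet above; add 0x4/0x10 only if the ASP.NET app genuinely calls the server across the network.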

________________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of John Cooper <JoCooper at jackhenry.com>
Sent: Wednesday, March 30, 2016 12:48 PM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

You can do it through the WMI API.  Basically, you are doing the same thing I was doing except on a third party as opposed to IIS object.

--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com




-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Phill Hogland
Sent: Wednesday, March 30, 2016 12:44 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

The e-mail below is from an external source.  Please do not open attachments or click links from an unknown or suspicious origin.

>>Are you using it to backdoor IIS security?
Not as far as I know, but if I need to push back on the developer that wrote the ASP.NET app and get him to take another approach I am happy to do that.  In fact, while researching this issue I read some stuff about IClient SecurityBlanket and asked him to evaluate whether he needed to make some changes.

The story here is we have an ASP.NET app with a third-party desktop app that provides a DCOM interface. The ASP.NET app consumes the DCOM object as an out of process server.  So I have always had to use dcomcnfg  (or in the old setup dcomprem.exe) to add the apppool identity to the DCOM object's launch and access permissions.  I find that adding the builtin IUsers group is as effective as adding a specific identity like NetworkService, because IIS adds the app pool identity to the IUsrs group only when the identity needs access/Activate permissions.  The ASP.NET app and DCOM interface have been deployed for some time, starting back on xp, but this conversion from InstallScript setup to an MSI is one of the last major hurdles on my journey to eliminate all of our InstallScript setups. (Yeh! Thanks WiX team!!!).

Thanks for your comments, and any further suggestions.

________________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of John Cooper <JoCooper at jackhenry.com>
Sent: Wednesday, March 30, 2016 12:13 PM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

Are you using it to backdoor IIS security?

I have a single product that needs IIS wrapped in DCOM with the permissions of a particular user so that user can spawn additional sites, app pools, and applications.

It's easy enough to execute using either a C# or C++ custom action.  The problem comes with the need for an affinity between the affected process and the DCOM object.  Since custom actions are launched independent of the installing process, it's very unlikely that process will work.  Indeed, I could get the DCOM service setup, but it was for the wrong process context.

Ultimately, for that one product, we use a post install PowerShell script.  If you find a way to get the process context right, I'd really like to know.

--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com




-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Phill Hogland
Sent: Wednesday, March 30, 2016 11:56 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)


I need to configure a DCom object's LaunchPermission and AccessPermission to include the IUsrs group for access by an ASP.NET app.  I am just wondering how other folks have approached this issue.

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.

