Question

I have a Classic ASP page that configures a port exclusion on the server's Windows Firewall using the HNetCfg.FwMgr object. On my IIS 6, Win 03 server, I had to add Set/CreateKey/Delete access to the IUSR_machine account to the HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ registry entry.

When I run on my new Windows Server 2008, IIS 7, I get a Permission Denied. If I change the Anonymous user to Admin, or even a newly created user that is a member of the Users group, I don't get the permission denied, and the updates occur.

I noticed that the location in the registry where the firewall entries are stored has changed. But even if I give IUSR Full Control of my HKLM, it still gets a Permission Denied when attempting to add the port exclusion. It can read the list of port exclusions fine, so I am assuming that access to the HNetCfg.FwMgr is working fine.

Anyone have any ideas how to get IUSR to be able to add an exclusion using that object (HNetCfg.FwMgr)? Rewriting using the new fw policy 2 is not an option at this time.


Solution

You need to run your application pool as an administrative user. If you are worried about security, then run it as a virtual directory that has the admin permissions. You can use xmlhttp from a script not in that virtual directory (one under the control of I_user) to call the script in the (Firewall) virtual directory which has admin security permissions. This way, the URL (virtual directory) of your firewall script is not public.
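
The privileged script in the (Firewall) virtual directory, sketched as an added example that is not part of the original answer: because it runs with administrative rights, it accepts only calls that originate on the server itself and only ports from a fixed allowlist before touching HNetCfg.FwMgr. The file name, the allowlist values, the `port` form field and the rule name are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not from the original answer. Assumed file: /Firewall/openport.asp,
' served by an application pool whose identity is allowed to change firewall policy.

Const NET_FW_IP_PROTOCOL_TCP = 6
Const ALLOWED_PORTS = ",8080,8443,"   ' hypothetical allowlist; adjust to your service

' Send an error status and stop processing the request.
Sub Deny(status, msg)
    Response.Status = status
    Response.Write msg
    Response.End
End Sub

' 1. Accept only requests made from this server (the internal xmlhttp call).
Dim remote
remote = Request.ServerVariables("REMOTE_ADDR")
If remote <> "127.0.0.1" And remote <> "::1" And _
   remote <> Request.ServerVariables("LOCAL_ADDR") Then
    Deny "403 Forbidden", "local callers only"
End If

' 2. Accept only a plain decimal port number that is on the allowlist.
Dim re, raw, portNum
raw = Trim(Request.Form("port"))
Set re = New RegExp
re.Pattern = "^\d{1,5}$"
If Not re.Test(raw) Then Deny "400 Bad Request", "bad port"
portNum = CLng(raw)
If InStr(ALLOWED_PORTS, "," & portNum & ",") = 0 Then
    Deny "403 Forbidden", "port not allowed"
End If

' 3. Add the exclusion through the legacy firewall manager object.
Dim fwMgr, profile, openPort
Set fwMgr = Server.CreateObject("HNetCfg.FwMgr")
Set profile = fwMgr.LocalPolicy.CurrentProfile
Set openPort = Server.CreateObject("HNetCfg.FWOpenPort")
openPort.Name = "App port " & portNum   ' assumed rule name
openPort.Port = portNum
openPort.Protocol = NET_FW_IP_PROTOCOL_TCP
profile.GloballyOpenPorts.Add openPort
Response.Write "opened " & portNum
%>
```

Restricting the Firewall virtual directory to local addresses in IIS as well gives a second layer, so the check inside the script is not the only control.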

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow