executing wshell.run() on asp / iis6 / w2k3 - permission denied

[acidkewpie]

Hi,

I need an ASP page to be able to run a simple ping command on an IIS 6.0 server. I have been trying to use the wshell.run() method, but due to access rights, this is denied execute. I have found various similar problems through google, but most either end up suggesting giving everyone involved admin rights on the system, or providing anonymous access and giving the anonymous user account admin rights.... both these are not an option at all. Is there a less drastic way to let a locally non-priveledged network user just run this one function without destroying the security of the entire server?

[if anyone knows any other ways to ping an address automaticlaly i'd be interested for a reply too... in the past i've used the AspPing.dll package, but i think it was responsible for causing some errors on the server, so would rather avoid it.]

Thanks

Chris

 

[DreXor]

simplest answer, if you must open up a hole, put the hole by itself, make a virtual folder which points to something well outside your internet tree, with exec permissions ONLY for everyone, no write read or delete, i think best way is in iis to set the exec permissions there instead of altering the folder at a system level. and only put into this folder what is directly necessary in order to do the tasks at hand.

make sure if you have any form of upload scheme in your website that you put in specific hard code exceptions to not allow uploading to the virtual folder in discussion and also exclude server.mappath(virtual) folder as a double fold security cover. just in case someone gets wise or bright ideas of trying to throw something of an unfun nature into your folder.

DreX
aKa - Robert

 

[acidkewpie]

Hmm, yes that has got it working, but it's still kinda worrying me. the actual line of code in use is:

wshell.run "cmd /c ping " & ip_address & " > ping.txt"

without the cmd call the ping just doesn't execute at all, even with an absolute path to the ping exe file within our isolated directory. with cmd.exe copied to that directory too, it does work. but of course this means that through this app, anyone can not only ping (big whoops!) but access cmd too. (hmmm...)

 

[acidkewpie]

I have now got this running, however after 30 minutes of server uptime (brand new server 2003 installation, with real low usage) the call to cmd.exe starts spitting out errors that the application (cmd.exe) failed to initialise, error code 0xc0000142. I've seen a few small things from google and msdn saying that the SQL server might be interfering with some memory space or other, but i've been unable to get any relief from the fixes they suggest.

This isn't all that relevant to the original post, but i figured as there was more info here already about the situation it was appropriate.

thanks

Chris

 

[DreXor]

if this is something rather important, you may want to look into AspExec ( from serverobjects.com )

it's a component to shell programs a little more securely from in code. but requires an asp page to drive it.

DreX
aKa - Robert