HOWTO: Run Console Applications from IIS6 on Windows Server 2003
Question:
I need some help on the following: I am trying to exectute the netstat comand in side a PHP script using PHP on a wnidows server 2003. The problem is that i am haveing a problem getting the netstat command to exec since it requires adminstration privage but PHP does not have such privage and runs as anumaliuse user - if i change the PHP to run as a adminstitor it will open up security holes on the system. I have tried to rename the netstat comand to another name and moved it to another folder given the new exec admistrator privages - and then change my script to exec() that file unstead - This solution how ever did not work so what can i do to get around the problem. Anyone have any ideas what and how i should go about doing this and not open my server to interent hackers.
But let me explain - the command netstat is running in a PHP script as a shell exec function but since PHP as a anonymous user - the netstat comand requires administator access we are get file permison problems - ANY IDEAS OR WORK AROUND this one any one have a idea how one can do in Microsoft Server 2003.
> netstat -n | find "66.98.253.115:5000" | find /C "ESTABLISHED"
Answer:
Actually, NetStat.exe, along with most console programs in the Windows System32 directory, does NOT require administrator privileges to execute. For example, I run NetStat.exe as an unprivileged user all the time.
What you are actually observing is a Security enhancement of NTFS ACLs made in Windows Server 2003 against remote anonymous exploitation of the server.
If you look at the ACLs of most console programs in System32 on Windows Server 2003, you will see combinations of the following NTFS ACLs:
- Interactive:R
- Service:R
- Batch:R
- TelnetClients:R
- Administrators:F
- System:F
How this interacts with IIS6 is very simple. IIS runs as an unprivileged user account and performs an unprivileged, non-interactive NETWORK_CLEARTEXT user login for the authenticating user account, and this user identity is used to execute the request. Now, this user identity is usually not included in any of the aforementioned ACLs. This means that if you login via IIS, you MUST be an Administrator to be able to read and execute those programs.
Meanwhile, if you login via the console or remote desktop, it would be considered an interactive login and the Interactive:R ACL will grant that user, even if unprivileged, permission to read and execute those programs.
This is why an unprivileged local console login of the anonymous user can run NetStat.exe while the network login of the same anonymous user cannot run NetStat.exe.
In short, your solutions include:
- Keep File's ACLs the same and somehow run PHP exec() as an Administrator or System
- Change File's ACLs to include your unprivileged user and run PHP exec() as the unprivileged user
Both actions have their pros and cons. You can weigh them and decide the best choice for your situation. The first option is a security vulnerability because your applications needlessly run with elevated privileges all the time. The second option weakens system security by allowing unprivileged remote user ability to run certain console applications on the server. But, such is the security decision that you must make - every permission and program granted to remote anonymous users opens up a new attack surface - IIS6 and Windows Server 2003 merely brings that to your attention front-and-center.
//David