I am trying to make a site that will execute either a VBS file for a .BAT file on the server when a user clicks a link by using a WScript.Shell object. The problem is i keep getting permission denied whenever i try using the oshell.run command. I have tried almost everything and determined it has to be soemthing within the IIS server permissions. All the files (except the ASP page) work correctly when executed manually.

1) I used %comspec% /c to make sure a window was never opened for user input (found similar problems with this solution).

2) I have put the link, and both executable files within a folder with exacutable permissions.

3) I have given all users executable permissions.

I have read in alot of places that i should change the usr_computername account to be able to run executables. I cant find this account anywhere except locally. Locally we tried giving all account permissions and that didnt work. We use NT Authentication anyway so this shouldnt matter.

I dont know if anyone would have an answer for this problem but i figure i would ask.


On a side note - we are creating a helpdesk site. to get users to stop using e-mail and start using the helpdesk we need to make it easier for them to use the helpdesk than outlook. Everything else is working fine but if someone wants to send us a screenshot then its easier to printscreen+paste into outlook than upload to a server. Since this in an internal site, by using visual basic scripts we have access to all of the computers and can run command line arguments on them with PSExec.

So my idea was to make a vbs file that would check to see if a user has Gadwin Printscreen installed. If it didnt have it then it would install it. It would check the process list for printscreen.exe and psexec.exe and make sure they were not running, if they were they would kill the process. Once all of that is done we PSExec into the users computer (who clicked a "take screeny" link on the helpdesk site) and have gadwin open, take a screenshot, save it to a network directory, insert a file path and the problem id into a database, then close without the user seeing any of this happen. As i said everything works manually so last i need is to let ASP run executables

Okay, let's put the security risks aside.

What version of IIS are you using, or, what operating system? This makes a big difference. Assuming it's Windows Server 2003, and IIS 6. This means the security context your ASP code runs under is configurable, but defaults to NETWORK SERVICE. ( I think. ) Not really advisable, but you could set it to run under a more privileged account ( like yours ), or you could find the account it's running under, make sure the web site is set up to be able to run scripts, and then, finally, give the folder with your batch and script files NTFS permissions for the user IIS is running your code as.

The IUSER_computername is only a local account

create a domain account and set IIS to run under that account

MS Server 2003 Web Edition Sp1
IIS 6.0

What would be the security risk of making iis run under a different account since the site would be in house and users dont really know how to break anything.

Can you set up certain sites/pages to run under this account instead of everything?

Added: I went through IIS and found all the user accounts setting it so everynoe could run scripts (temp. ) and this didnt do anything at all. Are you talking about an AD account? I dont really understand where this account resides.

What is the specific error?

What account are you running under now? It sounds like if you can do things by clicking on them but not through code, you may want to switch the code to run under your AD account. The security risk here is that if your server gets hijacked it can do more damage, but it sounds like that's safe to ignore. This will sit behind a firewall, no?

Try launching the batch files using Process.Start?

Quote:

users dont really know how to break anything.

They're the worst kind

Each site can have a seperate user assigned but not pages. Unless you use NT authentication when you can set permissons (NTFS) at file level.

If the webserver is a AD member server you can set a user account there and have that be the account IIS or each site runs under. This can have some security implication if the webserver is public but for a inhouse setup it won't really be an issue.

ASP isn't running the scripts on the user machine though. All asp is doing is sending the script code to the browser and the code then runs in the user context and will succeed or fail depending on browser settings.
Without knowing what exactly your setup is, I would say that you need to add your intranet site(s) to the trusted site list in IE.
You can do this using Group Policies so you don't have to visit every desktop/laptop and change it.

We do use NT authentication to deal with users logging into the actual site. The site has also been put into everyone's local intranet trusted sites.

If this is what you mean by permissions at the NT File level then this doesnt work either.

Who is the selected user? ( John E Hagan? ) Try granting permission to the file or folder to "everyone."

Also, a screen shot of the error that happens from your code that you're trying to fix would be far more useful here.

Good point, thats another thing i dont understand about this error. It will print out half of the page then just stop when it gets the permission problem.

Code:

<%
           Dim screeny,strComputerName, objShell, intError, exeName
           screeny = Request.QueryString("screeny")
           exeName = "%comspec% /c Executables/screen.bat"
           strComputerName = Request.ServerVariables ("REMOTE_HOST")
           Set objShell = CreateObject ("WScript.Shell")		
       
           If screeny = 1 Then
               response.write strComputerName
               response.write intError
Line50:     intError = objShell.Run(exeName,0,True)
           Else
           %><a href="runPrintScreen.asp?screeny=1">Take Screenshot</a><%
           End %>

My work days over for now but i'll be checking on this tomarrow to see if anyone has any idea's. Thx ppl


Added: just tried giving Eveeryone full ccess and got the same error.

It looks like the error is that your code doesn't have permission to run screen.bat; I'm not sure if it's an NTFS file permission thing, or if the screen capture program it calls demands permissions IIS doesn't want to grant to the machine?

Which file did you give "everyone" access to? The error is provoked by the call to objShell.Run("%comspec% /c Executables/screen.bat"); I'm not exactly sure what the host name is for, but it doesn't seem to be affecting this problem.

I've tried giving permissions to everyone on everything. the entire folder. the page that calls the .bat file, the .bat file itself.

well it seems i got the permissions error to go away but now i still see this error on the same line

'80070002'