We are running an ISAPI web application in IIS6 on a Windows 2003 server. The
website's home directory is pointing to a share folder on another server.
Both servers have local accounts, "optaweb1ws", which belong to the local
"users" group. The web site connects to the share folder using this account.

The problem is that errors of the ISAPI application are not logged to the Event
log (Application log), but they are logged if it is running on an IIS5 Windows
2000 server.

If I add "optaweb1ws" to the local administrators group of the IIS6 Windows 2003
server, it starts logging.
Or
If I copy the home directory to the local hard drive, it starts logging too.

My question is whether I can get the IIS6 ISAPI application to log to the
application log without granting the "optaweb1ws" account local
administrator rights or moving the network share to the local hard drive?

Re: ISAPI Application error does not log to application log. by David

David
Tue May 02 06:41:53 CDT 2006

Nope, your question has nothing to do with IIS nor ISAPI.

You are simply looking at security lockdown of access to the Event Log. You
have to tweak some registry key of the Event Log to allow non-privileged
manipulations. I can't quite recall the KB at the moment; would appreciate
it if you found it and reported it.

The main relevant change in IIS6 is that we changed the user identity of the
process that executes ISAPI (for security reasons). We know you can lose
functionality as a result, but we believe the fundamental security
improvements are worth the breaking changes, so we made them.

This means that you get the fun job of figuring it all out and deciding if
you agree or not. And before you complain that we should have let you
"opt-in" to such breaking changes, consider the following:
- 99.99% of users would probably not "opt-in" to changes and we would not
have improved security of Windows nor IIS
- yet those same users would vocally complain that Microsoft should "improve
security"
- so we chose to make the breaking changes and put the work on you to
"opt-out"

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//



Re: ISAPI Application error does not log to application log. by JackWu

JackWu
Tue May 02 10:45:03 CDT 2006

Thanks David!
You are right. I would like to share this kb article here!
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
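
An added example, not part of the original posts and not Microsoft's code: a small evaluator for an event log security descriptor that shows why membership in Administrators makes logging work, and how a single write-only ACE for the one account achieves the same result with less privilege. It assumes the registry setting David refers to is the per-log `CustomSD` SDDL string; the SDDL, the account SID and the token contents below are constructed for illustration, and the function names are hypothetical.

```python
import re

# Event log access bits used in a log's SDDL security descriptor.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# Matches "(A;;0x3;;;IU)" style ACEs. Assumption: hex access masks only.
ACE_RE = re.compile(r"\(([AD]);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;([^)]+)\)")

def parse_aces(sddl):
    """Return [(type, mask, trustee)] from the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1]
    return [(t, int(m, 16), sid) for t, m, sid in ACE_RE.findall(dacl)]

def access_allowed(sddl, token_sids, wanted):
    """Walk ACEs in order, as the Windows access check does for a DACL."""
    remaining = wanted
    for ace_type, mask, trustee in parse_aces(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False              # an explicit deny wins when reached first
        if ace_type == "A":
            remaining &= ~mask        # these bits are now granted
        if remaining == 0:
            return True
    return False                      # no ACE granted the remaining bits

def grant_write(sddl, sid):
    """Append an allow ACE giving `sid` write access only (assumes no SACL part)."""
    return f"{sddl}(A;;{WRITE:#x};;;{sid})"

# Constructed sample descriptor: admins get read/write/clear, interactive and
# service logons get read/write, anonymous and guests are denied.
SAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
             "(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)")

# Constructed SID standing in for the local "optaweb1ws" account.
ACCOUNT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

# Assumed token contents for illustration: a plain Users member on a network
# logon, and the same account after being added to Administrators.
USER_TOKEN = {ACCOUNT_SID, "BU", "NU", "AU", "WD"}
ADMIN_TOKEN = USER_TOKEN | {"BA"}

if __name__ == "__main__":
    print("user can write:  ", access_allowed(SAMPLE_SD, USER_TOKEN, WRITE))
    print("admin can write: ", access_allowed(SAMPLE_SD, ADMIN_TOKEN, WRITE))
    fixed = grant_write(SAMPLE_SD, ACCOUNT_SID)
    print("user after ACE:  ", access_allowed(fixed, USER_TOKEN, WRITE))
    print("user can clear:  ", access_allowed(fixed, USER_TOKEN, CLEAR))
```

The added ACE lets the account write events without also gaining the right to clear the log, which the Administrators route would grant.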