KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q166491: Secure Batch Files Return Access Denied Error Message

Article: Q166491
Product(s): Internet Information Server
Version(s): winnt:2.0,3.0
Operating System(s): 
Keyword(s): kbnetwork
Last Modified: 02-MAY-1999

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Server versions 2.0, 3.0 
-------------------------------------------------------------------------------


SYMPTOMS
========

Batch files that are implemented as Common Gateway Interface (CGI) applications
on an Internet Information Server (IIS) computer will always return an Access
Denied error message if they are secured using NTFS file security and the
Anonymous user does not have access rights to the batch files. The Access Denied
error message is returned regardless of the authentication scheme (Basic or
Challenge Response) configured on the IIS server. The following is the error
page returned to the client:

  CGI Error
  The specified CGI application misbehaved by not returning a complete
  set of HTTP headers. The headers it did return are:
  Access is denied.

CAUSE
=====

The error occurs because CGI applications are not access checked before being
executed. IIS relies on the request handler in w3svc to access check a request
and return an error indicating authentication is required to access the
requested object.

In this case, the requested object is a batch file, which is handled differently
than other requests. A batch file requires IIS to run the command interpreter
(Cmd.exe) to process, and requires an extra thread to monitor and return any
output generated by the batch file (CGI Gateway Thread). Because Cmd.exe is not
secure, it will execute without a failure and IIS will start the CGI Gateway
Thread. The error results when Cmd.exe attempts to process the secure batch
file. Cmd.exe fails to process the batch file silently; however, the CGI Gateway
Thread is still waiting for output from the batch file. Eventually the CGI
Gateway Thread fails and returns a Gateway Error to the requesting client with
the Access Denied error message.

WORKAROUND
==========

To work around this problem, you need to first upgrade to IIS 3.0 (if you have
not already done so), install IIS 3.0 Active Server Pages (ASP), and use the new
server-side include "execute" functionality to force a security check before
executing the batch file. To force a security check before executing the batch
file:

1. Install Windows NT 4.0 Service Pack 2, then shut down and restart.

2. Install Active Server Pages (ASP) from the Service Pack 2 CD by running
  iis30\asp\aspsetup.bat.

3. Create an .stm file (for example, Test.stm) for every secure batch file used.
  The .stm file should contain the following text to execute a batch file.

  Example .stm file:
  <!--#exec cgi="/scripts/test.cmd"-->

4. Place the .stm file in the /scripts directory on your server (or another
  directory with execute permissions).

5. Set the NTFS security on the .stm file to match the security on the batch
  file.

6. Call the .stm file from html pages instead of calling the batch files
  directly.

        Example html document:
        <html>
        <form action="/scripts/test.stm" type=get>
        <input type=submit>
        </form>
        </html>

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server
versions 2.0 and 3.0. We are researching this problem and will post new
information here in the Microsoft Knowledge Base as it becomes available.


======================================================================
Keywords          : kbnetwork 
Technology        : kbiisSearch kbiis300 kbiis200
Version           : winnt:2.0,3.0
Hardware          : x86
Issue type        : kbbug

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.