Allow web service running in IIS permission to start/stop services

[Kntx]

Hello,

I have a web service running in IIS on a Windows 2003 server. I want it to be able to run a batch file that starts and stops windows services.

My batch file looks a little like this...

net stop "service name"
-- run some processes that require the service to be stopped
net start "service name"

edit: I guess I want to know how to assign "NETWORK SERVICE" the proper permissions to start and stop windows services.

 

[GoatMonkey]

I've never tried anything like that. But it seems like you would need to give IIS_WPG permission in the registry on something like HKLM/System/Service/CurrentControlSet/Services/*YourServiceName* if you're trying to start a windows service from a web service.

But from what you said, you're running batch files that do that part, so you would need IIS_WPG to have access to the directory where your .bat files run.

Are you actually seeing your batch files start to run?

I guess you're trying something like process.start("c:\path\filename.bat") or something like that?

 

[Markbnj]

I basically have to refer to MS docs every time I confront an issue like this. Too damn complex to remember all the pieces. If I recall correctly, the web service's thread will be executing in the context of either IUSR_<MachineName> or a specific user (with Windows authentication). So giving that user the right permissions at the OS level is one part of the solution.

Then there is the trust level of the application itself. You don't say what version of IIS you're running on, but you should check the level of trust the application runs under. You'd need full trust for this, I'm pretty sure.

 

[imported_Dhaval00]

Here is the best technique I have come across for such tasks:

1) Create a user on your machine that will be allowed to start/stop the services you're interested in.
2) Add this user to IIS_WPG group on your machine.
3) Create a new AppPool in IIS and set its identity to the user above.
4) Set your Website to run using the custom AppPool from step #2.

These steps are specific to W2K3, but you can tweak them for WinXP.

 

[drebo]

In order to run a batch file from within IIS, or indeed execute any command, whichever user that is associated as the "owner" of the IIS process will need execute permissions to the "command.com" file in the Windows\System32 folder.

Obviously, there's some innate security risks in this, so make sure you know who your target audience is and that you've got your security measures all squared away.

 

[Kntx]

Got it all set up. Thanks for the responses.