Article ID: 2264072 - Last Review: June 10, 2011 - Revision: 1.2

Microsoft Security Advisory: Elevation of privilege using Windows service isolation bypass

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows (http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs) .
Expand all | Collapse all

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/2264072.mspx (http://www.microsoft.com/technet/security/advisory/2264072.mspx )

MORE INFORMATION

The Windows Service Isolation feature that is described in this advisory does not correct a security vulnerability. Instead, it is a defense-in-depth feature that may be useful for some customers. For example, service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.

To manually configure the Worker Process Identity (WPI) for application pools in IIS, follow these steps.

For IIS 6.0
  1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then select Properties.
  2. Click the Identity tab, and then click Configurable. In the User name and Password text boxes, type the user name and password of the account under which you want the worker process to operate.
  3. Add the selected user account to the IIS_WPG group.
For IIS 7.0 and later versions
  1. At an elevated command prompt, open the following folder:
    %systemroot%\system32\inetsrv

    For more information about how to run a command with elevated privileges, visit the following Microsoft Web page:
    http://windows.microsoft.com/en-US/windows7/Command-Prompt-frequently-asked-questions (http://windows.microsoft.com/en-US/windows7/Command-Prompt-frequently-asked-questions)
  2. Type the APPCMD.exe commands, and press ENTER after each command:
    appcmd set config /section:applicationPools /
    [name='string'].processModel.identityType:SpecificUser /
    [name='string'].processModel.userName:string /
    [name='string'].processModel.password:string
    Note You must adjust the syntax in the commands, depending on the following:
    • string is the name of the application pool
    • userName is the user name of the account that is assigned to the application pool
    • password is the password for the account
APPLIES TO
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Back to the top
Keywords: 
kbexpertiseinter kbinfo kbsecadvisory kbsecurity kbsecvulnerability KB2264072