The Tall IT Guy: 2014

Thursday 4 September 2014

Allowing an IIS web page to execute permissions-restricted scripts using a Scheduled Task

What do you do if you need to make a webpage that runs batch files (For example .bat, .cmd, .vbs, .ps files)? And to run them with a different security context than IIS, or with access to resources that you don't want to expose to IIS directly?

A while back I had a task that I needed to be able to trigger from a web page. In this particular case the task involved running a few different scripts & command line operations – some of which had to be done with particular permissions (such as accessing a share on a different server).

What I didn’t want to do was give those permissions to the IIS process to allow the page to execute these commands directly, as I was worried that a mistake might happen that will allow the page to do a lot more than I wanted and become an easy attack vector.

Realizing that I could encapsulate all of the steps of the task and their necessary permissions into a Windows Scheduled Task, I then set out to see how I can kick off a specified task in the scheduler from an ASP page. This is what I came up with. It has three basic steps:

Create your scheduled task that calls the script(s) that you want to run.
Open up the folder where the task file is saved and change permissions on it so that the IIS process can run it.
Create the web page that will access & run your task.

It’s actually a very simple process, but I’ll spell it out in detail here – because of that it may seem more complicated than it really is.

Create the Scheduled Task

The first step is to create the scheduled task, so log into your IIS webserver and open up the Windows Task Scheduler.

In this example, I’ve created a separate sub-folder called “WebTasks” (select & then right-click on Task Scheduler Library” in the left panel –> New Folder) for organization purposes.

I have a prepared script that I want to run called “mytask.bat” located in a folder at “E:\Scripts\”. So lets start the Create Task dialog (right panel) to set up a task to run it, that we’ll call “IIS_Task”

Enter the General parameters for the task, including setting up the appropriate user credentials that the task needs to run properly using the “Change User or Group” button. The sample is called IIS_Task	In the Triggers tab, we’ll leave this blank in the example. A Trigger is a schedule that will activate the task. We will only run this task manually, so this isn’t needed.
In the Actions tab, click the New button…	… and create an action to run the script we want – in this case “E:\Scripts\mytask.bat”
Switching to the Settings tab, make sure that the “Allow task to be run on demand” setting is checked. Click OK to save it.

Set Permissions on the Task

Next we have to change the permissions on this task so that the IIS process can run it. To do this go to the folder that the task files are saved in, by default that's:

C:\Windows\System32\Tasks\

In our case, since we earlier created this task in a sub-folder called “WebTasks”, we go here:

C:\Windows\System32\Tasks\WebTasks

You should see our new task in a file called “IIS_Task” (or whatever you named your version). Right-click on it & select Properties. Then add Read & Execute permissions for the IUSR account (the default account that IIS uses). If your install of IIS uses a different account, apply that one instead. Apply the change & close the dialog.

Now our task is created, and it’s permissions are changed so that the IIS process can call it, and IIS hasn’t been granted any unneeded permissions such as creating/changing tasks, or access to any of the resources that our task will use.

Create the web page

Finally, it’s time to create the web page that will do this.

I’ve actually looked to see how to call the Task Scheduler from .NET, but couldn’t find the reference in my brief poking around, but did see how to do it in VBScript, so this page is done in “Classic ASP”, rather than ASP.NET. Also, since it’s just an example, there is no security or controls on this demo page:

<%

Dim vRun, vMsg

vMsg = ""
vRun = Trim(Request("run"))    'get form input

'If form value was submitted, run the task
If vRun = "Run Task" Then

   RunJob

End If

'Routine to execute our task
Sub RunJob

    Dim objTaskService, objRootFolder, objTask 

    'create instance of the scheduler service
    Set objTaskService = Server.CreateObject("Schedule.Service")    
    
    'connect to the service
    objTaskService.Connect            

    'go to our task folder, use just "\" if you saved it under the root folder
    Set objRootFolder = objTaskService.GetFolder("\WebTasks")    
    'reference our task
    Set objTask = objRootFolder.GetTask("IIS_Task")            

    'run it
    objTask.Run vbNull

    vMsg = "Submitted"
    
    'clean up
    Set objTaskService = Nothing    
    Set objRootFolder = Nothing
    Set objTask = Nothing

End Sub

%>
<html>
<body>

<form method="post" action="runtask.asp">

  <p>Click to run the task: <input type="submit" value="Run Task" name="run" /></p>

  <p>[<%= run %>]</p>

  <p style="font-weight:bold; color:#006600;"><%= vMsg %></p>

</form>

</body>
</html>

Save that as runtask.asp in your wwwroot folder & try it out.

As you can see, the code to actually run our task is really simple, the real work is done in only five lines of code in the RunJob subroutine.

Hope this helps.

Wednesday 27 August 2014

SQL Server: Inline Queries Across Linked Servers

I’ve had to run a scheduled T-SQL query from one database to another linked server for an import operation. I'm finding that I have to do some comparisons between the result of two subqueries in order to get the proper value for one column. So the results I want would correspond to something like this:

Insert into localTable (columns)

Select col1, col2, col3,

CASE 
      WHEN subquery1result > subquery2result THEN subquery1result
      ELSE subquery2result

END As col4

From server.schema.dbo.table1

Where [stuff]

Note the reference to the linked server… First you have to set up the Linked Server in SQL Server, then you can reference the external database table as [LinkedServerName].[SchemaName].[DataBaseOwner].[TableName]

To flesh that out a little more, if I filled in those subqueries in-line:

Insert into localTable (columns)Select col1, col2, col3,

CASE 
    WHEN (select MAX(T2.datecol) from server.schema.dbo.table2 T2 where T2.id = T1.id) > 
         (select MAX(T3.datecol) from server.schema.dbo.table3 T3 where T3.id = T1.id) 
    THEN (select MAX(datecol) from server.schema.dbo.table2 T2 where T2.id = T1.id) 
    ELSE (select MAX(T3.datecol) from server.schema.dbo.table3 T3 where T3.id = T1.id) 

END As col4

From server.schema.dbo.table1 T1

Where [stuff]

But that doesn’t work – using subqueries in a CASE statement like that won’t fly.
I would normally do these subqueries as user-defined scalar functions, but I can't seem to make one that queries tables in a linked server. And I'm not allowed to modify the schema of the database on the linked server (vendor system).

Any ideas on another way of doing this? I suppose I should copy all relevant values into a holding table (on the local server) & then run the import from there instead of importing directly from the linked server. I was just hoping I could keep it as a straight 'Insert Into... Select From' query in a single step.

I think I stumbled upon a "good enough" solution (which suitably horrify a proper SQL-Ninja):

Insert into localTable (columns)

Select col1, col2, col3,
(Select MAX(DC) From 
   (
      select MAX(T2.datecol) as DC from server.schema.dbo.table2 T2 where T2.id = T1.id
      UNION
      select MAX(T3.datecol) as DC from server.schema.dbo.table3 T3 where T3.id = T1.id 
   ) as U
) As col4

From server.schema.dbo.table1 T1

Where [stuff]

It seems to work, though the query is a bit on the slow side (7 seconds to return ~2K rows). Well within reason for a nightly batch job though. Basically the UNION of multiple inline queries forms a set of it’s own, which we can further query from. In this case we’re choosing the Maximum value returned from two different queries.

Friday 1 August 2014

My .NET app is really slow on one PC, fine on all others

So I had this small .NET Windows Forms application that has been running on a large number of our lab computers with no issues. Not that it matters, but this program would run in the background and record logins to each lab computer against the booking system for reserving the labs.

One such computer was recently upgraded to Windows 7 from XP as a result of the end-of-life support of XP (and a bit of common sense, which is known to happen once in a while).

So once the computer was freshly wiped and had Windows 7 installed & patched, my little program was installed... and it was dog slow.

I mean it was really slow. Where it used to go from launch to actually doing anything (such as becoming visible) in under a second, it was now taking 10 to 15 minutes before there was any evidence of it running. On the same machine.

Looking at the installed .NET frameworks on a working PC and the problem one, they were both the same (at the time, 4.5.1), and earlier versions were not installed side-by-side on either machine. The application was written in Visual Studio 2010 and targeted the 4.0 .NET framework.

Now keep in mind that the older machines used to have older versions of the framework which were then upgraded over time (2.0 -> 3.0 -> 3.5 -> 4.0 -> 4.5). However, being a clean install, the re-installed machine was set up with just .NET 4.5.1 without having passed through any of the earlier versions.

Turns out that was the problem.

Removing .NET, then re-installing it with 4.0 only, and then allowing it to update to 4.5.1 afterward on the problem machine fixed it. I don't know what the mechanism is that causes this, but when a .NET app is targeting an earlier framework than was ever installed on the destination PC, problems like this can happen.