Vista is coming soon, and one of its new security features bears special mention due to its effect on the execution of HTTP-based services. User Account Control is a new feature that will have many former administrators running as a “standard user” by default. Running as a non-admin, developers can hit a permissions issue when opening a standalone HTTP service:
AddressAccessDeniedException: HTTP could not register URL http://+:80/myService/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).
That is because http.sys restricts the root namespace (i.e. “/”) to administrators only. By using the http.sys namespace security mechanism, you can delegate portions of the global namespace to be accessible by different groups (e.g. all local Users, Power Users, or a single user such as REDMOND\kennyw). Traditionally this security integration would be done by your setup program at install time.
In addition, on Vista, administrators have access to a brand new netsh extension. This extension is very useful for both diagnostics and configuration issues such as namespace delegation. It also takes care of simple SDDL conversion, so you can now have commands such as:
netsh http add urlacl url=http://+:80/myService user=DOMAIN\user
Rather than having to use oh so readable SDDL strings like
Note that the code that runs either the netsh extension or the configuration APIs needs to be running under an administrator account in order to set up this reservation. Once the reservation (ACL delegation) has been made, future registrations (usages) of your URI can occur while running under any account that was authorized by the reservation.
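
An added example, not from the original post: a small Python audit that reads output laid out like `netsh http show urlacl`, decodes the SDDL stored for each reservation, and flags reservations delegated to broad groups. The sample output, its account names and SID are constructed, and the GX/GW/GA meanings come from the http.sys URL ACL documentation rather than from this post.

```python
import re

# http.sys reads the generic rights in a reservation ACE as follows.
RIGHTS = {"GX": {"listen"}, "GW": {"delegate"}, "GA": {"listen", "delegate"}}
# SDDL aliases for broad groups worth a second look.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}
# Allow ACE: (A;flags;rights;object;inherit_object;trustee)
ACE_RE = re.compile(r"\(A;[^;]*;([A-Z]+);[^;]*;[^;]*;([^)]+)\)")

# Constructed sample, laid out like `netsh http show urlacl` output.
SAMPLE = r"""
URL Reservations:
-----------------

    Reserved URL            : http://+:80/myService/
        User: DOMAIN\user
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)

    Reserved URL            : http://+:8080/
        User: \Everyone
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;WD)
"""

def decode_mask(mask):
    """Turn a rights field such as 'GX' or 'GXGW' into a set of rights."""
    pairs = (mask[i:i + 2] for i in range(0, len(mask), 2))
    return set().union(*(RIGHTS.get(p, set()) for p in pairs))

def parse_reservations(text):
    """Return [(url, [(trustee, rights), ...]), ...] from netsh output."""
    out, url = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Reserved URL"):
            url = line.split(":", 1)[1].strip()
        elif line.startswith("SDDL:") and url:
            out.append((url, [(t, decode_mask(m)) for m, t in ACE_RE.findall(line)]))
            url = None
    return out

def broad_grants(reservations):
    """List (url, group, rights) where a broad group may listen or delegate."""
    return [(url, BROAD[t], sorted(r)) for url, aces in reservations
            for t, r in aces if t in BROAD and r]

if __name__ == "__main__":
    for url, who, rights in broad_grants(parse_reservations(SAMPLE)):
        print(f"{url}: {who} may {', '.join(rights)}")
```

A reservation for a single service account on a narrow prefix, as in the first sample entry, passes the check; the second entry is reported because Everyone may both listen on and delegate the whole port 8080 namespace.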