{"id":145,"date":"2006-10-06T14:50:11","date_gmt":"2006-10-06T21:50:11","guid":{"rendered":"http:\/\/kennyw.com\/indigo\/145"},"modified":"2006-10-06T14:50:11","modified_gmt":"2006-10-06T21:50:11","slug":"vista-and-http-services","status":"publish","type":"post","link":"https:\/\/kennyw.com\/?p=145","title":{"rendered":"Vista and Http services"},"content":{"rendered":"<p><a href=\"http:\/\/www.microsoft.com\/windowsvista\/\">Vista<\/a> is coming soon, and one of its <a href=\"http:\/\/www.microsoft.com\/windowsvista\/features\/foreveryone\/security.mspx#more\">new security features<\/a> bears special mention due to its effect on the execution of Http-based services.  <a href=\"http:\/\/www.microsoft.com\/technet\/windowsvista\/security\/uac.mspx\">User Account Control<\/a> is a new feature that will have many former administrators running as a &#8220;standard user&#8221; by default. Running as a non-admin, developers can hit a permissions issue when opening an Http standalone service:<\/p>\n<blockquote><p><code>AddressAccessDeniedException: HTTP could not register URL http:\/\/+:80\/myService\/.  Your process does not have access rights to this namespace (see http:\/\/go.microsoft.com\/fwlink\/?LinkId=70353 for details).<\/code><\/p><\/blockquote>\n<p>That is because <a href=\"http:\/\/msdn.microsoft.com\/library\/default.asp?url=\/library\/en-us\/http\/http\/http_api_start_page.asp\">http.sys<\/a> restricts the root namespace (i.e. &#8220;\/&#8221;) to administrators only.  By using the http.sys <a href=\"http:\/\/msdn.microsoft.com\/library\/default.asp?url=\/library\/en-us\/http\/http\/namespace_reservations_registrations_and_routing.asp\">namespace security mechanism<\/a>, you can delegate portions of the global namespace to be accessible by different groups (e.g. all local Users, Power Users, a single user such as REDMOND\\kennyw, etc).  
Traditionally this security integration would be done by your setup program at install time.<\/p>\n<p>System.Net does not currently expose any managed APIs to manipulate http.sys security reservations, but <a href=\"http:\/\/pluralsight.com\/blogs\/keith\/\">Keith<\/a> has posted some <a href=\"http:\/\/pluralsight.com\/blogs\/keith\/archive\/2005\/10\/17\/15632.aspx\">sample code<\/a> on using these APIs from managed code.<\/p>\n<p>In addition, on Vista administrators also have access to a brand new <a href=\"http:\/\/technet2.microsoft.com\/WindowsServer\/en\/library\/fd1e2fbe-15a6-413b-b712-28afb312c92f1033.mspx?mfr=true\">netsh<\/a> extension.  This extension is <strong>very<\/strong> useful for both diagnostics and configuration issues such as namespace delegation. It also takes care of simple SDDL conversion, so you can now have commands such as:<\/p>\n<blockquote><p>netsh http add urlacl url=http:\/\/+:80\/myService user=DOMAIN\\user<\/p><\/blockquote>\n<p>Rather than having to use oh so readable SDDL strings like <code>D:(A;;GX;;;S-1-5-20)<\/code>.<\/p>\n<p>Note that your code which is running either the netsh extension or the configuration APIs needs to be running under an administrator account in order to set up this reservation. Once the <strong>reservation<\/strong> (ACL delegation) has been made, future <strong>registrations<\/strong> (usages) of your URI can occur while running under any account that was authorized by the reservation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vista is coming soon, and one of its new security features bears special mention due to its effect on the execution of Http-based services. User Account Control is a new feature that will have many former administrators running as a &#8220;standard user&#8221; by default. 
Running as a non-admin, developers can hit a permissions issue when [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-145","post","type-post","status-publish","format-standard","hentry","category-indigo"],"_links":{"self":[{"href":"https:\/\/kennyw.com\/index.php?rest_route=\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kennyw.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kennyw.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kennyw.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kennyw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=145"}],"version-history":[{"count":0,"href":"https:\/\/kennyw.com\/index.php?rest_route=\/wp\/v2\/posts\/145\/revisions"}],"wp:attachment":[{"href":"https:\/\/kennyw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kennyw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kennyw.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}