For non-administrator users to use HTTP.SYS, they must be granted the right to do so. The rights are granted with the httpcfg tool (Support Tools for XP/2003). The tool takes two parameters for adding a urlacl:
The parameter -u specifies the listen URI. It can use the http or https scheme; "+" as the hostname means all IP addresses.
The parameter -a specifies, as a DACL (part of SDDL), the rights for the specified URI.
DACL
The DACL starts with "D:", followed by one or more groups in parentheses. Each group holds 6 tokens and defines one ACL entry.
D:(t1;t2;t3;t4;t5;t6)(t1;t2;t3;t4;t5;t6)(t1;t2;t3;t4;t5;t6)...
t1: ACE Type (A=Allowed/D=Denied)
t2: ACE Flags (can be empty)
t3: Permissions (GA=All; GW=Write; GX=Execute, which is necessary to start a listener)
t4: Object Type (can be empty)
t5: Inherited Object Type (can be empty)
t6: Trustee (contains the SID of a user or group, or a well-known SID, e.g. WD=Everyone)
Syntax SDDL
Examples:
Create the right to open a listener for Everyone:
httpcfg set urlacl -u http://+:7777/ -a "D:(A;;GX;;;WD)"
Create the right to open a listener for a specified user:
httpcfg set urlacl -u http://+:7777/ -a "D:(A;;GX;;;S-1-5-21-1654004503-842923446-725354543-102)"
Show all urlacls on a system:
httpcfg query urlacl
Delete a urlacl on a system:
httpcfg delete urlacl -u http://+:7777/
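The following is an added example, not part of the original post: a small Python checker that parses a DACL string in the D:(t1;...;t6) form described above and reports allow entries that grant the listen right to a broad well-known trustee such as WD. The function names, the choice of which trustee aliases count as broad, and the sample SID are assumptions made for illustration; only the plain "D:" form shown on this page is handled.

```python
import re

# Token names follow the t1..t6 list above.
FIELDS = ("ace_type", "flags", "rights", "object_type",
          "inherited_object_type", "trustee")
# Well-known SDDL trustee aliases that cover many accounts (assumed policy).
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "BU": "Built-in Users", "AN": "Anonymous"}
# GX is what a listener needs; GA (All) includes it.
LISTEN_RIGHTS = {"GX", "GA"}
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Split 'D:(...)(...)' into a list of dicts, one per entry."""
    if not sddl.startswith("D:"):
        raise ValueError("DACL must start with 'D:'")
    body = sddl[2:]
    aces = ACE_RE.findall(body)
    # Reject an empty DACL or text outside the parenthesised groups.
    if not aces or ACE_RE.sub("", body) != "":
        raise ValueError("malformed DACL: %r" % sddl)
    parsed = []
    for ace in aces:
        tokens = ace.split(";")
        if len(tokens) != 6:
            raise ValueError("entry needs 6 tokens: %r" % ace)
        parsed.append(dict(zip(FIELDS, tokens)))
    return parsed


def review_urlacl(sddl):
    """Return findings for allow entries granting listen rights broadly."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["ace_type"] != "A":
            continue  # deny entries do not widen access
        r = ace["rights"]
        granted = {r[i:i + 2] for i in range(0, len(r), 2)}
        hits = sorted(granted & LISTEN_RIGHTS)
        who = BROAD_TRUSTEES.get(ace["trustee"])
        if who and hits:
            findings.append("%s granted to %s" % ("+".join(hits), who))
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the commands above.
    for s in ("D:(A;;GX;;;WD)", "D:(A;;GX;;;S-1-5-21-1111-2222-3333-1001)"):
        print(s, "->", review_urlacl(s) or "no broad grant")
```

The strings to check can be copied from the output of httpcfg query urlacl.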
There is also a GUI tool that can be used to create urlacl and SSL rules for HTTP.SYS.
Posted Aug 02 2006, 09:36 AM by Rolf Nebhuth