Microsoft Security Advisory: Elevation of privilege using Windows service isolation bypass

The Windows Service Isolation feature that is described in this advisory does not correct a security vulnerability. Instead, it is a defense-in-depth feature that may be useful for some customers. For example, service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.



To manually configure the Worker Process Identity (WPI) for application pools in IIS, follow these steps.

For IIS 6.0

1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then select Properties.
2. Click the Identity tab, and then click Configurable. In the User name and Password text boxes, type the user name and password of the account under which you want the worker process to operate.
3. Add the selected user account to the IIS_WPG group.

For IIS 7.0 and later versions

1. At an elevated command prompt, open the following folder:
   
   
   %systemroot%\system32\inetsrv
   
   For more information about how to run a command with elevated privileges, visit the following Microsoft Web page:
   
   
   http://windows.microsoft.com/en-US/windows7/Command-Prompt-frequently-asked-questions
2. 
   
   Type the APPCMD.exe commands, and press ENTER after each command:
   
   
   
   appcmd set config /section:applicationPools /
   [name='string'].processModel.identityType:SpecificUser /
   [name='string'].processModel.userName:string /
   [name='string'].processModel.password:string
   
   Note You must adjust the syntax in the commands, depending on the following:
   
   
   
   • string is the name of the application pool
   • userName is the user name of the account that is assigned to the application pool
   • password is the password for the account