I am trying to connect a CGI process to my Windows service with a named pipe. My code runs fine using another server on my development machine, but on IIS there are security issues when I call CreateFile() in the CGI process.

The Windows service is the Named Pipe Server and so the CGI process is trying to connect to that named pipe as a client.

I have dug up some code that creates a Global security descriptor with the flag SECURITY_WORLD_SID_AUTHORITY by calling:

  InitializeAcl()
  AddAccessAllowedAce()
  SetSecurityDescriptorDacl()

But I don't really understand the concept. I am assuming that the Pipe Server CreateNamedPipe() must be called with this ACL in the SECURITY_ATTRIBUTES structure, but what about the Named Pipe client?

Do I create another Global security descriptor and call CreateFile() with that?

Do I inherit it with

 SecurityAttributes.bInheritHandle   = TRUE;

Do I just pass Null in the CreateFile() call?

+1  A: 

Since the pipe is created by the server, only the server needs to specify the ACL; the client uses NULL for the ACL.

Inheritance only applies if the named pipe is created in one process and that process creates a new process in which you want that spawned process to have direct access to the handle (it doesn't reopen the handle, rather it gets the value some other way, like a command line).

You can use Process Explorer from Sysinternals to view named pipes open in a process and then look at the ACL.

Murray
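
The split described in the answer, as an added example that is not code from the original post: the service builds the DACL with the calls named in the question and passes it to CreateNamedPipe(), while the CGI client passes NULL to CreateFile(). The pipe name, buffer sizes, single instance and read/write access mask are assumptions, and `pipe_path`, `create_server_pipe` and `open_client_pipe` are hypothetical helper names.

```c
/* Added example. Pipe name, sizes and access mask are assumptions. */
#include <stdio.h>
#include <string.h>

/* Build \\.\pipe\<name>. A pipe name may not contain '\' and the whole
   path is limited to 256 characters. Returns 0 on success, -1 otherwise. */
int pipe_path(char *out, size_t cap, const char *name)
{
    int n;
    if (!*name || strchr(name, '\\') || strlen(name) + 9 > 256) return -1;
    n = snprintf(out, cap, "\\\\.\\pipe\\%s", name);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

#ifdef _WIN32   /* Win32-only part; link with advapi32 */
#include <windows.h>

/* Server (the service): the only side that supplies a security descriptor. */
HANDLE create_server_pipe(const char *path)
{
    SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;
    PSID everyone = NULL;
    DWORD acl_buf[64];                 /* DWORD-aligned storage for the ACL */
    PACL acl = (PACL)acl_buf;
    SECURITY_DESCRIPTOR sd;
    SECURITY_ATTRIBUTES sa;
    HANDLE pipe = INVALID_HANDLE_VALUE;

    if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &everyone))
        return INVALID_HANDLE_VALUE;
    sa.nLength = sizeof sa; sa.lpSecurityDescriptor = &sd; sa.bInheritHandle = FALSE;
    /* One ACE: Everyone gets read and write access only, not full control. */
    if (InitializeAcl(acl, sizeof acl_buf, ACL_REVISION) &&
        AddAccessAllowedAce(acl, ACL_REVISION,
                            GENERIC_READ | GENERIC_WRITE, everyone) &&
        InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) &&
        SetSecurityDescriptorDacl(&sd, TRUE, acl, FALSE))
        pipe = CreateNamedPipeA(path, PIPE_ACCESS_DUPLEX,
                                PIPE_TYPE_BYTE | PIPE_WAIT, 1, 4096, 4096, 0, &sa);
    FreeSid(everyone);   /* the pipe object keeps its own copy of the descriptor */
    return pipe;
}

/* Client (the CGI process): no security descriptor, just NULL. */
HANDLE open_client_pipe(const char *path)
{
    return CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0,
                       NULL, OPEN_EXISTING, 0, NULL);
}
#endif
```

The Everyone SID mirrors the SECURITY_WORLD_SID_AUTHORITY approach in the question; passing the SID of the account the CGI process runs under to AddAccessAllowedAce() instead narrows who can connect.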