Anonymous Authentic...
 
Notifications
Clear all

Anonymous Authentication to Application Pool Identity for CVE-2018-8202 problems

3 Posts
3 Users
0 Reactions
1,641 Views
Posts: 10
Topic starter
(@polderdijk)
Active Member
Joined: 8 years ago

Hi,
Microsoft has released CVE-2018-8202 (KB4338417, KB4340558 and KB4340559) for a vulnerablility in .Net.
The down effect is I got many "ActiveX component can't create object" errors. See https://stackoverflow.com/questions/51289285/how-do-i-properly-instantiate-32-bit-com-objects-in-classic-asp-after-installing for more people having this problem and some solutions.
The only fix for our users is to go to IIS > Website > Authentication > Anonymous Authentication > Set to 'Application Pool Identity'.
Is there any reasens why SolidCP force IIS to use specific authentication insteed of AppPool?
And can i configure SolidCP so all (new) sites are created with AppPool Identity?
Thanks!

2 Replies
Posts: 1995
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

Hello,
The reason is that SolidCP allows to use shared application pools, but to keep some form of segregation use the website auth instead (convenient for hosting providers just providing perl / php / etc).
There's currently no option to set it to app pool identity, such setting will have to be designed from scratch.
Though such function i think should only be allowed if you use dedicated application pools, else the server is 1 big security hazard.
Regards,
Marco

Reply
Posts: 2
(@first0ne)
New Member
Joined: 6 years ago

Is anything changed for a past few years? Or its still impossible to use Application Pool Identity by default for newly created sites?

Reply
Share: