RE: FTP to IIS Web directory security problem

From: David Dietz [MS] (daviddietz@microsoft.com)
Date: 05/30/02


From: daviddietz@microsoft.com (David Dietz [MS])
Date: Thu, 30 May 2002 17:52:38 GMT


Eric,

First of all, it is not recommended to point an FTP virtual directory to
the root of your web site for security reasons. If someone can upload an
executable (like cmd.exe) to a directory with execute permissions set under
IIS they can run that executable through a browser and compromise the
server. A more acceptable solution is to use WebDAV to let people upload
and download files through HTTP.

To answer your question though, the FrontPage Extensions do their own
permissions management and will alter NTFS permissions on files as needed.
The INTERACTIVE, SYSTEM and NETWORK accounts are special groups and should
be left the way they are. The IIS groups are where the issue comes up.
FPSE uses those groups and changes NTFS permission on them to let people
Administer, Author or Browse pages according to the FPSE security
configuration.

In short, there is no easy way to manually manage permissions for your web
content if you are running FrontPage Server Extensions.

For further assistance please post your question in the frontpage.extensions
group.

Thank you.

David Dietz -- IIS Technical Lead
Search our online Knowledge Base
http://support.microsoft.com/support/

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved

--------------------
|>Subject: FTP to IIS Web directory security problem
|>From: Eric Au <cfau@mindspring.com>
|>Organization: Ahhhh.....
|>Message-ID: <Xns921E5A6BD1D9Cnospamcfaumindspring@207.46.230.185>
|>User-Agent: Xnews/L5
|>Newsgroups: microsoft.public.inetserver.iis.security
|>Date: Thu, 30 May 2002 06:52:36 -0700
|>NNTP-Posting-Host: auching.duc.auburn.edu 131.204.85.143
|>Lines: 1
|>Path: cpmsftngxa07!tkmsftngxs02!tkmsftngp01!tkmsftngp05
|>Xref: cpmsftngxa07 microsoft.public.inetserver.iis.security:7217
|>X-Tomcat-NG: microsoft.public.inetserver.iis.security
|>
|>We're running IIS 5.0 with FrontPage Server Extensions 2002 and .NET
|>framework 1.0.
|>
|>A virtual directory in the IIS ftp server is set to the root of the default
|>web site, there are lots of sub-webs, assigned to different groups of
|>people.
|>
|>Before we install FPSE 2002 and .NET, the user can ftp, and can only read
|>the files they have permission (under web). But now they can access all
|>files within that virtual directory. The most terrible thing is that they
|>can access global.asa, global.asax and all ASP/ASP.NET source code that
|>contains database passwords.
|>
|>We checked the folder permission but only see some strange group like
|>INTERACTIVE, NETWORK, and SYSTEM. Except them there're only IIS groups. Can
|>someone tell us how to solve the ftp security problem?
|>
|>Sincerely yours,
|>Eric
|>
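An added example, not part of either post: a small audit for the overlap described in this thread, where an FTP virtual directory maps onto a web directory that IIS will run content from. It extends the executable case in the reply to script-enabled directories as well; the inventory, the field names (`write`, `script`, `execute`) and all paths are constructed assumptions standing in for an export of the server's virtual directory settings.

```python
import ntpath

# Constructed inventory (hypothetical names and paths): one dict per virtual
# directory, as an administrator might export from the IIS configuration.
FTP_VDIRS = [
    {"name": "/webroot", "path": r"C:\Inetpub\wwwroot", "write": True},
    {"name": "/drop", "path": r"D:\ftpdrop", "write": True},
    {"name": "/docs", "path": r"C:\Inetpub\wwwroot\docs", "write": False},
    {"name": "/src", "path": r"C:\Inetpub\wwwroot\app\src", "write": False},
]
WEB_VDIRS = [
    {"name": "/", "path": r"c:\inetpub\wwwroot", "script": True, "execute": False},
    {"name": "/cgi-bin", "path": r"C:\Inetpub\wwwroot\cgi-bin", "script": True, "execute": True},
    {"name": "/docs", "path": r"C:\Inetpub\wwwroot\docs\\", "script": False, "execute": False},
    {"name": "/files", "path": r"D:\ftpdrop2", "script": False, "execute": True},
]


def _norm(path):
    # Windows paths are case-insensitive and may carry trailing separators.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def _contains(parent, child):
    # Compare whole components so D:\ftpdrop does not match D:\ftpdrop2.
    p, c = _norm(parent), _norm(child)
    return c == p or c.startswith(p + "\\")


def audit(ftp_vdirs, web_vdirs):
    """Return (ftp_name, web_name, risk) for FTP trees the web server can run."""
    findings = []
    for f in ftp_vdirs:
        # Web directories at or below the FTP root are reachable over FTP.
        hits = [w for w in web_vdirs if _contains(f["path"], w["path"])]
        if not any(_norm(w["path"]) == _norm(f["path"]) for w in hits):
            # Otherwise the deepest enclosing web directory governs the FTP root.
            above = [w for w in web_vdirs if _contains(w["path"], f["path"])]
            if above:
                hits.append(max(above, key=lambda w: len(_norm(w["path"]))))
        for w in hits:
            if w["script"] or w["execute"]:
                risk = "upload-and-run" if f["write"] else "source-readable"
                findings.append((f["name"], w["name"], risk))
    return findings


if __name__ == "__main__":
    for finding in audit(FTP_VDIRS, WEB_VDIRS):
        print(finding)
```

A finding here only says the two services share a tree; what an FTP user can actually read or write there still depends on the NTFS permissions, which FPSE manages as described in the reply.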


