RE: Security configuration steps for multiple site hosting

From: Basil Cheng (kokc@online.microsoft.com)
Date: 07/11/02


From: kokc@online.microsoft.com (Basil Cheng (MS))
Date: Wed, 10 Jul 2002 22:13:46 GMT


Hi Brian

You wrote:

Hello,

I'm hosting multiple sites for several clients and they want to use ASP
on their site. I'm concerned about the security risks involved with
this, such as if they do something stupid in their code it will affect
the rest of the site, e.g.:

While not rs.EOF
   Response.Write rs("field1")
Wend

This will cause an infinite loop until the script times out. Or what if
they use the Scripting.FileSystem object? They can delete files, etc.
And if they have access to a shared SQL Server implementation, could
they use a SQL call to execute arbitrary code?

How can I make this safe so that each site is completely isolated and
eliminate (ok, reduce) any chances of security breaches or performance
drags? Is there an "IIS Security for Dummies" book available? Most of
what I've seen describes how to set things up assuming there's only ONE
site on the server, or that all sites are controlled by the same person.

Thanks!

REPLY:

In order to isolate web applications (in your case in different sites), you
may want to run the web application under high isolation (this is a feature
in Windows 2000, IIS 5).

Documentation on this can be found in the iishelp pages within IIS, i.e.
http://localhost/iishelp

In addition, here is a link on how to secure IIS:
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp

Thanks

Basil

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
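
The following is an added example, not part of the original posting or of Microsoft's documentation: a VBScript audit that walks every web site on an IIS 5 server through the ADSI IIS provider and reports whether its root application runs under high isolation, along with the ASP script timeout and anonymous account. The 90-second limit and the script file name are assumptions chosen for illustration.

```vbscript
' Added example: audit per-site isolation on an IIS 5 server (ADSI IIS provider).
' Run locally as an administrator: cscript //nologo audit-isolation.vbs
Option Explicit

Const MAX_SCRIPT_TIMEOUT = 90   ' seconds; assumed policy limit for this example

Dim w3svc, site, root, findings
findings = 0
Set w3svc = GetObject("IIS://localhost/W3SVC")

For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Set root = Nothing
        On Error Resume Next            ' a site without a ROOT vdir raises an error
        Set root = GetObject(site.ADsPath & "/ROOT")
        On Error GoTo 0

        If root Is Nothing Then
            WScript.Echo "Site " & site.Name & ": no ROOT virtual directory, skipped"
        Else
            WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
            WScript.Echo "  isolation     : " & IsolationName(root.AppIsolated)
            WScript.Echo "  script timeout: " & root.AspScriptTimeout & " s"
            WScript.Echo "  anonymous user: " & root.AnonymousUserName

            If root.AppIsolated <> 1 Then
                findings = findings + 1
                WScript.Echo "  FINDING: shares a process with other applications"
            End If
            If root.AspScriptTimeout > MAX_SCRIPT_TIMEOUT Then
                findings = findings + 1
                WScript.Echo "  FINDING: script timeout above " & MAX_SCRIPT_TIMEOUT & " s"
            End If
        End If
    End If
Next

WScript.Echo findings & " finding(s)"
WScript.Quit findings   ' non-zero exit code when anything needs attention

' Maps the AppIsolated metabase value to the IIS 5 "Application Protection" setting.
Function IsolationName(value)
    Select Case value
        Case 0: IsolationName = "Low (in-process, inetinfo.exe)"
        Case 1: IsolationName = "High (isolated, own dllhost.exe)"
        Case 2: IsolationName = "Medium (pooled dllhost.exe)"
        Case Else: IsolationName = "Unknown (" & value & ")"
    End Select
End Function
```

Only each site's root application is inspected; applications defined on subdirectories carry their own settings and would need the same check.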


