Re: IIS 6 / FrontPage Group Isolation
From: Scott Muc (smuc_at_paconline.net)
Date: 07/17/03
Date: Thu, 17 Jul 2003 10:26:29 -0700
UGH! I give up! I can't fight this any longer.
I tried creating a website using iisweb.vbs, and it
complained about the UNC path. I hacked the code removing
the UNC checking. I also made it add the IUSR that I
wanted and a couple other things to the website. Guess
what? I was able to install FP on the site without adding
the NETWORK/INTERACTIVE user! WTF? That script is where I
grabbed most of my CreateSite code! The only difference is
how the iisweb.vbs script connects using WMI. iisweb.vbs
uses something called Microsoft.IIsScriptHelper which has
zero documentation (at least from Google's perspective).
That object doesn't work on IIS5, so I tried it on the
W2K3 machine... looks like it doesn't translate to ASP
very well because I kept on getting WScript errors.
I think I am going to resort to writing a script that will
remove INTERACTIVE/NETWORK on a nightly basis. Doesn't
look like fun since neither cacls nor xcacls has any flags to
remove ACEs.
Remind me to make sure my next job is with Unix-based
servers. Scripting doesn't seem to be such a chore on that
platform.
If I sound grumpy/jaded/pissed it's because I am :-)
Scott Muc
>-----Original Message-----
>>> Just found out something else. Extending FrontPage
>>> extensions puts NETWORK/INTERACTIVE and the custom FPSE
>>> group in the ACL only when the site was created using my
>>> ASP createsite script.
>>>
>>> If I create the site manually it works fine. Not sure if
>>> it will help but I'm attaching the code that creates a
>>> website : http://muc-central.com/createsite.txt
>>
>>Hmmm. I do not really understand this behavior.
>>
>
>What's worse is that if I change one line of my script,
>and set the home directory to a local folder, it works
>fine.
>
>>Your script, which by the way is quite similar to settings
>>that I use, does not do the FP extending (which of course
>>cannot be scripted - only shelled out to owsadm, repetitively)
>>
>
>I have an ASP script that installs FP using WScript.Shell,
>and owsradm.exe. I can post it on-line if you want to
>check it out.
>
>><PS> From the script I see you likely are already using
>>separate iusr accounts (i.e. your iusername). However,
>>as I understand it, to effect similar for the IWAM with
>>IIS 6 you need to have an app pool per distinct authoring
>>ownership (sounds like a performance killer doesn't it ?)
>>Notice how that clarifies earlier response in other post
>>where I was thinking IIS5.
>></PS>
>
>Yes, we are creating separate IUSRs for every website, and
>creating a separate application pool for every website. I
>prefer security/stability over performance enhanced
>settings.
>
>
>>> I guess I could create a site with my script, and
>>> another manually and do a diff on the metabase
>>>properties.
>
>>We think alike, after reading this last I just cut out
>>from further up where is now <PS>
>
>Tried this, and the metabase settings were the same.
>
><-- snip -->
>
>.
>
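
The nightly cleanup mentioned in the message above (removing INTERACTIVE/NETWORK entries from site directory ACLs) could look like the following. This is an added example written in PowerShell, not code from the thread or from the poster's scripts; the root path `D:\WebSites` is a placeholder assumption.

```powershell
# Added example: report and remove explicit INTERACTIVE / NETWORK ACEs
# from every directory under a web content root.
# Run elevated. Use -WhatIf to report only, without changing any ACL.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'D:\WebSites'   # placeholder path, not from the thread
)

# Well-known SIDs, so matching does not depend on localized account names.
$targetSids = @(
    'S-1-5-4',   # NT AUTHORITY\INTERACTIVE
    'S-1-5-2'    # NT AUTHORITY\NETWORK
)
$sidType = [System.Security.Principal.SecurityIdentifier]

$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Explicit rules only ($true, $false): inherited ACEs have to be fixed
    # on the parent that defines them, not on the child.
    $hits = @($acl.GetAccessRules($true, $false, $sidType) |
              Where-Object { $targetSids -contains $_.IdentityReference.Value })
    if ($hits.Count -eq 0) { continue }

    # Log what was found so repeated re-appearance can be traced to its cause.
    foreach ($rule in $hits) {
        Write-Output ('{0}: {1} {2} {3}' -f $dir.FullName,
            $rule.IdentityReference.Value, $rule.AccessControlType,
            $rule.FileSystemRights)
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, 'Remove INTERACTIVE/NETWORK ACEs')) {
        foreach ($sid in $targetSids) {
            # PurgeAccessRules drops every explicit allow and deny ACE for the SID.
            $acl.PurgeAccessRules((New-Object $sidType.FullName $sid))
        }
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

Keeping the report output from each run shows which sites get the entries re-added between runs, which helps narrow down the step that introduces them.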