Re: General Security Question
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 15 Oct 2003 06:07:25 -0700
There are a number of articles out there on NTFS permissions to change
to improve security on IIS, and you can also find and edit the various
Group Policy template files within windowsroot\security\templates and
available for download from www.microsoft.com/download such as
hisecweb. These files can be edited either using Notepad or MMC.EXE /
Add/Remove Security Templates Snap-In. You can choose to apply just
the NTFS portions or the whole thing. Some people do encounter
problems when they apply the entire hisecweb template without knowing
what it does or how to undo it, so be careful.
The following sites also have hardening checklists and/or information
on NTFS permissions that you might change:
Regarding your specific question about how to change permissions for
these users, it might be better to create a group containing these
users, and Deny permissions to the entire hard drive partition for
this group, then remove the deny permission for the web folders. If
you did this, you would need to be careful that you never put the
server administrators or system into this folder, or else you will be
denied access and have big problems. Deny permission overrides any
other permission granted elsewhere, even for administrators. Note
that AFAIK, simply putting users into the Guests group really does
nothing much to change those users' permissions.
If you run into any problems, see the articles from Microsoft and
www.iisfaq.com on minimum default NTFS permissions needed for IIS to
run, and/or use Windows auditing on file access failures to see who
was denied permission to what. Note that there are folders within the
windowsroot folder and program files folder that these users might
need access to.
"Steven Frank" <email@example.com> wrote in message news:<O$ze$YmkDHA.firstname.lastname@example.org>...
> My question/concern is this; as I have to create an OS user account for each
> web site user, this would seem to give them at least some access to the box
> in general due to the fact that "Everyone" has certain rights to some
> resources of the box. These "users" do not need any access to the box, nor
> do I want them to have any. I suppose I could comb the directory structure
> and remove/restrict the "Everyone" access, but that seems like a very
> onerous task to say the least. Are there any other options or am I
> misunderstanding the situation at all?
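The group-plus-Deny approach Karl describes above (group the web-only accounts, Deny them the whole partition, lift the Deny on the web folders, and turn on failure auditing to see what they still need), written out as an added PowerShell example. This is not code from either poster; it assumes a data partition D:\ that does not hold the OS, a web root of D:\inetpub\wwwroot, a group name WebOnlyUsers and placeholder account names, all of which are made up here. It refuses to apply the Deny if an administrator or SYSTEM is in the group, because, as the reply notes, Deny wins over every Allow.

```powershell
# Added example, not from the original thread. Assumed names (placeholders):
#   group 'WebOnlyUsers', data partition 'D:\', web root 'D:\inetpub\wwwroot',
#   local accounts 'web_user1' and 'web_user2'. Run elevated.
$GroupName = 'WebOnlyUsers'
$Partition = 'D:\'                 # a data partition, NOT the system drive
$WebRoot   = 'D:\inetpub\wwwroot'
$Members   = @('web_user1', 'web_user2')

# 1. Create the local group holding the web-site accounts and add them to it.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Web-site accounts with no general box access' | Out-Null
}
foreach ($m in $Members) {
    Add-LocalGroupMember -Group $GroupName -Member $m -ErrorAction SilentlyContinue
}

# 2. Safety check: a Deny ACE overrides every Allow, so stop if an administrator
#    or SYSTEM has ended up in the group (the failure mode the reply warns about).
$adminNames = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
foreach ($gm in Get-LocalGroupMember -Group $GroupName) {
    if ($adminNames -contains $gm.Name -or $gm.Name -like '*\SYSTEM') {
        throw "Refusing to apply Deny: $($gm.Name) is an administrator or SYSTEM"
    }
}

# 3. Deny the group Full Control on the partition root, inheriting to everything below.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$rootAcl = Get-Acl -Path $Partition
$rootAcl.AddAccessRule($denyRule)
Set-Acl -Path $Partition -AclObject $rootAcl

# 4. On the web root, stop inheriting from the parent (keeping copies of the
#    inherited rules as explicit ones), then strip the copied Deny so the web
#    accounts can reach their site content. The rest of D:\ stays denied.
$webAcl = Get-Acl -Path $WebRoot
$webAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $WebRoot -AclObject $webAcl
$webAcl = Get-Acl -Path $WebRoot          # re-read so the copied rules are explicit
$webAcl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" -and
                   $_.AccessControlType -eq 'Deny' } |
    ForEach-Object { [void]$webAcl.RemoveAccessRule($_) }
Set-Acl -Path $WebRoot -AclObject $webAcl

# 5. Audit access failures for the group on the partition, so anything the web
#    accounts still need (the reply mentions folders under the Windows and
#    Program Files trees) shows up in the Security log instead of by guesswork.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$rootAcl = Get-Acl -Path $Partition -Audit
$rootAcl.AddAuditRule($auditRule)
Set-Acl -Path $Partition -AclObject $rootAcl

# Show the resulting explicit rules on the web root for review.
(Get-Acl -Path $WebRoot).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Because the Deny is placed on the partition root and only lifted on the web root, any other folder on that drive stays off limits to the group, which is the point of the approach; if the web sites were on the system drive instead, the same Deny would also hit the temp and system folders IIS itself needs, which is why the example assumes a separate data partition and turns on failure auditing before anyone relies on it.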