Re: Filesystemobject security IIS question...

From: Agustin (agustinchernitskyNOSPAM_at_hotmail.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 11:48:51 -0300

Hi David,

Thanks for the reply...

My second question is: IIS anonymous web sites run as the IUSR user. Is it best to
change that user to an already created system user? For example:

c:\webs\dir1 >> userA has permissions to RXW
c:\webs\dir2 >> userB has permissions to RXW

If I change in IIS the user in the web site for dir1 from IUSR to userA,
that will prevent userA from seeing dir2. Is this correct? Is this safe?

Thanks!!!

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OR#bcM1rDHA.2060@TK2MSFTNGP10.phx.gbl...
> Well, FileSystemObject is legacy code, so no development will happen on it.
>
> Directory Bind does not make sense because it is a Policy definition and not
> a Feature. Thus, it makes sense for a web-app or its administrator to
> define valid areas of access by Policy, and all code running within that
> area must obey policy. Sort of like the way FileAccess works in .Net.
>
> I do not fully understand your other question concerning anonymous
> accounts. If you give an anonymous user account for every user on your
> system, that certainly allows you to define which user can read/execute what
> by fine-grained ACL.
>
> As for "riskiness" -- If you are not running IIS6, you really have no choice
> on the process identity in the inproc case (any code that runs
> RevertToSelf() will become localsystem), so you need to control what code
> people can upload and run.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:bpfq8s$1o5bmc$1@ID-48235.news.uni-berlin.de...
> Hi David,
>
> The script I tested this with uses a full path (ie: c:\inetpub\dir1). So
> turning off parent paths won't work.
>
> If I Deny List Data / Read Data for IUSR in inetpub, would that work? To
> what other directories should I deny IUSR read? I was thinking of C:\
>
> There should be a directory bind for FSO (ie binding the FSO only to
> c:\inetpub\ and higher).
>
> Thanks a lot David!
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OcEQXbprDHA.2304@tk2msftngp13.phx.gbl...
> > Make sure the identity that the script runs as does not have Read
> > permissions where it shouldn't.
> >
> > Why do you have Everyone:F on inetpub -- remove it. You can set IUSR:Deny
> > on inetpub if you then reset the include directory to allow IUSR:R . In
> > particular, turn off ASPParentPaths if you don't want ASP pages being able
> > to read any file it can access on the hard drive.
> >
> > --
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> > news:bpe1hu$1lh816$1@ID-48235.news.uni-berlin.de...
> > Hi Guys,
> >
> > I have the following problem. My IIS dir structure is as follows:
> >
> > c:\inetpub\site1
> > c:\inetpub\site2
> > c:\inetpub\siten
> >
> > The inetpub folder has these permissions:
> > EVERYONE: Full - this folder, sub folders and files
> > INTERACTIVE: RX - this folder, sub folders
> > NETWORK: RX - this folder, sub folders
> > SYSTEM: RX - this folder, sub folders
> >
> > And for some sites (in general):
> > IUSR: RX - this folder, sub folders
> > IUSR: R - Files only
> > System: F
> > Administrators: F
> > User: RXW - this folder, sub folders
> > User: RW - Files
> >
> > I uploaded a directory browsing script and found out that I could browse my
> > entire hard disk.
> >
> > Can someone point out to me what NTFS permissions I have to place, and where,
> > to stop this script from browsing out of its boundaries or listing the root
> > dir (ie inetpub and below)?
> >
> > I placed IUSR deny List Data / Read Data in c:\inetpub, but this gave me
> > problems with include files....
> >
> > Any ideas??
> >
> > Thanks!
> >
> > Agustin
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>



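As an added example (not code from the thread or from Microsoft), the script below lays out the per-site anonymous account arrangement Agustin asks about in the top post, combined with David's advice to drop Everyone:F from inetpub and turn off parent paths, then audits which directories still carry an ACE for the site account or for Everyone. It assumes a hypothetical local account `iusr_site1` already exists, that `C:\inetpub\site1` is site 1's root, that site 1 is metabase instance `W3SVC/1`, and PowerShell 3 or later. The metabase property names `AnonymousUserName`, `AnonymousUserPass` and `AspEnableParentPaths` (the property David calls "ASPParentPaths") are the real IIS 6 names; the account name, paths and password placeholder are constructed.

```powershell
# Added example, not from the thread. Hypothetical names: iusr_site1, C:\inetpub\site1, W3SVC/1.
$ErrorActionPreference = 'Stop'
$inetpub  = 'C:\inetpub'
$siteRoot = Join-Path $inetpub 'site1'
$siteUser = "$env:COMPUTERNAME\iusr_site1"   # dedicated anonymous account for this site only

# Builds one ACE; by default it applies to this folder, subfolders and files.
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [switch]$ThisFolderOnly
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', $Type)
}

# 1. inetpub: remove every explicit Everyone ACE (the Everyone:F from the original
#    post) and keep only Administrators and SYSTEM with full control.
$acl = Get-Acl -Path $inetpub
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount('Everyone')))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
Set-Acl -Path $inetpub -AclObject $acl

# 2. site1 root: the site's own anonymous account gets RXW here and nowhere else.
#    A directory-listing script running as iusr_site1 is then refused on site2 and
#    on C:\ as long as no broad group (Everyone, Users) grants read there; the
#    audit in step 3 is what confirms that assumption.
$acl = Get-Acl -Path $siteRoot
$acl.AddAccessRule((New-Ace $siteUser 'ReadAndExecute, Write' 'Allow'))
Set-Acl -Path $siteRoot -AclObject $acl

# 3. Audit: report every directory under $Root whose DACL contains an Allow ACE
#    for one of the given identities, including inherited ones.
function Find-BroadAce {
    param([string]$Root, [string[]]$Identities)
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            (Get-Acl -Path $dir).Access |
                Where-Object {
                    $Identities -contains $_.IdentityReference.Value -and
                    $_.AccessControlType -eq 'Allow'
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path      = $dir
                        Identity  = $_.IdentityReference.Value
                        Rights    = $_.FileSystemRights
                        Inherited = $_.IsInherited
                    }
                }
        }
}

# Expect only C:\inetpub\site1 and its children to show up for the site account;
# any hit for Everyone outside the site root is a path the script could still read.
Find-BroadAce -Root $inetpub -Identities @('Everyone', $siteUser) | Format-Table -AutoSize

# 4. IIS 6 metabase: bind site 1's anonymous identity to the dedicated account and
#    turn off parent paths. adsutil.vbs ships in C:\Inetpub\AdminScripts.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
& cscript //nologo $adsutil set W3SVC/1/Root/AnonymousUserName $siteUser
& cscript //nologo $adsutil set W3SVC/1/Root/AnonymousUserPass 'REPLACE-WITH-ACCOUNT-PASSWORD'
& cscript //nologo $adsutil set W3SVC/1/Root/AspEnableParentPaths false
```

The ordering matters: Windows evaluates explicit ACEs before inherited ones, which is why David's "deny on inetpub, then re-allow on the include directory" works, and why the audit reports `Inherited` for each hit, since an inherited Allow from the drive root is the usual reason a script can still walk outside its site. Group membership is not expanded here, so a `Users` or `Authenticated Users` ACE that the site account picks up indirectly has to be added to the `-Identities` list to be seen.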