Re: Filesystemobject security IIS question...
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/20/03
- Next message: Tom Pepper Willett: "Re: Confirmation of your reservation with CentralR.com. #202103"
- Previous message: David Wang [Msft]: "Re: IIS 6.0 CGI pipe broken..."
- In reply to: Agustin: "Re: Filesystemobject security IIS question..."
- Next in thread: Agustin: "Re: Filesystemobject security IIS question..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 13:40:43 -0800
Yes, your understanding is correct.
However, if code in dir1 has the ability to call "RevertToSelf()", it can
become the process identity (and if run in Low Isolation, this process
identity is LocalSystem), which may or may not be able to see dir2.
This problem is addressed in IIS6, where we allow you to configure the
process identity as well -- so you can lock an application to an identity no
matter if it's impersonated via authentication (or anonymous) or
RevertToSelf().
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
news:bpik8e$1ot4c0$1@ID-48235.news.uni-berlin.de...
Hi David,

Thanks for the reply...

My second question is:

IIS anon web sites run as IUSR user. Is it best to change that user to an
already created system user?

For example:

c:\webs\dir1 >> userA has permissions to RXW
c:\webs\dir2 >> userB has permissions to RXW

If I change in IIS the user in the web site for dir1 from IUSR to userA,
that will prevent userA seeing dir2. Is this correct? Is this safe?

Thanks!!!

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OR#bcM1rDHA.2060@TK2MSFTNGP10.phx.gbl...
> Well, FileSystemObject is legacy code, so no development will happen on it.
>
> Directory Bind does not make sense because it is a Policy definition and not
> a Feature. Thus, it makes sense for a web-app or its administrator to
> define valid areas of access by Policy, and all code running within that
> area must obey policy. Sort of like the way FileAccess works in .Net.
>
> I do not fully understand your other question considering anonymous
> accounts. If you give an anonymous user account for every user on your
> system, that certainly allows you to define which user can read/execute what
> by fine-grained ACL.
>
> As for "riskiness" -- If you are not running IIS6, you really have no choice
> on the process identity in the inproc case (any code that runs
> RevertToSelf() will become localsystem), so you need to control what code
> people can upload and run.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:bpfq8s$1o5bmc$1@ID-48235.news.uni-berlin.de...
> Hi David,
>
> The script I tested this with uses full path (ie: c:\inetpub\dir1). So
> turning parent paths won't work.
>
> If I Deny List Data / Read Data for IUSR in inetpub, would that work? To
> what other directories should I deny IUSR read? I was thinking of C:\
>
> There should be a directory bind for FSO (ie binding the FSO only to
> c:\inetpub\ and higher).
>
> Thanks a lot David!
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OcEQXbprDHA.2304@tk2msftngp13.phx.gbl...
> > Make sure the identity that the script runs as does not have Read
> > permissions where it shouldn't.
> >
> > Why do you have Everyone:F on inetpub -- remove it. You can set IUSR:Deny
> > on inetpub if you then reset the include directory to allow IUSR:R . In
> > particular, turn off ASPParentPaths if you don't want ASP pages being able
> > to read any file it can access on the hard drive.
> >
> > --
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> > news:bpe1hu$1lh816$1@ID-48235.news.uni-berlin.de...
> > Hi Guys,
> >
> > I have the following problem. My IIS dir structure is as follows:
> >
> > c:\inetpub\site1
> > c:\inetpub\site2
> > c:\inetpub\siten
> >
> > The inetpub folder has these permissions:
> > EVERYONE: Full - this folder, sub folders and files
> > INTERACTIVE: RX - this folder, sub folders
> > NETWORK: RX - this folder, sub folders
> > SYSTEM: RX - this folder, sub folders
> >
> > And for some sites (in general):
> > IUSR: RX - this folder, sub folders
> > IUSR: R - Files only
> > System: F
> > Administrators: F
> > User: RXW - this folder, sub folders
> > User: RW - Files
> >
> > I uploaded a directory browsing script and found out that I could browse my
> > entire hard disk.
> >
> > Can someone point me out what NTFS permissions I have to place and where to
> > stop this script from browsing out of its boundaries or listing the root dir
> > (ie inetpub and below)?
> >
> > I placed IUSR deny List Data / Read Data in c:\inetpub, but this gave me
> > problems with include files....
> >
> > Any ideas??
> >
> > Thanks!
> >
> > Agustin
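
The identity question discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of an ordered ACL check showing which identity the file system evaluates before and after RevertToSelf(). The ACLs, the SYSTEM entries on dir1/dir2, the "(IUSR denied)" entry and all function names are constructed assumptions; inheritance and real group membership are not modelled.

```python
# Added example: simplified NTFS-style access check with constructed ACLs.
# Assumptions: no inheritance, flat group membership, ACEs walked in order.
READ, WRITE, EXECUTE = 1, 2, 4
RXW = READ | WRITE | EXECUTE
FULL = RXW  # enough rights bits for this model

def sids(identity):
    # Constructed membership: every identity is also a member of Everyone.
    return {identity, "Everyone"}

# Constructed ACLs as ordered (type, trustee, mask) entries.
ACLS = {
    r"c:\webs\dir1": [("allow", "userA", RXW), ("allow", "SYSTEM", FULL)],
    r"c:\webs\dir2": [("allow", "userB", RXW), ("allow", "SYSTEM", FULL)],
    r"c:\inetpub": [("allow", "Everyone", FULL)],
    r"c:\inetpub (IUSR denied)": [("deny", "IUSR", READ),
                                   ("allow", "Everyone", FULL)],
}

def access_check(identity, path, wanted):
    """Walk the ACL in order; a matching deny on a not-yet-granted bit fails."""
    granted = 0
    for ace_type, trustee, mask in ACLS[path]:
        if trustee not in sids(identity):
            continue
        if ace_type == "deny":
            if mask & wanted & ~granted:
                return False
        else:
            granted |= mask
        if granted & wanted == wanted:
            return True
    return False  # nothing granted the requested rights

def effective_identity(impersonated, process_identity, reverted):
    """The impersonated user applies until RevertToSelf(); after that the
    process identity is what the access check sees."""
    return process_identity if reverted else impersonated

def can_read(path, impersonated, process_identity, reverted=False):
    who = effective_identity(impersonated, process_identity, reverted)
    return access_check(who, path, READ)

if __name__ == "__main__":
    dir2 = r"c:\webs\dir2"
    print(can_read(dir2, "userA", "SYSTEM"))                 # impersonating userA
    print(can_read(dir2, "userA", "SYSTEM", reverted=True))  # Low Isolation
    print(can_read(dir2, "userA", "userA", reverted=True))   # fixed process identity
```
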