Re: Security in hosted environment

From: Bernard (qbernard_at_hotmail.com)
Date: 11/29/03


Date: Sat, 29 Nov 2003 11:05:58 +0800

I used to set up a different account for each website owner,
then configure ACLs based on their user account.
I have a limited number of users, so it's not that hard to control.

Since in your case you have thousands of them, you might want
to utilize user groups together with the user accounts.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

"PL" <pblse2@yahoo.se> wrote in message
news:#rMw3patDHA.684@TK2MSFTNGP09.phx.gbl...
> We are providing hosting for our members on an IIS6/W2k3 standard server,
> we are now considering offering scripting support but I seem to run into
> numerous security issues with this.
>
> The problem here is that each member does not have its own virtual dir,
> we already have thousands of members and it's not really feasible to try
> and change this.
>
> All member sites are in a folder called members, we created a virtual dir
> called members under our main site. We then created a separate app pool for
> the member virtual dir and created two new user accounts, IUSR_MEMBERS and
> IWAM_MEMBERS, which we entered as the anonymous user accounts on the app
> pool and the member virtual dir.
>
> So far so good.
>
> Now, we set the security on all folders so the IUSR and IWAM_members have
> read and write permissions in the member folders and nowhere else, this is
> because we want them for example to be able to run access db's (which would
> need write to update properly).
>
> Here the problem starts, even though they can't write outside the member
> dir they can still write to other members' folders!
>
> I thought I could fix this issue by setting permissions on the reg keys
> for the FileSystemObject and that worked fine, the problem is just the other
> objects with save capabilities which we need, like for example the SaveAs in
> ADODB.Recordset or the ServerXML objects methods, we can't disable everything
> because then there would be no point in offering scripting support.
>
> Exactly how do I do this? Any pointers or ideas would be appreciated.
>
> PL.
>
>
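
The thread turns on one shared anonymous account holding write access to every member folder, versus one account (or group) per owner with ACLs scoped to that owner's folder. The following audit script is an added example, not part of the original posts: it lists every account that can write to more than one member folder, which is the condition that lets one member's script write into another's site. It assumes PowerShell is available on the server; the default `$MembersRoot` path is a hypothetical placeholder.

```powershell
# Added example (not from the thread): list accounts that can write to more
# than one member folder. The default path is a hypothetical placeholder.
param(
    [string]$MembersRoot = 'D:\wwwroot\members'
)

# Rights that let a script create, change or delete content, or re-ACL a folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic write (0x40000000) and generic all (0x10000000) can appear on
# inherit-only ACEs and also imply write access.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Accounts expected to hold write access everywhere (administration, backup).
$ignore = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

$writers = @{}   # identity -> list of member folders it can write to

Get-ChildItem -Path $MembersRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_
    $seen = @{}  # identities with write access on this folder (deduplicated)
    foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($ignore -contains $id) { continue }
        $seen[$id] = $true
    }
    foreach ($id in $seen.Keys) {
        if (-not $writers.ContainsKey($id)) {
            $writers[$id] = New-Object System.Collections.ArrayList
        }
        [void]$writers[$id].Add($folder.Name)
    }
}

# With per-owner accounts and ACLs, this report should be empty.
$writers.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    Sort-Object { $_.Value.Count } -Descending |
    Select-Object @{ n = 'Identity';    e = { $_.Key } },
                  @{ n = 'FolderCount'; e = { $_.Value.Count } },
                  @{ n = 'Sample';      e = { ($_.Value | Select-Object -First 3) -join ', ' } }
```

In the setup described in the quoted post, IUSR_MEMBERS and IWAM_MEMBERS would appear in this report with a folder count equal to the number of member folders. Group-based grants are reported under the group name, so group membership still has to be reviewed separately.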

