Re: Security Question on setting NTFS permission for IIS6.0
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 12/29/03
- In reply to: Tarntanate M.: "Security Question on setting NTFS permission for IIS6.0"
- Next in thread: Tarntanate M.: "Re: Security Question on setting NTFS permission for IIS6.0"
- Reply: Tarntanate M.: "Re: Security Question on setting NTFS permission for IIS6.0"
Date: Mon, 29 Dec 2003 11:40:30 +0800
1) If you are browsing remotely via the network anonymously, the iusr a/c will
be a member of this group. Refer:
-Network
Represents users currently accessing a given resource over the network (as
opposed to users who access a resource by logging on locally at the computer
where the resource is located). Whenever a user accesses a given resource
over the network, the user is automatically added to the Network group.
-Interactive
Represents all users currently logged on to a particular computer and
accessing a given resource located on that computer (as opposed to users who
access the resource over the network). Whenever a user accesses a given
resource on the computer to which they are currently logged on, the user is
automatically added to the Interactive group.
2) Any user accessing via the network will be a member of this special group,
and yes, this is a risk. The basic rule of NTFS is to assign permissions only
to those users that require them. ONLY assign to required users.
3) Refer to #1.
4) Refer to #2. For a web resource directory with purely read access, remove
this as well. If you have different sites with different user uploads, then you
might want to include this to allow users to control their own
files/folders.
5) In IIS 5.0 isolation mode, iwam is the process identity of the out-of-process
application, e.g. running dllhost.exe. Network Service functions the same way,
running the w3wp.exe worker process in IIS 6.0 WP mode. These are
process identities; you still need the iusr a/c for anonymous access.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

"Tarntanate M." <toms@access.inet.co.th> wrote in message news:OneGcNPzDHA.2240@TK2MSFTNGP10.phx.gbl...
> I have some question about NTFS permission, I'm using W2k3 Standard Edition
> and PHP 4.3.4
>
> 1. If I do not add "IUSR_XXXX" user into NTFS permission, but I have
> "NETWORK" group which have "Read" permission instead, I can access to my
> website. So, is "IUSR_XXX" account is a member of "NETWORK" group?
>
> 2. If I add "NETWORK" group which have "Read" permission into NTFS
> permission rather than exactly "IUSR_XXXX" account, are there any security
> risk?
>
> 3. Do I need to add "INTERACTIVE" group which have only "Read" permission?
> Is this group necessary?
>
> 4. Do I need to have "CREATOR OWNER" and "CREATOR GROUP" which have "Full
> Control" permission? Because when I create a new folder for adding new web
> site, that folder is automatically have these group on the NTFS permission.
>
> 5. If my web site contains asp or aspx files, do I need to add "NETWORK
> SERVICE" or "IWAM_XXXX" user into NTFS permission? If not, when or in what
> situation I need to add those users into NTFS permission?
>
> Any ideas or suggestions are welcome.
> Thank you very much.
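An added example, not part of the original post or thread: a PowerShell audit that lists Allow ACEs held by the special identities discussed above (NETWORK, INTERACTIVE, CREATOR OWNER, CREATOR GROUP) on a web content tree, so they can be reviewed against the "only assign to required users" rule. It assumes PowerShell 3.0 or later, and the default path is a hypothetical placeholder.

```powershell
# Added example: audit a web content tree for Allow ACEs granted to the
# special identities discussed in this thread.
# Assumption: the default path below is a hypothetical placeholder.
param([string]$WebRoot = 'C:\Inetpub\wwwroot\example-site')

# Well-known SIDs are matched instead of names so the check also works on
# localized systems where the display names differ.
$Special = @{
    'S-1-5-2' = 'NETWORK'
    'S-1-5-4' = 'INTERACTIVE'
    'S-1-3-0' = 'CREATOR OWNER'
    'S-1-3-1' = 'CREATOR GROUP'
}
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-SpecialIdentityAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Special.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $Special[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The root plus every subfolder beneath it.
$dirs = @($WebRoot) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory |
    ForEach-Object { $_.FullName })

# Report everything at the root; below it, report only explicit ACEs so an
# inherited entry is listed once, at the folder where it is actually set.
$dirs | ForEach-Object { Get-SpecialIdentityAce -Path $_ } |
    Where-Object { $_.Path -eq $WebRoot -or -not $_.Inherited } |
    Sort-Object Path, Identity |
    Format-Table -AutoSize
```

The script only reads ACLs; each reported entry is a candidate for replacing with an ACE for the specific anonymous or upload account that needs the access.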