RE: IIS anonymous access
From: Wei-Dong XU [MSFT] (v-wdxu_at_online.microsoft.com)
Date: 05/20/04
- Previous message: hks: "passwords?"
- In reply to: Rusted: "IIS anonymous access"
- Next in thread: Yan-Hong Huang[MSFT]: "RE: IIS anonymous access"
Date: Thu, 20 May 2004 03:31:53 GMT
Hi,
Since your ASP page only needs to read the file from the Unix folder, I'd suggest you grant only the read permission to this domain account on this folder so that all the requests with this domain account will be limited. Then the writing, editing, and deleting requests sent with this domain account will be denied.
I don't know how you add the Unix box into the domain or open the folder to the Windows domain, via Samba? Or some other way? As I know, if your folder can be accessed with one Windows domain account, this means the domain account permission management on this folder should be the same as for a Windows folder. Samba or other utilities (which connect Unix with Windows) should perform a permission mapping from the Windows style to the Unix style, which is the internal implementation of Samba or the other utility. You should only need to configure the permission on the folder the same as on Windows. In this scenario, please only grant the read permission to this account on the folder.
Furthermore, since the ASP page will use this account, to keep things secure, I'd also suggest you check how many resources in your domain this account can access and control. If lots of important data in your domain can be accessed via this account, this will involve a hidden security threat to your domain; using a domain admin will be the same, which is more dangerous, for this one has full permission to the domain.
So I'd recommend you create one domain account (for example, domain\folderReader) only for accessing this folder; then in the web application, you still use the default ASP page account to run the ASP application. For the ASP page accessing the file folder, you can impersonate the account domain\folderReader for reading the files; after the work, impersonate back. This way, you only need to configure the permission for this account domain\folderReader on the folder, which is very easy for your system maintenance. KB article 248187 will show you how to perform the impersonation in an ASP page.
HOWTO: Impersonate a User from Active Server Pages
http://support.microsoft.com/?id=248187
In addition, I'd also suggest you read the manual of Samba or the other application which connects Unix and Windows, for any specific security setting you should note.
If my understanding of your scenario is not correct, please feel free to let me know if you have any questions. I look forward to your reply.
Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
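Added example, not part of the original post and not Samba or Microsoft code: a Python check, run on the Unix box, that the Unix account the domain account maps to gets read-only access to the folder through classic owner/group/other mode bits. The uid and gids passed in are hypothetical, the sample tree is constructed, and POSIX ACLs and share-level settings are not evaluated.

```python
import os
import stat
import tempfile

def effective_bits(st, uid, gids):
    """rwx bits (0-7) the classic owner/group/other mode grants to uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_read_only(root, uid, gids):
    """Return (path, problem) for every entry that breaks read-only access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink, target not audited"))
                continue
            bits = effective_bits(st, uid, gids)
            if bits & 2:  # on a directory this also allows create/delete
                findings.append((path, "writable"))
            if not bits & 4:
                findings.append((path, "not readable"))
            if stat.S_ISDIR(st.st_mode) and not bits & 1:
                findings.append((path, "not traversable"))
    return findings

def build_sample_tree():
    """Constructed sample: one correct file and one world-writable file."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("report.txt", 0o644), ("upload.txt", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root)
    # Hypothetical mapped account: neither the owner nor in the owning group.
    reader_uid, reader_gids = owner.st_uid + 1, {owner.st_gid + 1}
    for path, problem in audit_read_only(root, reader_uid, reader_gids):
        print(problem, path)
```

An empty result means every directory is traversable and every file readable but nothing is writable for that account; any "writable" finding on a directory means the account could also create or delete entries there.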