Re: How Should IIS permissions be set to prevent hacking?

From: StarView (StarView_at_discussions.microsoft.com)
Date: 07/05/04

Date: Mon, 5 Jul 2004 14:56:01 -0700

Hi Ken,

Thank you for the time you are spending replying to my posts. I appreciate it. I've removed the FPSE (checking the box to save data in case FPSE are reinstalled) and then configured them. Those groups are set up and I have the Administrator in the HCPC_Admins group. I'm logged on as the Administrator. In reading the uSoft online help for setting web site permissions, when I try to open the web site, URL http://www.remotedirector.com, a message comes back saying "The folder 'http://www.remotedirector.com' is not accessible. The folder may be located in an unavailable location, protected with a password, or the filename contains a / or \." This is really confounding. I do not know of any defaults that I've changed. Any other advice to share other than what you recommended above?

"Ken Schaefer" wrote:

> Hi,
>
> A) In the IIS Manager, on the Directory Security tab, you should leave the
> Anonymous User account as IUSR_<machinename>. This account is used by IIS
> when someone browsing your website does not supply credentials
> (username/password). Provided you have *not* changed any other settings,
> this should work fine.
>
> B) To get FPSE web publishing working, you need to get the three FPSE groups
> created. These are created when you configure the FPSE extensions. I suggest
> you *uninstall* the FPSE extensions (as I suggested), then reinstall them.
> When asked if you want to create the three local groups, please choose "yes"
>
> C) After installing the FPSE extensions, right-click on the default website
> and choose (as you've done before) to tighten security - this will reset the
> NTFS permissions on all the files in your webroot so that publishing will
> work properly *and* unauthorised users cannot alter your files
>
> D) In step (b), there are three groups created:
> <machinename> Admins
> <machinename> Authors
> <machinename> Browsers
>
> So, if your machinename is "Starview", the first group will be called
> "Starview Admins". You can see these groups in the "Computer Management" MMC
> Snapin (My Computer -> right-click and choose Manage -> Users and Groups ->
> Groups). You add users to these groups, depending on what permissions you
> want to give each user account. Any user that should be able to perform all
> FPSE related activities goes into the Admins group (by default this is any
> administrator on the machine). Any user who should just be able to
> add/update content on the website goes into the Authors group, and anyone
> who should just be able to view the FPSE configuration information goes into
> the Browsers group.
>
> Now, I do not know *what* things you've changed from the defaults on your
> machine. As Jeff has mentioned *if* you just leave the defaults, everything
> should work just fine. However, it seems that some things are wrong, because
> your friend was able to change your webpages *and* the FPSE authoring groups
> do not exist on your machine *and* you've changed the Anonymous user
> account in the IIS Manager. It may be worthwhile going down to your local
> bookstore, and buying a book on Frontpage Publishing...
>
> Cheers
> Ken
>
>
> "StarView" <StarView@discussions.microsoft.com> wrote in message
> news:73277BF9-608C-4B8B-9621-FDDE8377E9D3@microsoft.com...
> : Ken,
> :
> : Doing as you suggested: A) Helped me see & set up the groups you mentioned;
> : thank you. B) Is now preventing me from accessing my own remote
> : web server (IIS) even when I log on as administrator. Do I need to just
> : uninstall FP & IIS & start over, or do you see a less painful and time
> : consuming approach I ought to take? BTW, once these groups and users are
> : set up, I'm unclear on what the configuration needs to be in the directory
> : security tab in the default web properties (Up until now, I've had to
> : change the user at this tab from IUSR to administrator for me to be able to
> : open it in FP; then I'd have to remember to change it back to IUSR when I
> : was done. Now logging on as an administrator & setting the above to the
> : administrator user results in FP saying that Sharepoint Services are not
> : installed & it does not let me in.) HELP.
> :
> : "Ken Schaefer" wrote:
> :
> : > Hi,
> : >
> : > What I suggest you do is the following:
> : >
> : > Open IIS Manager, right-click and choose to "remove frontpage server
> : > extensions". Choose the option to keep your metadata in case you wish to
> : > reinstall FPSE
> : >
> : > Now, right-click on the website again, and choose to "configure frontpage
> : > server extensions". Go through the wizard, and when it gets to the page
> : > asking if you want to create the local groups *make sure you do*. If you do
> : > not create these groups /anyone/ can change stuff on your website. The only
> : > time you would not create these groups is if you already have FPSE on a
> : > different website on the machine, and you created the groups when you set up
> : > FPSE previously. Since this is your first (and only) website on this
> : > machine, you need to choose to create these groups.
> : >
> : > Now, by default, all administrator users are placed into the "Admins" group,
> : > so, your account (assuming it's an admin account) will be able to perform
> : > all administrative functions related to FPSE (including authoring files on
> : > the server). As long as someone doesn't guess that username/password you're
> : > fine.
> : >
> : > Cheers
> : > Ken
> : >
> : >
> : > "StarView" <StarView@discussions.microsoft.com> wrote in message
> : > news:9087640C-E280-410B-814E-9952AED58464@microsoft.com...
> : > : Hi - Boy, you've exposed me to a whole new dimension of my computers that
> : > : I need to understand - which I don't completely. I see the two folders -
> : > : users & groups. I do not have an Authors or Browsers group. I have:
> : > : Administrators, Backup Operators, Guests, Network Configurators, Power
> : > : Users, Remote Desktop Users, Replicator, Users, and HelpServicesSupport.
> : > :
> : > : I take it that when I need to create (author) & publish web pages, I need
> : > : to be logged on as one user. The rest of the time, I need to be logged on
> : > : as a different user.
> : > :
> : > : So, what do you recommend for a user and group for creating & publishing
> : > : web pages, and what do you recommend for a user and group when anonymous
> : > : Internet users to access the web pages, be able to click on a button to
> : > : execute a command in some home automation S/W, allow remote access w/in the
> : > : house from a wireless smart display, yet prevent people from editing the
> : > : website and introducing other nasty things?
> : > :
> : > : (BTW - thank you very much for your support so far. I really appreciate
> : > : it.)
> : > :
> : > : John.
> : > :
> : > : "Ken Schaefer" wrote:
> : > :
> : > : > Hi,
> : > : >
> : > : > a) If you've already added FPSE, you do not have the option to "configure
> : > : > FPSE" - this option is only there if you have not already added FPSE
> : > : >
> : > : > b) I have *no* idea what you've done to your system prior to this point. The
> : > : > instructions below are for setting things up from scratch. If you've
> : > : > modified other settings, you may have opened other possible methods of
> : > : > altering content (eg directly via fileshares, via WebDAV etc)
> : > : >
> : > : > c) You create the FPSE groups using the "Configure FPSE" option. When you
> : > : > initially added FPSE 2000 you would have been asked if you wanted to create
> : > : > the 3 local groups. If you replied "yes", then these already exist. You can
> : > : > check by right-clicking on "My Computer" and choosing "Manage". In the
> : > : > "Manage Computer" MMC Snapin, there is a node called "Local Users and
> : > : > Groups", underneath which are both "users" and "groups". If there are groups
> : > : > called: <machinename> Admins, <machinename> Authors, and <machinename>
> : > : > Browsers, then these groups have already been created.
> : > : >
> : > : > Cheers
> : > : > Ken
> : > : >
> : > : > "StarView" <StarView@discussions.microsoft.com> wrote in message
> : > : > news:B3606BB9-4B67-4F4A-9FE5-CD546871112B@microsoft.com...
> : > : > : Hi Ken,
> : > : > :
> : > : > : Thank you for the recommendations. I've done (a) thru (c). For (d), I do
> : > : > : not have an option to configure FPSE - only to check them. I've run the
> : > : > : "check server extensions," asking if I want to make them as tight as
> : > : > : possible. I replied yes and it corrected whatever problems that were
> : > : > : found. I do not have the option to configure or set up groups of users.
> : > : > : I'm running Win XP Pro SP1, IIS 5.1, FP 2003.
> : > : > :
> : > : > : Any further recommendations are very welcome. Thank you.
> : > : > :
> : > : > : John.
> : > : > :
> : > : > : "Ken Schaefer" wrote:
> : > : > :
> : > : > : > Hi,
> : > : > : >
> : > : > : > If you followed the defaults you should be fine:
> : > : > : >
> : > : > : > a) Ensure that all accounts on your computer have passwords. To do this,
> : > : > : > right-click on "My Computer" and choose "Manage". Expand the Users and
> : > : > : > Groups node, and select the Users folder. For each user account that you
> : > : > : > have created, plus the Administrator account, right-click and choose "Set
> : > : > : > Password". Make sure you are not using EFS (Encrypting File System), or that
> : > : > : > you have the necessary password reset disks etc.
> : > : > : >
> : > : > : > b) Install IIS, including FPSE
> : > : > : >
> : > : > : > c) Go to windowsupdate.microsoft.com and get all the necessary updates
> : > : > : >
> : > : > : > d) Open IIS Manager, right-click on your website, All Tasks, Configure FPSE
> : > : > : >
> : > : > : > e) Add the FPSE extensions, and *ensure* that you choose to create the three
> : > : > : > local groups
> : > : > : >
> : > : > : > f) Now, in the Users & Groups section you used previously under Computer
> : > : > : > Management (in (a) above), add users into the various groups you created in
> : > : > : > (e). Basically, all user accounts who should be able to author documents go
> : > : > : > into the Authors group
> : > : > : >
> : > : > : > g) Now, your FPSE publishing is only as secure as your passwords. If your
> : > : > : > friend can guess your password, they can still get in - because FPSE has no
> : > : > : > idea whether it's really you, or someone pretending to be you :-)
> : > : > : >
> : > : > : > <shameless plug>
> : > : > : > Grab my IIS 6.0 security book if you want more information on IIS security
> : > : > : > stuff. There's a free chapter on my website: www.adopenstatic.com. The book
> : > : > : > deals with IIS 6.0 security, but some of the stuff overlaps with IIS 5.0.
> : > : > : > </shameless plug>
> : > : > : >
> : > : > : > Cheers
> : > : > : > Ken
> : > : > : >
> : > : > : >
> : > : > : > "StarView" <StarView@discussions.microsoft.com> wrote in message
> : > : > : > news:053E1007-F7AF-4DB2-B3E1-28D5F21A3688@microsoft.com...
> : > : > : > : A friend today demonstrated how he was able to modify my default page. He
> : > : > : > : suggested coming here. What/where/how do I need to configure the
> : > : > : > : permissions in my IIS (in WinXP Pro) such that I can update my pages (using
> : > : > : > : FP), and allow Internet users to read the pages, yet prevent anyone from
> : > : > : > : changing them or adding malicious code?
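An added audit script (written for this page, not Ken's or the thread's own code) that checks the two things Ken keeps coming back to: whether the three FPSE local groups exist and who is in them, and whether the default website's anonymous user is still IUSR_<machinename> rather than an administrator account. It assumes the WinNT ADSI provider for local groups (present on any Windows) and the IIS 5.x/6.0 metabase ADSI provider at the assumed path IIS://localhost/W3SVC/1/Root for the anonymous account; on IIS 7 and later that path does not exist and the check is skipped.

```powershell
# Added audit script, not from the thread. Assumptions: WinNT ADSI provider
# for local groups; IIS 5.x/6.0 metabase ADSI provider for the default site.
$machine = $env:COMPUTERNAME

# Return the member names of a local group, or $null when the group is missing.
function Get-LocalGroupMembersViaAdsi([string]$groupName) {
    $path = "WinNT://$machine/$groupName,group"
    if (-not [ADSI]::Exists($path)) { return $null }
    $group = [ADSI]$path
    @($group.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
}

$problems = @()

# The three groups FPSE creates when "create local groups" is chosen.
foreach ($suffix in "Admins", "Authors", "Browsers") {
    $name = "$machine $suffix"
    $members = Get-LocalGroupMembersViaAdsi $name
    if ($null -eq $members) {
        # Without these groups FPSE has nothing to restrict authoring to.
        $problems += "Group '$name' does not exist: reconfigure FPSE and create the local groups"
        continue
    }
    # Everyone listed under Admins or Authors can change site content; review the list.
    Write-Host "${name}: $($members -join ', ')"
}

# Anonymous user of the default website (metabase instance 1).
$metabasePath = "IIS://localhost/W3SVC/1/Root"
if ([ADSI]::Exists($metabasePath)) {
    $anon = [string]([ADSI]$metabasePath).AnonymousUserName
    Write-Host "Anonymous user: $anon"
    if ($anon -notlike "IUSR_*") {
        # An admin account here hands its rights to every unauthenticated visitor.
        $problems += "Anonymous user is '$anon', expected IUSR_$machine"
    }
} else {
    Write-Host "Metabase path $metabasePath not found (IIS 7+?); skipping anonymous user check"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "FPSE groups and anonymous user match the defaults described above" }
```

Run it in an elevated PowerShell on the web server; the group listing is the part worth reading closely, since every name under Admins or Authors is an account that can publish to the site.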

