Re: IIS metabase permissions when creating new VirDir's

From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 03/22/05


Date: Tue, 22 Mar 2005 10:31:00 +1100

Are you on IIS 6.0?

The way I'd probably do that would be to either lock down the file using IIS
service manager and enable Windows authentication - you then run it under
the authenticated account (with impersonation enabled). You could also
create a new application pool which runs under a privileged account, then
edit the VDir's properties in IIS service manager so that it runs under the
privileged app pool.

-- 
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tony D" <TonyD@discussions.microsoft.com> wrote in message 
news:EEBEF54A-9781-4718-98C8-018375692864@microsoft.com...
> Thank you for your answer.
>
> Could you please give an example of how to run a Virtual Directory under a
> different user context?
>
> I know that the constructor for System.DirectoryServices.DirectoryEntry
> takes an AuthenticationType parameter.  Is this what you mean?
>
> - Tony
>
>
> "Jason Brown [MSFT]" wrote:
>
>> The queue idea is a good one, but possibly overkill. You could run the
>> individual script or virtual directory under the context of a different
>> user account, but you'd need to be careful of who can access it, by
>> requiring authentication and locking down the script with NTFS.
>>
>> I'd also recommend you take care and backup before changes, and have a
>> protocol sorted out for rolling back changes, just in case.
>>
>>
>> -- 
>> Jason Brown
>> Microsoft GTSC, IIS
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>> "Tony D" <TonyD@discussions.microsoft.com> wrote in message
>> news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com...
>> > Hi,
>> >
>> > Theoretical, architecture-type question here:
>> > -=-
>> > If one wants to have an Asp.Net app programmatically create new
>> > VirDir's, how should you implement this?  Open the doors wide-open to
>> > the ASPNET user account?  (not!)
>> >
>> > Some Background:
>> > -=-
>> > We have an Asp.Net app that we ported from Asp/VB6.  It allowed
>> > anonymous IIS users to create new web-sites on-the-fly.  Obviously, our
>> > app ensures that only users who are registered and correctly logged-in
>> > can do this.  My point is that as far as IIS is concerned, users are
>> > anonymous.
>> >
>> > In the old Asp/VB6 world, this worked because the Asp pages would call
>> > the COM+ components, which impersonated as a local machine account.  We
>> > ensured the local machine account had enough permissions to:
>> > - access the appropriate part(s) of the file system to make the new
>> >   web-site
>> > - access the appropriate part(s) of the IIS metabase
>> >
>> > Correct me if I'm wrong, but the way I understand impersonation works
>> > in .Net isn't the same: it will only work if you use Windows
>> > Authentication under IIS, and will then only impersonate the logged-in
>> > user.  In our app, we can't use Windows Authentication.
>> >
>> > We can make the new .Net code work if we allow the ASPNET user access
>> > to the resources I described above, but we would like a better
>> > solution.  My thought is to have the Aspx page create an MSMQ message,
>> > asking to create the new VirDir.  We already have a daemon process
>> > written in C# that monitors MSMQ, and it runs with LOCALSYSTEM privs,
>> > so it could get the job done.
>> >
>> > What is Microsoft's recommendation on this?
>> >
>> > -- 
>> > - Tony D
>>
>>
>> 
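
An added example (not part of the original thread, and not Microsoft's or the poster's code) of the privileged side of either design discussed above: the code that runs in the privileged application pool or in the MSMQ daemon, written in C# against the IIS 6.0 ADSI provider. The `VDirProvisioner` class, site ID `1`, content root `D:\Sites` and pool name `TenantPool` are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.IO;
using System.Text.RegularExpressions;

// Added example. Runs only in the privileged context (the dedicated app pool
// or the MSMQ daemon); the anonymous-facing pages never touch the metabase.
public static class VDirProvisioner
{
    // Assumptions: site ID, content root and pool name are placeholders.
    const string ParentPath  = "IIS://localhost/W3SVC/1/Root";
    const string ContentRoot = @"D:\Sites";
    const string TenantPool  = "TenantPool";   // low-privilege pool for new VDirs

    // Allow-list: 3 to 32 characters, lowercase letters, digits and hyphens.
    static readonly Regex SafeName = new Regex(@"^[a-z0-9][a-z0-9-]{2,31}$");

    public static void Create(string requestedName)
    {
        // Treat the name as untrusted input even though the app checked the login.
        if (requestedName == null || !SafeName.IsMatch(requestedName))
            throw new ArgumentException("Rejected virtual directory name.");

        // Resolve the folder and confirm it stays under the content root.
        string root = Path.GetFullPath(ContentRoot) + Path.DirectorySeparatorChar;
        string physical = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!physical.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path escapes the content root.");

        Directory.CreateDirectory(physical);

        using (DirectoryEntry parent = new DirectoryEntry(ParentPath))
        using (DirectoryEntry vdir = parent.Children.Add(requestedName, "IIsWebVirtualDir"))
        {
            vdir.Properties["Path"].Value = physical;
            vdir.Properties["AccessRead"].Value = true;
            vdir.Properties["AccessScript"].Value = true;
            vdir.Properties["AccessWrite"].Value = false;
            vdir.CommitChanges();
            // AppCreate3(mode, pool, createPool): 2 = pooled. The new directory
            // goes into the low-privilege pool, not the provisioning pool.
            vdir.Invoke("AppCreate3", 2, TenantPool, false);
            vdir.CommitChanges();
        }
    }
}
```

The metabase and file-system permissions are granted only to the account that runs this code, so the ASPNET account used by the anonymous-facing pages needs no extra rights.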

