Re: IIS folder structure and security.

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 04/20/05


Date: Wed, 20 Apr 2005 17:56:42 GMT

On Wed, 20 Apr 2005 00:35:01 -0700, "Savas"
<Savas@discussions.microsoft.com> wrote:

>I should have read this before posting; is there a thorough documentation
>available on setting up unique accounts and not letting them access other
>folders?

That's basic Windows security, not limited to IIS so a decent Windows
administration book should cover it. Also take a look at:

http://www.microsoft.com/serviceproviders/microsoftsolutions/sharedhostingguide.asp
http://www.microsoft.com/serviceproviders/webhosting/default.asp

And the forums located there and at asp.net.

Jeff

>"Jason Brown [MSFT]" wrote:
>
>> Yes, it's possible, with a lax NTFS security scheme, for a user of site1 to
>> access files in other sites with, say, FileSystemObject. This could lead to
>> some shenanigans.
>>
>> The way I'd deal with this would be to add a unique user account for each
>> separate user, and a group which you can add the users to for blanket
>> permissions. Then make sure only the appropriate user account has rights on
>> their set of folders. If they then tried to cross the boundary into another
>> site, they'd immediately be denied.
>>
>> It sounds hard to set up at first, but once you get going with it it's
>> really not too hard.
>>
>>
>> --
>> Jason Brown
>> Microsoft GTSC, IIS
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>>
>> <edroszcz@gmail.com> wrote in message
>> news:1113603977.291868.73260@g14g2000cwa.googlegroups.com...
>> Hi,
>>
>> Been browsing for some information about how I should organize our
>> Windows 2003 servers running IIS6. With organize I mean which folder
>> structure we should use and how to make it secure.
>>
>> The structure I have atm looks like this:
>>
>> D:\Websites
>> ....
>> D:\Websites\domain1.com
>> D:\Websites\domain1.com\www
>> D:\Websites\domain1.com\db
>> ....
>> D:\Websites\domain2.com
>> D:\Websites\domain2.com\www
>> D:\Websites\domain2.com\db
>>
>> and so on for each domain on the server.
>>
>> In the IIS each site has its root to the 'www' folder. I.e. the site
>> for the domain domain1.com points to the folder
>> D:\Websites\domain1.com\www.
>>
>> The server is a shared webhosting server with all kinds of customers
>> with different domains. I don't use the IIS FTP so I don't have to worry
>> that users can change/delete files from other users' directories that
>> way.
>>
>> But what I wonder is, can the user with domain1.com execute a script
>> that he put in D:\Websites\domain1.com\www that in some way could
>> access the files in D:\Websites\domain2.com\www?
>>
>> If so, which would be the best way to fix this? Do I have to create
>> Windows accounts and set NTFS permissions on each customer's folder?
>>
>> Any ideas, comments or thoughts on this would be appreciated.
>>
>> Best regards
>> Erik Droszcz
>>
>>
>>
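
The per-site account and NTFS scheme described in the thread, as an added example that is not part of any poster's message: it locks each site folder to its own account and then audits for leftover grants that would still let one site read another. It assumes a Windows version whose icacls supports /inheritance and PowerShell 3 or later, English built-in account names, per-site local accounts that already exist, and a hypothetical naming scheme (web_<domain>); the rights granted on www and db are also assumptions.

```powershell
# Added example, not from the thread. Folder layout (D:\Websites\<domain>\www, \db)
# is the poster's; account names (web_<domain>) and the rights chosen are assumptions.
# The per-site local accounts are assumed to exist already. Run elevated.
$root    = 'D:\Websites'
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-SiteAccount([string]$domain) {
    # Hypothetical naming scheme: domain1.com -> web_domain1_com
    'web_' + ($domain -replace '[^A-Za-z0-9]', '_')
}

$sites = Get-ChildItem -Path $root -Directory

foreach ($site in $sites) {
    $acct = Get-SiteAccount $site.Name
    # Stop inheriting from D:\Websites, then grant only admins, SYSTEM and the
    # site's own account. (OI)(CI) makes files and subfolders inherit the entry.
    & icacls $site.FullName /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${acct}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $($site.FullName)"; continue }

    $db = Join-Path $site.FullName 'db'
    if (Test-Path $db) {
        # Assumption: the site must be able to write to its own db folder.
        & icacls $db /grant:r "${acct}:(OI)(CI)M" | Out-Null
    }
}

# Audit: /inheritance:r does not remove explicit entries that were already
# present, so report every Allow entry that is neither trusted nor the site's own.
$findings = foreach ($site in $sites) {
    $own = "$env:COMPUTERNAME\$(Get-SiteAccount $site.Name)"
    $folders = @($site) + @(Get-ChildItem -Path $site.FullName -Directory -Recurse)
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                $who -ne $own -and $trusted -notcontains $who) {
                [pscustomobject]@{ Folder = $folder.FullName; Identity = $who
                                   Rights = $ace.FileSystemRights }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

An empty report means no folder under D:\Websites grants access to anyone except administrators, SYSTEM and the site's own account; each site in IIS must also be configured to run anonymous requests as that site's account for the boundary to apply.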