Re: Access Control Best Practices for shared hosting seem at odds with Web Site Starters

From: M. M. Rafferty (mmr_at_vistagrande.com)
Date: 09/06/05


Date: Mon, 5 Sep 2005 23:56:02 -0700

Hi Jeff,

Thanks for your comments. However, they don't really address my questions.

The practical implementation of security measures is an exercise for the
reader -- but best practices is not.

For what it is worth, we have not allowed anonymous modify/write under the
web root. Access database files for instance, can be put outside the web.
By removing anonymous access from the admin or management folder, a site
owner could then authenticate as they would with FrontPage or FTP and upload
content via their browser. Usually, with the ASP applications, we have had
alternatives which meet the guidelines.

I do not understand what you mean by
> Only if you install Community Server in a folder directly off the
> root. It's an anomaly with the Windows file system.

With respect to DotNetNuke and the Community Server, yes, these are not
Microsoft products. However MS has recommended them to shared hosting
providers.

Since I am attempting to administrate a shared hosting server, I cannot be
dependent on the code that the clients bring to be written securely. We
also must isolate clients so that they can not gain access to another's code
or even know who else is hosted on that box. I'd rather take extra time up
front to work with clients on finding a securely configured solution than
hours later sorting out an exploited application.

I'm not writing these apps nor am I the one picking them. I'm just trying to
make sure that we are following best practices with our IIS 6 config and
will be able to make appropriate decisions about the requests our hosting
clients make. If there is a subtle distinction between the anonymous write
which is not to be allowed and the anonymous write which appears to be
needed for the community server apps and so forth, I would like to have that
spelled out so I cannot mistake one for the other.

mmr

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:43220efd.216431625@msnews.microsoft.com...
> On Mon, 5 Sep 2005 17:53:26 -0700, "M. M. Rafferty"
> <mmr@vistagrande.com> wrote:
>
> >The MS Shared Hosting Deployment Guide lists among best practices:
> > Ensure strong permissions are used on Web content
> > Use separate anonymous (IUSR) accounts for each Web site
> > Never allow anonymous user (IUSR) Write permission
> >
> >The document also describes Isolated Shared Web Hosting where each customer
> >has their own application pool with a unique identity. It states that the
> >host should "Ensure that the Customer-specific identity has the minimal
> >necessary permissions to system resources" but exactly what that means in
> >terms of ACLs apparently has been left as an exercise for the reader.
>
> Of course it's left to the reader. My users may need write
> permissions because the app requires it or I use an Access database.
> Yours may not. Permissions would be different for both our users, but
> I only need MODIFY access, not FULL CONTROL as my minimum.
>
> >And therein lies the problem. Or at least part of it.
> >
> >We are looking at the web site starter kits -- DotNetNuke and the Community
> >Server. It appears that both require write access for the application pool
> >identity below the web root. This has also come up in a few other
> >applications such as shopping carts we have encountered. Usually, the
> >requirement is to allow content management features, generally image
> >uploads, via the browser.
> >
> >How is this not anonymous write access? Why would Microsoft recommend this
> >to its hosting partners?
>
> First off, neither DotNetNuke nor Community Server is a Microsoft
> product. Best practices will rarely be the actual practices. All
> security is a balance between security and functionality.
>
> >Also, another quirk that appears to be the case, at least from what we
> >encountered in some experiments with the Community Server applications, is
> >that one seems to require the application pool identity have list permission
> >starting at the root of the drive all the way down to the web folder. This
> >seems like a bit of a privacy breach at best since it would rely only on
> >security through obscurity in our folder naming.
> >
> >Can someone explain this apparent contradiction?
>
> Only if you install Community Server in a folder directly off the
> root. It's an anomaly with the Windows file system.
>
> >Ideally, can someone lay out the recommended ACLs for this scenario for a
> >web host to have in place so that customers' sites are secured and
> >isolated... and still able to run real ASP.NET applications?
>
> Take a look at the Microsoft shared hosting environment. Keep in mind
> that running .NET apps does not require anonymous write access. Some
> apps may require write access to specific folders for the identity
> they're running under, but that's not necessarily anonymous. Also, if
> you can't actually run code under an identity that has access, then
> that identity having certain permissions really isn't a risk.
>
> If you're uncomfortable running an app because of the required
> permissions, don't run it.
>
> Jeff
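As an added example (not from this thread, nor from Jeff's or Microsoft's guidance), a PowerShell script that lays out the ACL split the thread argues about: a per-site anonymous account that can only read, an application pool identity that may write only inside one upload folder, and a check that no write right for the anonymous account slipped in. The site path and the two account names are placeholders.

```powershell
# Added example, not from the thread: per-site NTFS ACLs for an IIS 6 shared-hosting layout.
# Assumed (placeholder) names: site root D:\Sites\example, anonymous account IUSR_example,
# application pool identity AppPool_example. Run from an administrative PowerShell session.
param(
    [string]$SiteRoot = 'D:\Sites\example',
    [string]$AnonUser = 'IUSR_example',
    [string]$PoolUser = 'AppPool_example'
)
function New-Ace($Account, $Rights) {
    # Inheritable Allow ACE, so files and subfolders created later pick it up
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}
function Set-SiteAcl($Path, $Rules) {
    # Break inheritance so ACEs from the drive root (e.g. Users: Read) do not
    # flow in, drop whatever is left, then apply exactly the ACEs we want
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl $Path $acl
}
function Test-NoAnonymousWrite($Path, $Account) {
    # True when no Allow ACE for $Account carries a write-class right
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $bad = (Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -like "*$Account" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0) }
    return ($null -eq $bad)
}
$uploads = Join-Path $SiteRoot 'uploads'
New-Item -ItemType Directory -Force -Path $SiteRoot, $uploads | Out-Null
$admins = @((New-Ace 'BUILTIN\Administrators' 'FullControl'),
            (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))

# Site root: both low-privilege identities read only. The parent D:\Sites needs
# no List entry for them: "Bypass traverse checking" (granted to Everyone by
# default) lets a process open a child path without enumerating the parents.
Set-SiteAcl $SiteRoot ($admins + @((New-Ace $AnonUser 'ReadAndExecute'), (New-Ace $PoolUser 'ReadAndExecute')))
# Uploads: only the pool identity may write; the anonymous account never does
Set-SiteAcl $uploads ($admins + @((New-Ace $AnonUser 'ReadAndExecute'), (New-Ace $PoolUser 'Modify')))

# Verify the "never allow anonymous write" rule on every folder we touched
foreach ($p in $SiteRoot, $uploads) {
    if (-not (Test-NoAnonymousWrite $p $AnonUser)) { throw "$AnonUser can write under $p" }
}
```

Because the application pool runs as AppPool_example and anonymous requests are mapped to IUSR_example, browser-driven uploads still work through the application while a direct anonymous write to the content tree is refused by NTFS.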


