Re: File System Object Lockdown...possible?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/03/05
- Next message: Marcin Okraska: "User authentication problem when accesing ReportServer- very strange"
- Previous message: Jason: "Re: File System Object Lockdown...possible?"
- In reply to: Jason: "Re: File System Object Lockdown...possible?"
- Next in thread: Jason: "Re: File System Object Lockdown...possible?"
- Reply: Jason: "Re: File System Object Lockdown...possible?"
- Reply: Jason: "Re: File System Object Lockdown...possible?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Oct 2005 01:01:56 -0700
If there is no Authentication protocol enabled for his application other
than Anonymous, then the only user accounts he can use are:
1. Your configured Anonymous user account, which you control
2. The process identity of the Application Pool running the application,
which you control
3. An NT user that he has on the system, which you may/not control
Your situation pretty much has to fit into one of those three categories.
At which point, you need to provide the exact ACLs that are placed on the
directories of interest, and hopefully we will see what is going on.
global.asa and IWAM have very little to do with the situation. Just think
about that statement for a moment -- why in the world would IIS specially
impersonate IWAM just to run global.asa ??? What is more likely going on in
that situation is this -- on IIS4/5, when an application is configured to
run as medium/high isolation, code is executed in dllhost.exe which uses
IWAM as the process identity. Now, for some ASP events, a request is NOT
associated (i.e. like the OnEnd() event), so ASP has no impersonated
identity from the request to use (i.e. IUSR for the anonymous authenticated
requests), so it can ONLY use the process identity (in this case, IWAM since
it is medium/high isolation). This leads to apparently both IUSR and IWAM
identity being used to execute an ASP page.
Is that the situation here? Nope. On IIS6 worker process isolation mode,
everything is running in w3wp.exe, whose process identity is controlled by
the Application Pool. This means that the only identities available to an ASP
page are the impersonated identity (since you only have anonymous
authentication enabled, then only IUSR), the process identity (Network Service
by default), or a local NT user identity that the app custom logs in as.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Jason" <Jason@discussions.microsoft.com> wrote in message news:2C68B091-07E4-4C05-9A9C-57B42E2183EE@microsoft.com...

David,

Thanks for the info. In this case, he is uploading a file using the anonymous user. It is actually a banner management system he created for his site, so all he needs to do is log in to his system using his own custom login system and then upload a file. Therefore, there is no NT authentication allowing him to run his script other than with the anonymous user. I have also verified that his site does use the IUSR account to run as anonymous. Now I did read somewhere that if the site uses a global.asa file, the site uses the IWAM account for anonymous access, but I don't think that's the case. Either way, I have checked and verified that the site runs anonymous using the IUSR account. BTW, this is on IIS 6 using Windows 2003. I also checked the application pool the site uses and the identity for that uses the pre-defined "Network services" setting.

Any other ideas?

"David Wang [Msft]" wrote:

> FileSystemObject depends on NTFS ACLs for lockdown.
>
> If a developer is able to create a file in a folder outside his website, it
> means that you have misconfigured the server. If IUSR does not have
> permissions to write to that folder, it means that the developer/application
> is NOT running as IUSR when writing the file.
>
> You should know what identity that developer/application is using and make
> sure to ACL appropriately.
>
> In this case, your system's security depends heavily on how you configure it
> and "lock down" completely depends on you.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Jason" <Jason@discussions.microsoft.com> wrote in message
> news:48243F72-0C75-45E2-A383-6BAF58B4EF3B@microsoft.com...
> Is it possible to lock down a developer's access to server files? I know
> using NTFS, I can lock down the IUSR_MACHINENAME account to not have access
> to certain folders and files, but even with that, I have found that a sloppy
> developer was actually able to create a file in a folder up one from his
> website without the IUSR user having permissions to. Anyone know how I can
> stop it?
>
> In case more information is needed, the developer was writing some code to
> allow users to upload files to a folder on his site. In doing so, he was
> saving the files to the wrong folder, which was the parent folder of his
> website....which the IUSR account does not have any rights specified. I had
> him correct the problem, but I don't know why he was able to or how to stop
> him or another developer from doing the same thing...or worse yet, write
> files to another website's folder.
>
> Thanks in advance!
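David asks for the exact ACLs on the directories of interest, and names the three identities an anonymous-only ASP application on IIS 6 can run as: the configured anonymous account (IUSR_MACHINENAME), the application pool identity (Network Service by default), and any NT account the application logs in as itself. The script below is an added example, not code from the thread or from Microsoft; it lists every allow entry on the given folders that carries a create/write right and flags the ones held by those web identities or by broad groups (Everyone, Users, Authenticated Users) that IUSR belongs to. The folder paths and the watch list are assumptions; any account the application logs in as with its own custom login must be added to the watch list by hand.

```powershell
# Added example: audit which principals can create or modify files in a folder.
# Assumes PowerShell with Get-Acl; $Paths and $WatchList are placeholders.
param(
    [string[]]$Paths = @('C:\inetpub\wwwroot', 'C:\inetpub\wwwroot\site1'),
    # Leaf names of the identities the thread says an anonymous-only IIS 6 ASP
    # app can run as, plus the broad groups that contain IUSR. Add any account
    # the application logs in as itself (the third category in David's post).
    [string[]]$WatchList = @("IUSR_$env:COMPUTERNAME", 'NETWORK SERVICE', 'IIS_WPG',
                             'Everyone', 'Users', 'Authenticated Users')
)

# Any of these rights lets a principal create or change files in the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]`
    'CreateFiles, CreateDirectories, WriteData, AppendData, Write, Modify, FullControl'

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p"; continue }
    $acl = Get-Acl -LiteralPath $p
    Write-Output ""
    Write-Output "== $p  (owner: $($acl.Owner))"
    foreach ($ace in $acl.Access) {
        # Deny entries and entries without a write-class right cannot be the
        # path by which a file got written, so skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }

        $id   = $ace.IdentityReference.Value        # e.g. NT AUTHORITY\NETWORK SERVICE
        $leaf = $id.Split('\')[-1]                  # e.g. NETWORK SERVICE
        $flag = if ($WatchList -contains $leaf) { 'WEB-WRITABLE' } else { '' }
        $src  = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }

        # A WEB-WRITABLE row on the website's parent folder explains exactly
        # how an ASP page running as that identity could drop a file there.
        '{0,-13} {1,-42} {2,-9} {3}' -f $flag, $id, $src, $ace.FileSystemRights
    }
}
```

Inherited rows matter as much as explicit ones: a broad Users or Everyone grant inherited from C:\inetpub is the usual reason a folder the IUSR account was never explicitly given rights to is still writable.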