Re: File System Object Lockdown...possible?
From: Jason (Jason_at_discussions.microsoft.com)
Date: 10/03/05
- Previous message: Jason: "Re: File System Object Lockdown...possible?"
- In reply to: David Wang [Msft]: "Re: File System Object Lockdown...possible?"
- Next in thread: David Wang [Msft]: "Re: File System Object Lockdown...possible?"
- Reply: David Wang [Msft]: "Re: File System Object Lockdown...possible?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Oct 2005 07:48:08 -0700
More info for you
When I simply add the IUSR account to the folder and DENY write access, then
it doesn't let the file write. But if the IUSR user isn't listed at all,
then it does allow me to write a file when executing the ASP script. I can't
write a file from any other mechanism other than ASP, but it does work if I
don't explicitly deny write access.
"David Wang [Msft]" wrote:
> If there is no Authentication protocol enabled for his application other
> than Anonymous, then the only user accounts he can use are:
> 1. Your configured Anonymous user account, which you control
> 2. The process identity of the Application Pool running the application,
> which you control
> 3. An NT user that he has on the system, which you may/not control
>
> Your situation pretty much has to fit into one of those three categories.
>
> At which point, you need to provide the exact ACLs that are placed on the
> directories of interest, and hopefully we will see what is going on.
>
>
> global.asa and IWAM have very little to do with the situation. Just think
> about that statement for a moment -- why in the world would IIS specially
> impersonate IWAM just to run global.asa ??? What is more likely going on in
> that situation is this -- on IIS4/5, when an application is configured to
> run as medium/high isolation, code is executed in dllhost.exe which uses
> IWAM as the process identity. Now, for some ASP events, a request is NOT
> associated (i.e. like the OnEnd() event), so ASP has no impersonated
> identity from the request to use (i.e. IUSR for the anonymous authenticated
> requests), so it can ONLY use the process identity (in this case, IWAM since
> it is medium/high isolation). This leads to apparently both IUSR and IWAM
> identity being used to execute an ASP page.
>
> Is that the situation here? Nope. On IIS6 worker process isolation mode,
> everything is running in w3wp.exe, whose process identity is controlled by
> the Application Pool. This means that the only identities available to an ASP
> page are the impersonated identity (since you only have anonymous
> authentication enabled, then only IUSR), the process identity (Network Service
> by default), or a local NT user identity that the app custom logs in as.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Jason" <Jason@discussions.microsoft.com> wrote in message
> news:2C68B091-07E4-4C05-9A9C-57B42E2183EE@microsoft.com...
> David,
>
> Thanks for the info. In this case, he is uploading a file using the
> anonymous user. It is actually a banner management system he created for
> his site so all he needs to do is log in to his system using his own custom
> login system then upload a file. Therefore, there is no NT authentication
> allowing him to run his script other than with the anonymous user. I have
> also verified that his site does use the IUSR account to run as anonymous.
> Now I did read somewhere that if the site uses a global.asa file, the site
> uses the IWAM account for anonymous access but I don't think that's the
> case. Either way, I have checked and verified that the site runs anonymous
> using the IUSR account. BTW, this is on IIS 6 using Windows 2003. I also
> checked the application pool the site uses and the identity for that uses the
> pre-defined "Network services" setting.
>
> Any other ideas?
>
> "David Wang [Msft]" wrote:
>
> > FileSystemObject depends on NTFS ACLs for lockdown.
> >
> > If a developer is able to create a file in a folder outside his website, it
> > means that you have misconfigured the server. If IUSR does not have
> > permissions to write to that folder, it means that the developer/application
> > is NOT running as IUSR when writing the file.
> >
> > You should know what identity that developer/application is using and make
> > sure to ACL appropriately.
> >
> > In this case, your system's security depends heavily on how you configure it
> > and "lock down" completely depends on you.
> >
> > --
> > //David
> > IIS
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Jason" <Jason@discussions.microsoft.com> wrote in message
> > news:48243F72-0C75-45E2-A383-6BAF58B4EF3B@microsoft.com...
> > Is it possible to lock down a developer's access to server files? I know
> > using NTFS, I can lock down the IUSR_MACHINENAME account to not have access
> > to certain folders and files but even with that, I have found that a sloppy
> > developer was actually able to create a file in a folder up one from his
> > website without the IUSR user having permissions to. Anyone know how I can
> > stop it?
> >
> > In case more information is needed, the developer was writing some code to
> > allow users to upload files to a folder on his site. In doing so, he was
> > saving the files to the wrong folder, which was the parent folder of his
> > website....which the IUSR account does not have any rights specified. I had
> > him correct the problem but I don't know why he was able to or how to stop
> > him or another developer from doing the same thing...or worse yet, write
> > files to another website's folder.
> >
> > Thanks in advance!
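To see which ACE is actually letting the write through in a case like this one (an explicit Deny on IUSR blocks it, but with no IUSR entry the write still succeeds), the folder's ACL can be audited for every identity an anonymous IIS 6 request can run as: the anonymous account, the application pool identity, and the groups those accounts belong to. The following PowerShell script is an added example, not something from the thread or from Microsoft; the folder path and the `IUSR_MACHINENAME` name are assumed placeholders, and it assumes PowerShell is available on the server.

```powershell
# Added example: list the ACEs on a folder that grant or deny write rights to the
# identities an IIS 6 anonymous ASP request can run under. Folder and account
# names below are assumed placeholders; replace them with the real values.
param(
    [string]$Folder = 'D:\WebSites',                        # assumed parent folder
    [string[]]$Principals = @(
        'IUSR_MACHINENAME',                                 # assumed anonymous account
        'NT AUTHORITY\NETWORK SERVICE',                     # default app pool identity
        'BUILTIN\Users',                                    # groups those accounts belong to
        'Everyone',
        'NT AUTHORITY\Authenticated Users'
    )
)

# CreateFiles (WriteData) and AppendData are the bits that let a caller create
# or add to files; Modify and FullControl include them, so the mask catches those too.
$writeBits = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

$acl = Get-Acl -Path $Folder
foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value
    # Match a bare account name against its domain-qualified form (HOST\IUSR_...).
    $hit = $Principals | Where-Object { $name -eq $_ -or $name.EndsWith('\' + $_) }
    if (-not $hit) { continue }
    # Generic rights on inherited ACEs can show up as large negative numbers;
    # those rows are printed unfiltered so they are not silently skipped.
    $rights = [int]$ace.FileSystemRights
    if ($rights -gt 0 -and ($rights -band [int]$writeBits) -eq 0) { continue }
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    '{0,-5} {1,-9} {2,-40} {3}' -f $ace.AccessControlType, $source, $name, $ace.FileSystemRights
}
```

An Allow row for a group such as Users or Everyone, or for the application pool identity, explains a write that succeeds without any IUSR entry; a Deny row for IUSR wins over any Allow it inherits through group membership, which is why the explicit Deny stops it.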