Re: Network service default permissions (Final Considerations)



Hi Folks,

Although it seems that nobody is reading this post any longer, I'll
update it anyway.
I just finished the tests with a totally fresh and clean Windows Server
2003 installation and proved that "Network Service" does have write
permission on folders, despite what was said before. It appears that
Network Service belongs to the "Authenticated Users" group and by consequence to
the "Users" group, allowing it to create files and folders by default. Once
it has created the resource it has full control over it as creator owner, which
means that it can execute files created by itself. The effective permissions
were checked with the AccessChk utility from Sysinternals and the "Advanced
Security" form of Windows Explorer, and tests successfully made with a very
simple ASP.NET page under a default installation proved that.
In summary, by default, the "Network Service" user can create folders in any
partition (C:, D:, etc.) and, in a lot of other folders including C:\INETPUB,
it can create files and folders. It cannot create files under wwwroot since
this folder prevents inheritance of the parent folder's permissions and
overrides the defaults to "Read & Execute" only.
Again, I'm not implying that IIS is insecure "out-of-the-box" or
anything else, but it does mean that IIS doesn't run as "low privileged" as
said. Also, in my opinion, some explicit advice could be added to
Microsoft's recommendations regarding IIS configuration. For example, it is
recommended to use a different partition to store content and log files,
without any hints regarding the default permissions granting the "Users" group. In
most scenarios, I guess, the Users group could be safely removed from those
partitions, and explicit permissions assigned to the IIS_WPG group or
similar.

Cheers,

Eric.
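The check Eric describes (which volume roots and folders grant create-file/create-folder rights to the broad groups Network Service is a member of) and the hardening he suggests (drop the Users ACE from a dedicated content partition, grant IIS_WPG an explicit read-and-execute ACE) can both be scripted. The following is an added example written for this page, not code from the original post or from Microsoft; it assumes a hypothetical content partition `D:\WebContent` and the local IIS 6 worker process group `IIS_WPG`, and it only changes anything when run with `-Harden`.

```powershell
# Added example, not part of the original newsgroup post.
# Audits which paths give create-file/create-folder rights to groups that
# Network Service belongs to (BUILTIN\Users via Authenticated Users), and,
# with -Harden, applies the poster's suggested fix to a content partition.
# Assumptions (mine, not the poster's): the content partition is
# D:\WebContent and the worker process group is the local IIS_WPG group.
param(
    [string[]]$Paths = @((Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }) + 'C:\Inetpub'),
    [string]$ContentRoot = 'D:\WebContent',   # hypothetical content partition
    [string]$WorkerGroup = 'IIS_WPG',         # IIS 6 worker process group
    [switch]$Harden
)

# CreateFiles is the same bit as WriteData, CreateDirectories the same as
# AppendData; either one lets the caller plant content in the folder.
$CreateRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories

# Groups that Network Service is a member of directly or by nesting.
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-BroadWriteGrants {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isBroad      = $BroadGroups -contains $ace.IdentityReference.Value
        $grantsCreate = ($ace.FileSystemRights -band $CreateRights) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsCreate) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-ContentRootPermissions {
    param([string]$Path, [string]$Group)
    # Pass 1: stop inheriting from the volume root so the default Users ACE
    # cannot flow back in, keeping copies of the current ACEs (Administrators,
    # SYSTEM) as explicit entries.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: re-read so the former inherited ACEs are now explicit, purge the
    # broad groups, and add a single explicit read/execute ACE for the worker group.
    $acl = Get-Acl -Path $Path
    foreach ($g in $BroadGroups) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($g)))
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Report every broad-group ACE that allows creating files or folders.
$findings = foreach ($p in $Paths) {
    if (Test-Path -Path $p) { Get-BroadWriteGrants -Path $p }
}
$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize

if ($Harden) {
    if (Test-Path -Path $ContentRoot) {
        Set-ContentRootPermissions -Path $ContentRoot -Group $WorkerGroup
        Get-BroadWriteGrants -Path $ContentRoot   # should now print nothing
    } else {
        Write-Warning "Content root $ContentRoot does not exist; nothing changed."
    }
}
```

Run it without `-Harden` first: on a default installation the report should list the volume roots and C:\Inetpub with `BUILTIN\Users` carrying `CreateFiles` and `CreateDirectories`, which is the behaviour the post describes, while wwwroot is absent because it breaks inheritance. The hardening is done in two `Set-Acl` passes on purpose: protecting the DACL and purging ACEs in one in-memory step leaves the inherited entries untouched, so the Users ACE would survive.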

