Re: IIS Anonymous Security Issue



It sounds to me that this is entirely a failure in the design of
your provider's hosting and services model. IIS 6 is completely
capable of safely/securely hosting content without opening it up
to problems that, as you note, do arise from allowing the accounts
used on the IIS backside to have write permissions on the content,
and yet also allow you to have accounts (different) that do have
that ability. They are just passing the buck saying that they are
waiting for Windows to solve their poor service model.

Roger

"Reda Zeid" <RedaZeid@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:94D4801C-E466-4F17-A91A-AA0AD784A55C@xxxxxxxxxxxxxxxx
Hi,

We're using a content editor (as a backend) to update our website frontend
contents (WYSIWYG). The problem is that when we try to update the contents
through this backend, the server denies it and gives us the following
message:

" r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE
account (IIS6) has no write privileges for this file. The changes were not
applied"

When we contacted the hosting company, they replied that we have to give
write privileges to the IIS Anonymous user on our server so we can solve
this issue, but this will cause another problem: this action will
negatively affect the server security, and therefore hackers can hack our
website more easily. They said that this is a Windows Server bug and there
is no solution for it yet. Kindly reply to me with what we should do, and
is the above info correct that it can't be solved in the right way?

We're using Windows Server 2003 Standard Edition and the page that we're
trying to update through the content editor is an ASPX.

Regards,
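
An added example, not part of the original thread: a PowerShell audit that lists where the accounts IIS uses to serve requests hold write-type rights on a content tree, which is the exposure both posts are concerned with. The content path and the account name patterns are assumptions, and the script assumes Windows PowerShell 2.0 or later.

```powershell
# Added example: report write-type ACEs held by IIS serving identities.
param(
    [string]$ContentRoot = 'D:\Sites\example\wwwroot',   # hypothetical path
    # Assumed name patterns: the anonymous and worker-process accounts, plus
    # broad groups that those accounts normally fall under.
    [string[]]$ServingIdentities = @(
        '*\IUSR_*', '*\IWAM_*', '*\ASPNET',
        'NT AUTHORITY\NETWORK SERVICE',
        'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
)

# Only the bits that allow changing content. Modify and FullControl are not
# named here because they also contain read bits; any ACE granting them still
# matches through the write and delete bits they include.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can surface raw generic rights: GENERIC_WRITE, GENERIC_ALL.
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

$items = @(Get-Item -LiteralPath $ContentRoot) +
         @(Get-ChildItem -LiteralPath $ContentRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }
        $id = $ace.IdentityReference.Value
        if (-not ($ServingIdentities | Where-Object { $id -like $_ })) { continue }
        New-Object PSObject -Property @{
            Path      = $item.FullName
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # False marks where the grant was set
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity |
        Select-Object Path, Identity, Rights, Inherited |
        Format-Table -AutoSize
    # Explicit (non-inherited) grants are the entries to review first.
    $explicit = @($findings | Where-Object { -not $_.Inherited })
    Write-Output ("{0} write-capable ACE(s), {1} set explicitly" -f
                  @($findings).Count, $explicit.Count)
} else {
    Write-Output "No write-type rights for serving identities under $ContentRoot"
}
```

Get-Acl takes the path as a wildcard pattern here, so file names containing square brackets need separate handling.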

