"PL" <pblse2@yahoo.se> wrote in message
news:#rMw3patDHA.684@TK2MSFTNGP09.phx.gbl...
> We are providing hosting for our members on an IIS6/W2k3 standard server,
> we are now considering offering scripting support but I seem to run in to
numerous
> security issues with this.
>
> The problem here is that each member does not have it's own virtual dir,
we already
> have thousands of members and it's not really feasable to try and change
this.
>
> All member sites are in a folder called members, we created a virtual dir
called
> members under our main site. We then created a separate app pool for the
member
> virtual dir and created two new user accounts, IUSR_MEMBERS and
IWAM_MEMBERS
> which we entered as the anonymous user accounts on the app pool and the
member virtual dir.
>
> So far so good.
>
> Now, we set the security on all folders so the IUSR and IWAM_members have
read and
> write permissions in the member folders and nowhere else, this is because
we want them for
> example to be able to run access db's (which would need write to update
properly).
>
> Here the problem starts, even though they can't write outside the member
dir they can still write
> to other members folders !
>
> I thought I could fix this issue by setting permissions on the reg keys
for the FileSystemObject
> and that worked fine, the problem is just the other objects with save
capabilities which we need
> like for example the SaveAs in ADODB.Recordset or the ServerXML objects
methods, we can't
> disable everything because then there would be no point in offering
scripting support.
>
> Exactly how do I do this ? Any pointers or ideas would be appreciated.
>
> PL.
>
>

> Since your case you have thousands of them, you might want
> to utilize user groups to go together with the user accounts.

"PL" <pblse2@yahoo.se> wrote in message
news:uELGJZqtDHA.560@TK2MSFTNGP11.phx.gbl...
> > Since your case you have thousands of them, you might want
> > to utilize user groups to go together with the user accounts.
>
> The issue is, how to I prevent one member from writing in another
> members dir without having to configure a separate virtual dir and
> separate IUSR and IWAM accounts for each user ?
>
> Seems this is not thought through in IIS, MS relys way to much on
> ACL which does not give enough fine grained control when you
> start to need complicated setups.
>
> All could be solved if there was a simple solution like a setting in IIS
> "only allow file IO in the running asp scripts folder", done ! No editing
> keys in registry to try and prevent users from using certain objects
> or setting separate accounts/virtual folders !
>
> I can't belive that all hosting companys specify separate virtual folders
> and user accounts for each user they setup ? It must quickly become
> unmanagable.
>
> PL.
>
>