I thought the same thing. Therefore, I first verified the groups the IUSR
user was in, then checked the folder to see if the group had rights. It
didn't. The IUSR user is only part of the "guests" group, default in Win
2k3. In the directory that should not have been written to, there was
nothing specified for either the "guests" group or the IUSR user. I know
this makes no sense but that's what it is. I checked for both inherited
user or group. As stated before, the only way I am able to stop him from
deny write access. That did the trick but it shouldn't be that way. I
"David Wang [Msft]" wrote:
> Seems like IUSR has been added to *some* group that is effectively allowed
> write access on the directory. Start looking through groups that *do* have
> write access on the directory and test for effective membership of IUSR in
> them.
>
> For example, sometimes people add IUSR to Administrators group for "Testing"
> and later forget to remove it.
>
> --
> //David
> IIS
>
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Jason" <Jason@discussions.microsoft.com> wrote in message
> news:BA5190A7-F1A1-4241-8FF0-98059028040D@microsoft.com...
> More info for you
>
> When I simply add the IUSR account to the folder and DENY write access, then
> it doesn't let the file write. But if the IUSR user isn't listed at all,
> then it does allow me to write a file when executing the ASP script. I can't
> write a file from any other mechanism other than ASP, but it does work if I
> don't explicitly deny write access.
>
> "David Wang [Msft]" wrote:
>
> > If there is no Authentication protocol enabled for his application other
> > than Anonymous, then the only user accounts he can use are:
> > 1. Your configured Anonymous user account, which you control
> > 2. The process identity of the Application Pool running the application,
> > which you control
> > 3. A NT user that he has on the system, which you may/not control
> >
> > Your situation pretty much has to fit into one of those three categories.
> >
> > At which point, you need to provide the exact ACLs that are placed on the
> > directories of interest, and hopefully we will see what is going on.
> >
> >
> > global.asa and IWAM have very little to do with the situation. Just think
> > about that statement for a moment -- why in the world would IIS specially
> > impersonate IWAM just to run global.asa ??? What is more likely going on in
> > that situation is this -- on IIS4/5, when an application is configured to
> > run as medium/high isolation, code is executed in dllhost.exe which uses
> > IWAM as the process identity. Now, for some ASP events, a request is NOT
> > associated (i.e. like the OnEnd() event), so ASP has no impersonated
> > identity from the request to use (i.e. IUSR for the anonymous authenticated
> > requests), so it can ONLY use the process identity (in this case, IWAM since
> > it is medium/high isolation). This leads to apparently both IUSR and IWAM
> > identity being used to execute an ASP page.
> >
> > Is that the situation here? Nope. On IIS6 worker process isolation mode,
> > everything is running in w3wp.exe, whose process identity is controlled by
> > the Application Pool. This means that the only identities available to an ASP
> > page are the impersonated identity (since you only have anonymous
> > authentication enabled, then only IUSR), process identity (Network Service
> > by default), or a local NT user identity that the app custom logins.
> >
> > --
> > //David
> > IIS
> >
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Jason" <Jason@discussions.microsoft.com> wrote in message
> > news:2C68B091-07E4-4C05-9A9C-57B42E2183EE@microsoft.com...
> > David,
> >
> > Thanks for the info. In this case, he is uploading a file using the
> > anonymous user. It is actually a banner management system he created for
> > his site so all he needs to do is log in to his system using his own custom
> > login system then upload a file. Therefore, there is no NT authentication
> > allowing him to run his script other than with the anonymous user. I have
> > also verified that his site does use the IUSR account to run as anonymous.
> > Now I did read somewhere that if the site uses a global.asa file, the site
> > uses the IWAM account for anonymous access but I don't think that's the
> > case. Either way, I have checked and verified that the site runs anonymous
> > using the IUSR account. BTW, this is on IIS 6 using Windows 2003. I also
> > checked the application pool the site uses and the identity for that uses the
> > pre-defined "Network services" setting.
> >
> > Any other ideas?
> >
> > "David Wang [Msft]" wrote:
> >
> > > FileSystemObject depends on NTFS ACLs for lockdown.
> > >
> > > If a developer is able to create a file in a folder outside his website, it
> > > means that you have misconfigured the server. If IUSR does not have
> > > permissions to write to that folder, it means that the developer/application
> > > is NOT running as IUSR when writing the file.
> > >
> > > You should know what identity that developer/application is using and make
> > > sure to ACL appropriately.
> > >
> > > In this case, your system's security depends heavily on how you configure it
> > > and "lock down" completely depends on you.
> > >
> > > --
> > > //David
> > > IIS
> > >
> > > http://blogs.msdn.com/David.Wang
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > //
> > > "Jason" <Jason@discussions.microsoft.com> wrote in message
> > > news:48243F72-0C75-45E2-A383-6BAF58B4EF3B@microsoft.com...
> > > Is it possible to lock down a developer's access to server files? I know
> > > using NTFS, I can lock down the IUSR_MACHINENAME account to not have access
> > > to certain folders and files but even with that, I have found that a sloppy
> > > developer was actually able to create a file in a folder up one from his
> > > website without the IUSR user having permissions to. Anyone know how I can
> > > stop it?
> > >
> > > In case more information is needed, the developer was writing some code to
> > > allow users to upload files to a folder on his site. In doing so, he was
> > > saving the files to the wrong folder, which was the parent folder of his
> > > website....which the IUSR account does not have any rights specified. I had
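The following is an added example, not part of the thread above and not Microsoft code: a small Python model of how NTFS evaluates a DACL, written to show the two things David and Jason circle around. First, an account that appears nowhere in a folder's ACL can still hold effective write access through a group it belongs to indirectly (here the assumption is that IUSR's logon token carries "Authenticated Users", which on Windows Server 2003 is a member of the local "Users" group, and that the parent folder carries the volume-root default grant of "Create Files / Write Data" to "Users"; both are assumptions to verify on the real box, for example with the Effective Permissions tab of the ACL editor). Second, an explicit Deny ACE wins because it is evaluated before inherited Allow entries. The group nesting, the token contents and the sample DACL are constructed for this example.

```python
"""Model of NTFS DACL evaluation (constructed example, not Windows API calls).

The ACE ordering and the deny-beats-allow rule follow the documented
AccessCheck behaviour; group memberships and the sample DACL are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Subset of the FILE_* access-mask bits.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002       # "Create Files / Write Data" in the ACL editor
FILE_APPEND_DATA = 0x0004      # "Create Folders / Append Data"
FILE_EXECUTE = 0x0020
FULL_CONTROL = 0x1F01FF
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # principal name; stands in for the SID
    mask: int
    inherited: bool = False


# Group nesting. Assumption: IUSR is only in Guests (as the thread states) and
# the local Users group contains Authenticated Users (Server 2003 default).
MEMBER_OF = {
    "IUSR_MACHINENAME": {"Guests"},
    "Authenticated Users": {"Users"},
}


def expand_token(user: str, logon_groups: FrozenSet[str]) -> FrozenSet[str]:
    """Principals in a token: the user, the groups the logon adds, and every
    group reachable through MEMBER_OF (transitively)."""
    token = {user, *logon_groups}
    frontier = list(token)
    while frontier:
        for g in MEMBER_OF.get(frontier.pop(), ()):
            if g not in token:
                token.add(g)
                frontier.append(g)
    return frozenset(token)


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow. This is why an explicit Deny beats an inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(dacl: List[Ace], token: FrozenSet[str], desired: int) -> bool:
    """Walk the DACL in canonical order: a matching deny on any still-wanted
    bit fails the check; matching allows accumulate until nothing is left."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def who_grants(dacl: List[Ace], token: FrozenSet[str], desired: int) -> List[str]:
    """David's step: trustees whose Allow ACEs cover the wanted bits AND of
    which the token is effectively a member."""
    return sorted({a.trustee for a in dacl
                   if a.kind == "allow" and a.mask & desired and a.trustee in token})


# Constructed DACL of the folder one level above the web site: nothing names
# IUSR or Guests, only entries inherited from the volume root. The Users
# entries mirror the Windows Server 2003 root defaults (assumption).
PARENT_DACL = [
    Ace("allow", "Administrators", FULL_CONTROL, inherited=True),
    Ace("allow", "SYSTEM", FULL_CONTROL, inherited=True),
    Ace("allow", "Users", FILE_READ_DATA | FILE_EXECUTE, inherited=True),
    Ace("allow", "Users", WRITE_BITS, inherited=True),
]

# Assumption: IIS logs IUSR on with its password, a real network logon, so
# the token carries Authenticated Users (and therefore Users).
IUSR_TOKEN = expand_token("IUSR_MACHINENAME",
                          frozenset({"Everyone", "Authenticated Users", "NETWORK"}))


def with_explicit_deny(dacl: List[Ace], trustee: str, mask: int) -> List[Ace]:
    """Jason's workaround: an explicit Deny ACE for IUSR on the folder."""
    return [Ace("deny", trustee, mask)] + list(dacl)


def demo():
    before = access_check(PARENT_DACL, IUSR_TOKEN, FILE_WRITE_DATA)
    culprits = who_grants(PARENT_DACL, IUSR_TOKEN, FILE_WRITE_DATA)
    hardened = with_explicit_deny(PARENT_DACL, "IUSR_MACHINENAME", WRITE_BITS)
    after = access_check(hardened, IUSR_TOKEN, FILE_WRITE_DATA)
    still_reads = access_check(hardened, IUSR_TOKEN, FILE_READ_DATA)
    return before, culprits, after, still_reads


if __name__ == "__main__":
    print(demo())
```

Under these assumptions `demo()` reports that IUSR can write before the change, that the only trustee granting that write which IUSR is effectively a member of is "Users", and that the explicit Deny removes write while leaving read intact. The Deny works only because explicit entries are evaluated ahead of inherited ones; the more durable fix is to find the grant `who_grants` points at and remove or un-inherit it, so the folder is locked down by what it allows rather than by a patch on top of an over-broad inheritance.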