Giving Internet Guest account full access to folders

"Luke" <L***@discussions.microsoft.com> wrote in message
news:B07ED17E-CFC9-4037-BAC0-DDF5DF397203@microsoft.com...

One of our developers wants to give Internet guest account (IUSR) and IIS
Process Account (IWAM) accounts full access to some of the folders on a
Windows 2000 Advanced Server. Is this a good practice? Please let me know.


"Ken Schaefer" wrote:

Why does the developer want to do this? is probably the first question I
would ask. Full Control allows not just Read/Write/Execute/Delete (RWD), but
also "Change Permissions", "Take Ownership" etc - are those additional
permissions required? Lastly, allowing the configured anonymous user account
this type of access means that if there's a bug in your application, any person
out there on the 'net can use your application to write arbitrary content
(or delete content) on your website (e.g. delete your entire website, or
replace the homepage, or write/add any type of file they want)

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Luke" <L***@discussions.microsoft.com> wrote in message
news:CC8643BB-86AE-40AE-9948-25A5EA4C7CD7@microsoft.com...

Thank you for your quick reply. Is there any documentation I can read more
about IIS security? According to the developer the application needs to have
access to some of the folders. They also use one of the userids for anonymous
access.


"Ken Schaefer" wrote:

Hi,

This isn't IIS security per se - it's general Windows NTFS security
permissions. This is covered in most books on managing Windows servers.

What makes this situation potentially more dangerous is that:

a) you are doing this on a webserver, and webservers are accessible by
remote users

b) you are doing this for the special IIS anonymous user account - this
account is there so that remote users do not need to supply Windows
credentials to access the server. So, such a remote user might be able to get
write (or delete) access to your server without having to supply a valid
Windows username/password *if* your application doesn't adequately protect
your server.

So, the question is, *why* do your developers need this access. You still
haven't answered that question. Perhaps there is no other possible way of
accomplishing what they want to do, and you will need to put your efforts
into ensuring that their application is robustly coded. Or maybe there is an
alternate, less risky way to achieve what they want.

Cheers
Ken


On Thu, 30 Jun 2005 19:05:03 -0700, "Luke"
<L***@discussions.microsoft.com> wrote:

>Thank you for your quick reply. Is there any documentation I can read more
>about IIS security? According to the developer the application needs to have
>access to some of the folders. They also use one of the userids for anonymous
>access.

It probably needs Modify, not Full Control. The documentation is basic
Windows NTFS permissions, any decent administration book should help.

An example of this is using an Access database. The MDB file that is the
database needs Modify permissions or nothing can be written to the database.
The folder also needs the same security, because Access creates a lock file
when it opens the database.

It's not an unusual request, it's just that you should understand the risks
and mitigate them as best you can while providing functionality.

Jeff
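The two points the replies make, that Full Control hands the anonymous account "Change Permissions" and "Take Ownership" on top of read/write/delete, and that a folder an application must write to (the Access .mdb and its lock file) needs Modify rather than Full Control, can be checked and enforced with a script. The following is an added example, not code from the thread or from Microsoft. It assumes a current Windows host with PowerShell (Windows 2000 predates PowerShell), a web root of C:\inetpub\wwwroot, and the identity names in $Identities, which are the IIS 5 style IUSR_<MACHINE> / IWAM_<MACHINE> accounts from the thread plus the IIS 7+ equivalents NT AUTHORITY\IUSR and IIS APPPOOL\DefaultAppPool; adjust them to the accounts your site actually runs as.

```powershell
# Added example, not from the newsgroup thread. Audits NTFS ACEs under a web root
# for IIS anonymous/process identities that hold Change Permissions or Take
# Ownership (the rights that separate Full Control from Modify) and, with -Fix,
# replaces such explicit grants with Modify.
# Assumptions: PowerShell 3+ on a modern Windows host; the default web root path;
# the identity names below (IUSR_<MACHINE>/IWAM_<MACHINE> on IIS 5, the built-in
# IUSR and IIS APPPOOL\<pool> virtual account on IIS 7+). Adjust for your server.

param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string[]]$Identities = @(
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
        "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME",
        'NT AUTHORITY\IUSR',
        'IIS APPPOOL\DefaultAppPool'
    ),
    [switch]$Fix
)

# Full Control is Modify plus Change Permissions, Take Ownership, Delete Subfolders
# and Files (and Synchronize). Either of the first two lets the account rewrite the
# ACL itself, so a bug in the web application becomes a permanent foothold rather
# than a one-off write; those are the bits the audit looks for.
$ChangePermissions = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
$TakeOwnership     = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-OverPrivilegedAce {
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $ChangePermissions) -ne 0) -or (($rights -band $TakeOwnership) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs have to be fixed at the parent
            }
        }
    }
}

function Set-ModifyInsteadOfFullControl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    # Remove the explicit Allow ACEs for this identity; RemoveAccessRule cannot touch
    # inherited ones, which is why the audit reports the Inherited flag.
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity
    })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    # Modify on the folder, inherited by subfolders and files, covers the case in the
    # thread: the application can write the .mdb and create the lock file beside it,
    # but cannot change the ACL or take ownership of anything.
    $ruleArgs = @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Walk the web root and every subfolder; files inherit from these in the normal case.
$folders  = @(Get-Item -LiteralPath $WebRoot) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory)
$findings = foreach ($f in $folders) { Get-OverPrivilegedAce -Path $f.FullName -Identities $Identities }

if (-not $findings) { "No over-privileged ACEs for $($Identities -join ', ') under $WebRoot" }
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($hit in ($findings | Where-Object { -not $_.Inherited })) {
        Set-ModifyInsteadOfFullControl -Path $hit.Path -Identity $hit.Identity
        "Replaced $($hit.Rights) with Modify for $($hit.Identity) on $($hit.Path)"
    }
}
```

Run it without -Fix first (for example `.\Audit-WebRootAcl.ps1 -WebRoot 'D:\sites\app'`, the script name being an assumption) to see which folders grant the anonymous or worker-process identity more than Modify; an entry marked Inherited means the over-grant comes from a parent folder and has to be corrected there. Only the specific folders the application must write to, such as the one holding the Access database, should receive even Modify; the rest of the site stays read-only for these identities.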