
Lock user in website folder

13 Mar 2006 12:10 AM
ttopholm
How can I lock an iusr_ so it can't go out of its wwwroot folder...

Because I found a script which can show my whole C: drive with FSO in ASP,
but I want to disable that so it can only see the wwwroot and not outside
it.

In the PHP engine you have open_basedir; do you also have that in IIS?

And is it possible to configure open_basedir for each virtual website in IIS?

I hope you can help.

13 Mar 2006 5:19 AM
Ken Schaefer
Change NTFS permissions on your hard disk.

You don't tell us what OS you are using. For Windows 2000/XP and Server 2003,
there are various pre-canned security templates from Microsoft you can apply
to lock down file system permissions.

Cheers
Ken

13 Mar 2006 7:50 AM
David Wang [Msft]
To lock IUSR so that it cannot go outside of its folder, you simply remove
the filesystem ACLs for the IUSR account from everywhere it should not be.

Any other solution simply implements security checks as a layer on top of the
filesystem, which means that if someone finds a way to bypass that security by
going directly to the filesystem, you have no security.

FSO is generic server-side functionality that talks directly to the
filesystem APIs, so NTFS ACL is the only security model.

If you want bounded behavior, use ASP.Net, which via CAS gives you a
manageable, bounded behavior in Managed Code which sits on top of the
filesystem.

This is basically what open_basedir() in PHP does as well - it gives you
bounded behavior that sits on top of the filesystem.

But both can obviously be bypassed if you allow direct calls to the
filesystem. So ultimately, if you don't want IUSR to be able to enumerate C:,
then remove read access for IUSR from C: and it won't be able to, no matter
what.


As for open_basedir() behavior: that is a PHP question best asked within PHP
forums.


--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

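A worked version of the advice in David's reply, added here as an example; it is not code from the thread, from Microsoft or from IIS itself. It assumes IIS 6 on Windows Server 2003, an anonymous account named IUSR_<COMPUTERNAME> and a site root of C:\Inetpub\wwwroot (the account name and the path are assumptions, as is the use of PowerShell on a 2003-era box). It first lists the groups the account belongs to, because an account that does not appear as its own entry in the Security tab normally gets its access through BUILTIN\Users, Everyone or Authenticated Users; it then audits which ACEs on C:\ and on the site root apply to the account through any of those names, and finally replaces any direct IUSR entries on the site root with a single read-only grant.

```powershell
# Added example, not code from the thread. Assumptions (not stated in the thread):
# IIS 6 on Windows Server 2003, anonymous account IUSR_<COMPUTERNAME>, site root
# C:\Inetpub\wwwroot. Run in an elevated PowerShell prompt on the web server.
$iusr    = "IUSR_$env:COMPUTERNAME"      # on IIS 7 and later the account is plain "IUSR"
$webRoot = 'C:\Inetpub\wwwroot'

# 1. Group membership. Access that never shows up as an IUSR entry in the
#    Security tab usually arrives through a group: Users, Everyone, Authenticated Users.
$user   = [ADSI]"WinNT://./$iusr,user"
$groups = @($user.Groups() | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"$iusr is a member of: $($groups -join ', ')"

# Every principal whose ACEs effectively apply to IUSR.
$principals = @($iusr, 'Everyone', 'Authenticated Users') + $groups

function Get-IusrAces {
    # Return the ACEs on $Path that allow or deny anything to IUSR, directly or via a group.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        # strip the BUILTIN\ / NT AUTHORITY\ / MACHINE\ prefix before comparing names
        $name = $_.IdentityReference.Value.Split('\')[-1]
        $principals -contains $name
    }
}

# 2. Audit: what can IUSR reach on the drive root and on the site root right now?
foreach ($p in 'C:\', $webRoot) {
    "--- $p"
    Get-IusrAces -Path $p |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

# 3. Remediate on the site root. Taking the account out of BUILTIN\Users (as the
#    poster did) removes the inherited Users grant on C:\; the explicit entry added
#    here is what keeps the site itself readable afterwards.
$acl = Get-Acl -Path $webRoot

# drop every non-inherited ACE that names IUSR directly, then add one read-only grant
$acl.Access | Where-Object {
    $_.IdentityReference.Value.Split('\')[-1] -eq $iusr -and -not $_.IsInherited
} | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $iusr, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($readOnly)
Set-Acl -Path $webRoot -AclObject $acl       # append -WhatIf to preview without writing

# 4. Re-check the drive root. An Everyone or Authenticated Users ACE on C:\ is the
#    usual leftover; if it grants more than you intend, remove it there the same way.
Get-IusrAces -Path 'C:\' | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats follow from David's point. First, this is an audit of ACEs, not an effective-permissions calculation: a Deny entry on a parent or a grant to a nested group can still change the result, so re-run the FSO script as the anonymous user after the change rather than trusting the listing alone. Second, nothing here is a sandbox in the open_basedir sense; the account can read exactly what NTFS lets it read, which is the whole point of the reply.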
13 Mar 2006 9:25 AM
ttopholm
I am using Windows 2003.

I have solved the php problem.

But how do I remove the iusr_ from the C: drive? It doesn't show in the
Security tab, and I have removed it from the Users group.

/Tue
