Help setting up IIS for security reasons.


  1. #1
    Dalan Galma Guest

    Well, here's my problem. My admin for is an idiot, and he's taken away a good amount of ASP functionality because there are "security holes"... for example the FileSystemObject allows manipulation of any file on the system if the server isn't set correctly... it also allows me to read text files into my scripts, which I need. Likewise with Mail, and custom COM components. However, I know that at least in UNIX, you can restrict the scripts from each person's account from touching anything that person doesn't own, and same with mail, etc. Can this be done with IIS? How can I tell him to change the server settings so it will be OK for him to allow me to install my own components, send mail, and install my own components? Right now he's not so much worried about me screwing up the server as allowing other people access to the scripts, but I think if permissions were limited to each user's directory things would be safe... any help would be appreciated.

  2. #2
    Markkk Guest

    YES; you should be able to do it on NT/IIS. It's a little more work for System ADMIN people and there may be some limitations (in-process & out-of-process considerations).

    The web server ADMIN must create a separate ASP Application for each web Client. The default NTFS Account (used for Anonymous Authentication) for each of these ASP Applications must be different and not use the same default NT Account (IUSR_MachineName) for all ASP Applications. If you use the same NTFS default Account, then each ASP Application will have permission to READ, WRITE or even CHANGE and DELETE files in other ASP Applications through the FileSystem Object.

    What your ADMIN people are doing (probably) is using the same default account for all ASP Applications; namely the IUSR_MachineName account. This allows one ASP Application (Company X) to have the same NTFS permissions as other ASP Applications (Companies A, B and C), because they all use the same default NTFS Account for Anonymous Authentication (the IUSR_MachineName Account).

    Your ADMIN people should be able to create a unique NTFS Account for each ASP Application. These unique NTFS Accounts should then be the default Account used in the IIS ASP Application for Anonymous Authentication. This unique NTFS Account should only have NTFS permissions to READ, WRITE, CHANGE, DELETE files under your virtual domain or virtual directory, not the others of other web clients.

    With this technique, an Anonymous User hitting ASP Application X (Company X) only has NTFS permission to enter Company X directories and files. The Anonymous User on Company X won't be able to enter the directories or files of Companies A, B or C because each of these Companies (ASP Applications) has its own unique, distinct default NTFS Account. In essence, IIS will be restricted by the NTFS permission to allow an Anonymous Action from ASP Application X (Company X) to interfere with the directories and files in another ASP Application (Company A, B, C).

    There may be some drawbacks to this technique regarding in-process and out-of-process activities (e.g. IWAM_machinename permissions). In theory, it should work. I am sad to state that I haven't tried it myself.

    I invite other responses to this subject.

    I hope this helps.
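
An audit for the isolation described in the reply above, as an added example that is not part of the original thread: it flags applications that share an anonymous account, and anonymous accounts that hold rights on another application's content root. The site names, accounts, paths and the icacls-style listing are constructed, and paths are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Constructed inventory: site -> (anonymous account, content root). Hypothetical names.
SITES = {
    "CompanyA": (r"SERVER\IUSR_MachineName", r"C:\sites\companya"),
    "CompanyB": (r"SERVER\IUSR_MachineName", r"C:\sites\companyb"),
    "CompanyX": (r"SERVER\IUSR_CompanyX", r"C:\sites\companyx"),
}

# Constructed icacls-style listing for the three content roots.
ACL_TEXT = r"""
C:\sites\companya SERVER\IUSR_MachineName:(OI)(CI)(M)
                  BUILTIN\Administrators:(OI)(CI)(F)
C:\sites\companyb SERVER\IUSR_MachineName:(OI)(CI)(M)
                  SERVER\IUSR_CompanyX:(OI)(CI)(RX)
C:\sites\companyx SERVER\IUSR_CompanyX:(OI)(CI)(M)
                  BUILTIN\Administrators:(OI)(CI)(F)
"""

def parse_acls(text):
    """Return {path: {principal: rights}}, all keys lower-cased."""
    acls, path = defaultdict(dict), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a new object starts: "path ACE"
            path, line = line.split(None, 1)
        principal, perms = line.strip().split(":", 1)
        # The last parenthesised token is the rights mask; earlier ones are inheritance flags.
        acls[path.lower()][principal.lower()] = re.findall(r"\(([^)]*)\)", perms)[-1]
    return acls

def audit(sites, acls):
    """List shared anonymous accounts and cross-application grants."""
    findings, by_account = [], defaultdict(list)
    for site, (account, _) in sites.items():
        by_account[account.lower()].append(site)
    for account, users in sorted(by_account.items()):
        if len(users) > 1:
            findings.append(("shared-account", account, tuple(sorted(users))))
    for site, (account, _) in sorted(sites.items()):
        for other, (_, other_root) in sorted(sites.items()):
            ace = acls.get(other_root.lower(), {})
            rights = ace.get(account.lower()) or ace.get("everyone")
            if other != site and rights:
                findings.append(("cross-access", site, other, rights))
    return findings
```

Group membership is not resolved apart from a literal Everyone entry, so rights granted through groups the anonymous account belongs to need a separate check.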
