File Uploading and Access Problem
  1. #1
    Sukhwinder Singh Guest

    File Uploading and Access Problem

    Hello,
    This is going to be a long query. I didn't find any help anywhere else, so I am posting this message here.

    I want to provide my clients a subdirectory under our domain name, so that they can use a domain name like "". This is the same case as GeoCities etc. I know that the short URLs they (GeoCities) provide are not actual subdirectories under the home directory of the site; they use some kind of redirection etc. to provide this functionality.

    I have written an ASP script which accepts a username and a password, enters it into the database, maps the path of the root directory (for example "") and creates a subdirectory under the home directory of the site having the same name as the username. The user is then allowed to upload files to this directory.

    My problem is that our ISP doesn't want to provide "write" access to the root directory (or home directory). He suggests that I should create a subdirectory like "users" under the root directory and then he can provide write access to this directory. Even then, two users can delete each other's files using an ASP script.

    But the main problem is that our clients don't want a name like ""; they want a name like "".

    There is no problem if I manually use FTP to create a subdirectory under the home directory and then upload the user's files under his directory. But I cannot use this method because users want to manage their own files, but they cannot upload files because there is no write permission to the home (root) directory, and our ISP cannot provide write access to each user's directory whenever we add a new user and create a subdirectory for him under root. The same is true when I have to delete a user and his files.

    So please help me to find a solution to this problem. How can I solve this problem without risking security?

    Thank you.

    Sukhwinder Singh

  2. #2
    Markkk Guest

    RE: File Uploading and Access Problem

    For improved HTTP security, I recommend the following:

    1. Establish a new Virtual Directory for the web site (e.g. ).

    2. Make sure that the physical location of this Virtual Directory is OUTSIDE the root web directory (outside of C:\Inetpub). Make sure that the new "user1" directory is located well outside the Inetpub directory (something like D:\user1 works great).

    3. Identify this new Virtual Directory as an ASP Application. Call the ASP Application something like "user1".

    4. Create a new NTFS Account to perform all Anonymous requests for your new Virtual Directory. This new NTFS Account could be named something like "webuser1". This new NTFS Account will be used for all Anonymous requests, instead of the default Account: IUSR_MachineName.

    By creating a new unique NTFS Account specifically for your Virtual Directory, your ISP can gain better control over what anonymous users of Virtual Directory "user1" can or cannot do. Anonymous users will only be able to do what the NTFS permissions allow them to do. If the new Anonymous Account only has permissions in the D:\user1 directory, then NTFS will prevent IIS from accessing files in other directories. This prevents anonymous hackers (and webmasters) from creating hacking scripts that damage files in other people's Virtual Directories.

    Using the default IUSR_MachineName Account for more than one virtual directory can open a big security hole. A hacking script in one virtual directory ("user1") can easily CREATE, CHANGE and even DELETE files in other virtual directories ("user2"). This is possible because both Virtual Directories have the same default NTFS Account used for Anonymous Authentication. By using a distinct and different NTFS Account for each virtual directory, you eliminate this security risk.

    5. Set appropriate NTFS Permissions on the physical directory (D:\user1), its sub-directories and files. Again, your new NTFS Account ("webuser1") will be used instead of IUSR_MachineName. All permissions granted to IUSR_MachineName must be eliminated! READ permissions for "webuser1" should be given on anything that will be served by IIS. CREATE, CHANGE and DELETE permissions should be granted only when needed. If you want a particular subdirectory to remain secure (e.g. D:\user1\private) and never be viewed over the web, you may want to remove all permissions granted to NTFS Account "webuser1". Also, you may want to change the IIS READ permission settings as well.

    6. Identify the new NTFS Account ("webuser1") as the default Account for Anonymous Authentication in your Virtual Directory (ASP Application).

    7. Test your Virtual Directory.

    Securing your FTP access to files should pose no problem.

    I hope this helps!!
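The seven steps in the answer above, carried out as one PowerShell provisioning script. This is an added example, not code from the thread or from either poster; it targets a current Windows Server with IIS (where IUSR has replaced IUSR_MachineName and content is served through application pools) and assumes the WebAdministration and Microsoft.PowerShell.LocalAccounts modules are present and the script runs elevated. The site name, the client name "user1", the D:\ drive and the "files" and "private" subfolder names are placeholders chosen to match the answer, not values from the thread.

```powershell
# Added example (not from the original thread): provision one per-client
# application with its own anonymous account, per steps 1-7 above.
# Assumptions: IIS with WebAdministration, LocalAccounts module, elevated shell.
param(
    [string]$SiteName     = 'Default Web Site',   # placeholder site name
    [string]$ClientName   = 'user1',              # placeholder client name
    [string]$PhysicalRoot = 'D:\'                 # placeholder drive outside C:\Inetpub
)

Import-Module WebAdministration

$acctName = "web$ClientName"                      # dedicated anonymous account, e.g. webuser1
$userDir  = Join-Path $PhysicalRoot $ClientName   # e.g. D:\user1, well outside the web root
$filesDir = Join-Path $userDir 'files'            # the only folder the web account may write to
$privDir  = Join-Path $userDir 'private'          # never served, no entry for the web account

# Steps 1-2: physical directories outside the web root.
foreach ($d in $userDir, $filesDir, $privDir) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}

# Step 4: a local account used only for anonymous requests to this application.
# IIS stores the anonymous credentials itself, so the random password is handed
# to IIS once and never echoed or written anywhere else.
$plainPassword  = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
New-LocalUser -Name $acctName -Password $securePassword -PasswordNeverExpires `
    -UserMayNotChangePassword -AccountNeverExpires `
    -Description "IIS anonymous account for /$ClientName" | Out-Null

# Step 5: NTFS permissions. Inheritance is cut so nothing granted to IUSR or
# Users on the parent leaks in. The web account gets read on the served tree,
# modify only on the upload folder, and no entry at all on "private".
function Set-ClientAcl {
    param([string]$Path, [string]$WebRights)      # $WebRights: 'RX', 'M', or '' for no entry
    $icaclsArgs = @('/inheritance:r',
                    '/grant', 'SYSTEM:(OI)(CI)F',
                    '/grant', 'Administrators:(OI)(CI)F')
    if ($WebRights) { $icaclsArgs += @('/grant', "${acctName}:(OI)(CI)$WebRights") }
    & icacls.exe $Path @icaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}
Set-ClientAcl -Path $userDir  -WebRights 'RX'
Set-ClientAcl -Path $filesDir -WebRights 'M'
Set-ClientAcl -Path $privDir  -WebRights ''

# Step 3: expose the directory as its own application under the site.
New-WebApplication -Name $ClientName -Site $SiteName -PhysicalPath $userDir `
    -ApplicationPool 'DefaultAppPool' | Out-Null

# Step 6: anonymous requests to this application run as the dedicated account
# instead of the server-wide IUSR identity. Written to applicationHost.config
# as a <location> entry, which is allowed even though the section is locked
# against delegation to web.config.
$authFilter = 'system.webServer/security/authentication/anonymousAuthentication'
$location   = "$SiteName/$ClientName"
$settings   = [ordered]@{ enabled = $true; userName = $acctName; password = $plainPassword }
foreach ($s in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $authFilter -Name $s.Key -Value $s.Value
}

# Step 7: verify the lockdown before handing the account to the client: the
# "private" folder must carry no ACE for the web account.
$privateLocked = -not ((Get-Acl $privDir).Access |
    Where-Object { $_.IdentityReference -like "*\$acctName" })
[pscustomobject]@{
    Application           = "/$ClientName"
    AnonymousAccount      = $acctName
    UploadFolder          = $filesDir
    PrivateFolderLocked   = $privateLocked
}
```

Run it once per client; a second client gets its own account and its own ACLs, so a script uploaded into one client's "files" folder runs as an identity that has no entry on any other client's tree, which is the isolation the answer is after. On current IIS the application pool identity also needs read access to the folder to load the application's web.config, so if the application fails to start after this script, grant "IIS AppPool\DefaultAppPool" read alongside the anonymous account (or give each client its own pool); the thread's IUSR_MachineName era predates application pools and had no such requirement.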
