From: J055 on 5 May 2010 12:43

Hi

I want to set up the following in IIS 7.0:

1. Create a website for anonymous access.
2. Allow the application restricted access to certain folders on the server, i.e. this ASP script should give a permissions error:

<%
' Test page: list the subfolders of C:\Windows through the FileSystemObject.
' With the intended isolation in place, GetFolder should fail with
' "Permission denied" instead of returning the listing.
Response.Write ShowFolderList("c:\windows\")

Function ShowFolderList(folderspec)
    Dim fso, f, f1, fc, s
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFolder(folderspec)   ' fails here if the web identity lacks List/Read on the folder
    Set fc = f.SubFolders
    For Each f1 In fc
        s = s & f1.Name
        s = s & "<BR>"
    Next
    ShowFolderList = s
End Function
%>

I created an account called IUSR_Test and added it to the website root folder, then changed the website anonymous user identity to use this specific user. I can still browse to the ASP web page and get a list of files in 'c:\windows'.

I tried changing the website app pool identity to the same account, but I can still browse the Windows folder. The IUSR_Test account is not in any groups.

What am I doing wrong, and what's the best way to set up this kind of website isolation?

Many thanks
Andrew
From: Ken Schaefer on 6 May 2010 11:32

IUSR_test would be in the built-in Users group.

Removing the Read permission for the Users group to c:\windows is probably not advisable. Instead, try adding a specific Deny Read for your test user account, and see if that solves the problem.

Cheers
Ken

http://adOpenStatic.com/blog

"J055" <j055(a)newsgroup.nospam> wrote in message news:O1V8AJH7KHA.3196(a)TK2MSFTNGP05.phx.gbl...
> Hi
>
> I want to setup the following in IIS 7.0:
>
> 1. Create a website for anonymous access.
> 2. Allow the application restricted access to certain folders on the
> server, i.e. this asp script should give a permissions error:
>
> <%
>
> response.write ShowFolderList ("c:\windows\")
>
> Function ShowFolderList(folderspec)
> Dim fso, f, f1, fc, s
> Set fso = CreateObject("Scripting.FileSystemObject")
> Set f = fso.GetFolder(folderspec)
> Set fc = f.SubFolders
> For Each f1 in fc
> s = s & f1.name
> s = s & "<BR>"
> Next
> ShowFolderList = s
> End Function
>
> %>
>
> I created an account called IUSR_Test and added it to the website root
> folder, then changed the website anonymous user identity to use this
> specific user. I can still browse to the asp web page and get a list of
> files in 'c:\windows'.
>
> I tried changing the website app pool identity to the same account but I
> can still browse the windows folder. The IUSR_Test account is not in any
> groups.
>
> What am I doing wrong and what's the best way to set up this kind of
> website isolation?
>
> Many thanks
> Andrew
From: Pablo A. Allois on 6 May 2010 15:55

The only way that I found is what Ken said. I created a group like RestrictedUsers, added the anonymous users of the web applications to the group, and then started putting Deny for the group on every folder I could.

But you will have some problems with the denies, for example:

- For Framework applications, the anonymous user needs access to the Framework folders and write access to the temporary folders.
- Websites that use mdb files will need to write to C:\windows\temp.
- PHP applications need to write to C:\windows\temp.
- .NET will need read access to C:\windows\assembly.
- Some file operations will need Read over the operating system disk.

I think that procmon will be a very useful application for this task.

After that you will have a worse problem: the web application can act as the user of the application pool, so after you tune the server to limit the anonymous user, you also have to limit the user of the application pool.

Regards!

"Ken Schaefer" <kenREMOVE(a)THISadOpenStatic.com> wrote in message news:uuwFmFT7KHA.5476(a)TK2MSFTNGP06.phx.gbl...
> IUSR_test would be in the built-in Users group.
>
> Removing the Read permission for the Users group to c:\windows is probably
> not advisable. Instead, try adding a specific Deny Read for your test user
> account, and see if that solves the problem.
>
> Cheers
> Ken
>
> http://adOpenStatic.com/blog
>
> "J055" <j055(a)newsgroup.nospam> wrote in message
> news:O1V8AJH7KHA.3196(a)TK2MSFTNGP05.phx.gbl...
>> Hi
>>
>> I want to setup the following in IIS 7.0:
>>
>> 1. Create a website for anonymous access.
>> 2. Allow the application restricted access to certain folders on the
>> server, i.e. this asp script should give a permissions error:
>>
>> <%
>>
>> response.write ShowFolderList ("c:\windows\")
>>
>> Function ShowFolderList(folderspec)
>> Dim fso, f, f1, fc, s
>> Set fso = CreateObject("Scripting.FileSystemObject")
>> Set f = fso.GetFolder(folderspec)
>> Set fc = f.SubFolders
>> For Each f1 in fc
>> s = s & f1.name
>> s = s & "<BR>"
>> Next
>> ShowFolderList = s
>> End Function
>>
>> %>
>>
>> I created an account called IUSR_Test and added it to the website root
>> folder, then changed the website anonymous user identity to use this
>> specific user. I can still browse to the asp web page and get a list of
>> files in 'c:\windows'.
>>
>> I tried changing the website app pool identity to the same account but I
>> can still browse the windows folder. The IUSR_Test account is not in any
>> groups.
>>
>> What am I doing wrong and what's the best way to set up this kind of
>> website isolation?
>>
>> Many thanks
>> Andrew
>
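The following PowerShell script is an added example, not code posted by anyone in this thread. It carries out Ken's suggestion (an explicit Deny Read for the site's identity, rather than removing Users' Read on C:\Windows) together with Pablo's extension of it (collect every identity the site runs as in one group, put the Deny ACEs on that group, and restrict the application-pool identity as well as the anonymous one). All names are assumptions: site "Test" with root C:\inetpub\Test, application pool "TestPool", local accounts IUSR_Test (anonymous identity) and IUSR_TestPool (pool identity), local group RestrictedWebUsers, and a test page listwindows.asp containing the script from the original post. It is meant to be run from an elevated PowerShell prompt on the IIS 7 server and only uses net.exe, icacls.exe and appcmd.exe, which ship with Windows and IIS 7.

```powershell
# Added example (not from the thread): isolate one IIS 7 site with dedicated
# identities and explicit NTFS Deny ACEs. Every name below is an assumption.
$ErrorActionPreference = 'Stop'
$site     = 'Test'                      # assumed site name
$siteRoot = 'C:\inetpub\Test'           # assumed site root
$pool     = 'TestPool'                  # assumed application pool
$anonUser = 'IUSR_Test'                 # anonymous identity for the site
$poolUser = 'IUSR_TestPool'             # separate identity for w3wp.exe
$group    = 'RestrictedWebUsers'        # group that carries the Deny ACEs
$testUrl  = 'http://localhost/listwindows.asp'   # assumed copy of the poster's ASP page
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Run a native tool and fail loudly on a non-zero exit code (Stop does not
# cover external executables).
function Invoke-Native {
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Random passwords; System.Web is present on any machine with IIS installed.
Add-Type -AssemblyName System.Web
$anonPw = [System.Web.Security.Membership]::GeneratePassword(24, 4)
$poolPw = [System.Web.Security.Membership]::GeneratePassword(24, 4)

# 1. Accounts and the restricting group. A fresh local account is implicitly
#    a member of Users, and Users has Read/Execute on C:\Windows, which is why
#    "not in any groups" still produced the folder listing: the Deny must be
#    explicit, as Ken says.
Invoke-Native net @('user', $anonUser, $anonPw, '/add', '/passwordchg:no', '/expires:never')
Invoke-Native net @('user', $poolUser, $poolPw, '/add', '/passwordchg:no', '/expires:never')
Invoke-Native net @('localgroup', $group, '/add')
Invoke-Native net @('localgroup', $group, $anonUser, '/add')
Invoke-Native net @('localgroup', $group, $poolUser, '/add')

# 2. NTFS. The group may read and execute the site root. On C:\Windows the
#    Deny is placed on the folder object only (no (OI)(CI), so nothing under it
#    inherits it): that blocks directory enumeration, which is exactly what the
#    poster's FileSystemObject test does, while w3wp.exe can still load DLLs
#    from System32 because those files keep their own inherited ACLs. A Deny
#    beats every Allow, so a recursive Deny on the whole tree would also break
#    the paths Pablo lists (Temp, assembly, the Framework folders); add more
#    folders to $denyFolders deliberately and re-test each one.
Invoke-Native icacls @($siteRoot, '/grant', "${group}:(OI)(CI)(RX)")
$denyFolders = @($env:windir)
foreach ($folder in $denyFolders) {
    Invoke-Native icacls @($folder, '/deny', "${group}:(R)")
}

# 3. IIS. Run the pool as its own low-privilege account (Pablo's second point:
#    code in the site can act as the pool identity, so it must be restricted
#    too) and make the dedicated account the site's anonymous identity. The
#    authentication section is locked at server level, hence /commit:apphost.
Invoke-Native $appcmd @('set', 'apppool', $pool,
    '/processModel.identityType:SpecificUser',
    "/processModel.userName:$poolUser", "/processModel.password:$poolPw")
Invoke-Native $appcmd @('set', 'config', $site, '/section:anonymousAuthentication',
    "/userName:$anonUser", "/password:$anonPw", '/commit:apphost')
Invoke-Native $appcmd @('recycle', 'apppool', $pool)

# 4. Check the ACL that was written, then re-run the poster's test page. With
#    the Deny in place IIS answers with an ASP error (HTTP 500, "Permission
#    denied" from GetFolder) instead of the C:\Windows folder list.
& icacls $env:windir | Select-String $group
try {
    $body = (New-Object System.Net.WebClient).DownloadString($testUrl)
    Write-Warning "Page still lists C:\Windows; check the ACL and the site's anonymous identity:`n$body"
} catch [System.Net.WebException] {
    Write-Host "Listing blocked as intended: $($_.Exception.Message)"
}
```

The folder-only Deny on C:\Windows is the part to keep deliberate: it satisfies the thread's test without touching the subfolders that ASP.NET, PHP and Access/Jet need, and each further folder you add to $denyFolders should be checked against procmon output as Pablo suggests. The passwords are generated and then discarded; nothing else in the script needs them once appcmd has stored them in applicationHost.config.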