| Thread ID: 41055 | 2003-12-28 13:17:00 | IIS on XP Pro - folder security | agent (30) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 203784 | 2003-12-28 13:17:00 | I've got IIS running under Windows XP Pro (located in the standard C:\Inetpub directory), and I seem to have mucked up file and folder security for NTFS (C: is formatted in NTFS). A while ago I locked down my computer against guest access, and part of this involved applying NTFS permissions to deny access to C: - an area where any guest users wouldn't need to go. However, to my misfortune, I inadvertently forgot completely about the IIS guest user (IUSR_hostname). It would appear that due to the security permissions applied, I can no longer even do something as simple as listing the contents of a database using ASP, because the user does not have the correct permissions. Is there any way to revert to the default permissions for the whole Inetpub folder? Anyone also running IIS on XP care to tell me their NTFS permissions for the Inetpub folder (so long as they haven't been tinkered with), and whether the wwwroot folder inherits these permissions or not? It's causing me strife, because even giving full access to everyone doesn't fix the problem... I've tried many permission combinations, and nothing's brought the permissions back to a working state. |
agent (30) | ||
| 203785 | 2003-12-29 07:24:00 | <Bump> I've also tried a few more things. I copied the content I needed to a FAT32 partition (thereby getting rid of any NTFS permissions on the data), and removed IIS from my computer. Then I installed IIS again, moved the location of the content folder to a different NTFS partition (which does not have the strict NTFS permissions that C: has), but still I get the same problem. Adding a full access permission for Everyone on this new folder also does not work. I'm now desperately wanting to find out the default permissions that a wwwroot folder has on it. I've also tried checking out Local Security Policy, which I modified a little to lock my computer down, but there's nothing in there that would imply IUSR_comp and IWAM_comp cannot do what they need to do. |
agent (30) | ||
| 203786 | 2003-12-29 12:51:00 | You do have 'SYSTEM' with full access rights, don't you? I've always found it's best not to play with permissions on the drive itself, but rather with folders inside the drive. |
aroc (3256) | ||
| 203787 | 2003-12-29 19:34:00 | I assumed that SYSTEM would go along with Everyone. Perhaps I'll just try adding every group... All the same, I'm now hoping on a complete reinstall of Windows in a few days. |
agent (30) | ||
| 203788 | 2003-12-29 20:09:00 | Er, I probably should have done this from the start... but it turns out IUSR_comp creates temporary files using the environment variable TEMP or TMP, which in my case both point to C:\WINDOWS\Temp. So I've given it read/write files and attribute permission, and it now works... Still hoping to reinstall Windows tomorrow though. |
agent (30) | ||
| 203789 | 2003-12-29 20:29:00 | When you reinstall Windows, create a separate partition for the Webroot folder and temp directory to be on. IIS is a known security risk and you'd be best not to risk anything by hosting files off your primary partition. Read through nsa2.www.conxion.com. This is from the NSA and relates to IIS 5 (which is IIS for Win2k). There's a number of useful pointers in it if you are considering running IIS for a while. |
paintbuoy (3087) | ||
| 203790 | 2003-12-29 22:23:00 | I'll check that document out (I also read something yesterday about securing IIS - anyweb.kicks-ass.net). Everything used to be sitting in C:\Inetpub, but since trying to get ASP scripts working again I've moved it to a different partition with different folder names. I also do unattended installations of Windows, so my profiles aren't stored in the standard location (next installation of Windows it will be a different folder name on the standard partition though); I'm also moving IIS to a new location (haven't quite decided where, because I don't want too many partitions); and my C:\Windows directory will be moved to a different partition with a slightly obscure folder name. I've also just today created a rough IP group of the NZ IP range and only allowed that access via my firewall (it's not a complete NZ range, and is of course open to international users using a proxy), as I used to regularly get connection attempts on the standard ports. I also run IIS Lockdown Tool thingie... no, I'm not all clued up about securing IIS, but I'm doing as much as I know to make it secure. |
agent (30) | ||
| 203791 | 2003-12-30 04:59:00 | It's even better if you set up a dedicated firewall computer running OpenBSD or a Linux distro and keep right up to date with MS security patches on your IIS box. Most of the break-ins I know of have occurred on out of date IIS installs or through back door services and ports. Renaming the Windows directory is of little importance and will probably cause more trouble than it's worth. If your system is compromised it's fairly easy to search a partition for a specific file name (or use your machine as a host for further attacks). |
paintbuoy (3087) | ||