Re: IUSER and Write Access Problem

From: Kristofer Gafvert (kgafvert_at_NEWSilopia.com)
Date: 02/05/05


Date: Sat, 05 Feb 2005 01:43:44 -0800

Hi,

I'm quoting from the "Shared Web Hosting Development Guide"[1], the
"Access Control Best Practices" section:

"Never allow anonymous user (IUSR) Write permission"

Ken explains why in the iis.security newsgroup.

[1]: You can download it from here:
http://www.microsoft.com/serviceproviders/webhosting/default.asp

You need a .NET Passport to sign in (don't ask me why you need to
register...)

-- 
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com

ShootMePlease wrote:
> I am having an argument with someone right now about permissions and the
> anonymous IUSER.  This person has insisted that I give the IUSER write
> permissions to a web site he is developing so that he can get his ASP code
> to work.  I have compromised by creating a subdirectory for him.  My ideal
> setup would be to have his ASP pages in the root of the web, and then have
> those pages use this sub-directory to create and write these temporary data
> files he needs.  Instead of modifying his code he has simply moved all of
> his ASP pages into that subdirectory to run.
>
> I want to prove to my manager that this is bad and that our developer needs
> to secure his code.
>
> Anybody know of a good exploit I can demo?  How can I write a file to this
> web site as if I were an anonymous user?  Can I simply rename his ASP files
> as the IUSER and prove that I can take down the site?
>
> Any advice would be appreciated, thanks.
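
One way to check a server against the guide's rule quoted above ("Never allow anonymous user (IUSR) Write permission"), as an added example that is not part of the original thread or the guide: a PowerShell script, meant to be saved as a script file, that lists every Allow ACE under a web root granting write-type rights to the anonymous account. The content path, the account name patterns (`IUSR`, `IUSR_*`), the inclusion of `Everyone`, and the function names are assumptions to adjust for the server being audited.

```powershell
# Added example (not from the thread): list ACEs under a web root that grant
# write-type rights to the anonymous IIS account.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',                 # assumption: content path
    [string[]]$Principal = @('IUSR', 'IUSR_*', 'Everyone')   # assumption: names to flag
)

# Rights that allow creating, changing, deleting or re-permissioning content.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic bits can appear unmapped in an ACE: GENERIC_WRITE and GENERIC_ALL.
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Test-PrincipalMatch {
    param([string]$Identity, [string[]]$Pattern)
    $leaf = ($Identity -split '\\')[-1]      # drop the DOMAIN\ or MACHINE\ prefix
    foreach ($p in $Pattern) { if ($leaf -like $p) { return $true } }
    return $false
}

function Get-AnonymousWriteAce {
    param([string]$Path, [string[]]$Pattern)
    # The root itself plus everything beneath it (hidden items included).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-PrincipalMatch $ace.IdentityReference.Value $Pattern)) { continue }
            # Keep the ACE only if it carries at least one write-type bit.
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-AnonymousWriteAce -Path $WebRoot -Pattern $Principal |
    Sort-Object Path | Format-Table -AutoSize -Wrap
```

Rows with `Inherited` set to `False` are the places where the permission was granted directly; an empty result means no matching write ACE was found under the path.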

