Re: IIS permissions + scripts etc

From: Steven Burn (somewhere_at_in-time.invalid)
Date: 03/02/05


Date: Wed, 2 Mar 2005 19:45:51 -0000

It's the multiple account part that's got me confused....... lol

How does one set different IUSR accounts for different sites?

-- 
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!
"Kristofer Gafvert" <kgafvert@NEWSilopia.com> wrote in message news:xn0dza94x4em33a00j@news.microsoft.com...
> Hello,
> 
> You can use NTFS permissions. IIS (or scripts) do not bypass the file 
> system security, so if the user the ASP-page is running under (maybe IUSR, 
> but could be something else) is denied access to folders outside the 
> customer's folders, it will fail.
> 
> You might also need to have multiple anonymous user accounts (so your 
> customers cannot access each other's files).
> 
> -- 
> Regards,
> Kristofer Gafvert
> www.gafvert.info - My Articles and help
> www.ilopia.com
> 
> 
> Steven Burn wrote:
> 
> > I realise this might be a tad OT for this NG and apologise in advance if this is the case (wasn't sure which NG to post this to).
> >
> > Basically what I am wanting to do is allow my server users to upload scripts (CGI, ASP, PHP etc), but restrict the directories and files that their scripts/pages can access. So for example, if they wrote a script that had;
> >
> > <%
> >     Dim objFSO, objFldr
> >     Set objFSO = Server.CreateObject("scripting.filesystemobject")
> >     '// Set to current folder
> >     Set objFldr = objFSO.GetFolder(Server.MapPath("../private"))
> >     Response.Write objFldr.Path
> >     Set objFSO = Nothing
> >     Set objFldr = Nothing
> > %>
> >
> > This would be permitted as the folder is within their account root.
> >
> > However, if they wrote a script that contained for example;
> >
> > <%
> >     Dim objFSO, objFldr
> >     Set objFSO = Server.CreateObject("scripting.filesystemobject")
> >     '// Assume this points to the Windows Update temp folder
> >     '// or the system folder, or someone else's account,
> >     '// or <something they aren't allowed to access>
> >     Set objFldr = objFSO.GetFolder(Server.MapPath("../../../WUTemp"))
> >     Response.Write objFldr.Path
> >     Set objFSO = Nothing
> >     Set objFldr = Nothing
> > %>
> >
> > This would not be permitted to run as it would be attempting to access a folder outside of their account root.
> >
> > NB: I am not familiar with CGI/Perl/PHP so have used ASP/VBScript for the example scripts.
> >
> > I was thinking of using the IUSR permissions, but I do not believe this works on a per-site basis? (all sites will be hosted on one server). I have thus far been unsuccessful in finding any documentation for script/site restrictions on a per-site basis (most of them appear to be global, which would be useless when the server is shared).
> >
> > In a nutshell;
> >
> > - Site 1's scripts can access everything* in Site 1's account root, but cannot access anything else
> > - Site 2's scripts can access everything* in Site 2's account root, but cannot access anything else
> > - etc etc
> >
> > * everything being files, databases etc etc
> >
> > I realise ideally, I should have each site on its own server, however, I only have one PC connected to the internet (I must apologise in advance if this is confusing).
> >
> > If possible, can anyone point me to docs that explain how to do this please?
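
Added example, not part of the original thread or any poster's code: one way to give each site its own anonymous account and confine it with NTFS permissions, as the quoted reply suggests. It assumes IIS 7 or later with the WebAdministration module (newer than the server in this thread), an application pool named after each site, and hypothetical site names, account names and paths.

```powershell
# Added example: per-site anonymous accounts confined by NTFS ACLs.
# Site names, the anon_ prefix and C:\Sites are hypothetical. Run elevated.
Import-Module WebAdministration

$sites  = 'Site1', 'Site2'   # existing IIS sites (assumed)
$root   = 'C:\Sites'         # content lives in C:\Sites\<site> (assumed)
$filter = 'system.webServer/security/authentication/anonymousAuthentication'

function New-RandomPassword {
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Fixed suffix only guarantees the classes a complexity policy requires
    return [Convert]::ToBase64String($bytes) + 'aA1!'
}

foreach ($site in $sites) {
    $account = "anon_$site"              # local account names are capped at 20 chars
    $path    = Join-Path $root $site
    $plain   = New-RandomPassword
    $secure  = ConvertTo-SecureString $plain -AsPlainText -Force

    # 1. One local account per site, member of no extra groups
    New-LocalUser -Name $account -Password $secure -PasswordNeverExpires `
        -UserMayNotChangePassword -Description "Anonymous user for $site" | Out-Null

    # 2. Anonymous requests to this site now run as that account
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name userName -Value $account
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name password -Value $plain

    # 3. Drop inherited ACEs so other sites' accounts get nothing here, then
    #    grant only admins, SYSTEM, this site's account and its worker process
    icacls $path /inheritance:r /grant:r `
        'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        "${account}:(OI)(CI)M" "IIS AppPool\${site}:(OI)(CI)RX"
}

# Check the result: each folder should list only its own anon_ account
foreach ($site in $sites) { icacls (Join-Path $root $site) }
```

Folders outside `C:\Sites` keep their default ACLs, so any entry there for Users, Authenticated Users or Everyone still applies to these accounts and has to be tightened separately.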

