Re: asp restricted access to resources

• Previous message: Jeff Cochran: "Re: ODBC database on IIS question. Where do I start?"
• Messages sorted by: [ date ] [ thread ]

Date: Tue, 01 Jun 2004 22:48:39 GMT

On 29 May 2004 02:31:18 -0700, soul_kitchen@rediffmail.com (James)
wrote:

>Hi,
>
>I am running a virtual hosting server. The configuration of server is
>as follows:
>
>Windows 2000
>IIS 5.0
>
>All the virtual hosting sites are running as seperate user ie for the
>site www.xxx.com is running under xxxIIS and www.yyy.com is running as
>yyyIIS. I have also taken some precautionary file system security
>measures like the group everyone is not present in c:\ and directories
>corresponding to sites. But at the same time I can not remove everyone
>access from the full system, I will need to keep them in few
>directories.
>This can lead to an asp code that is present on the server to do stuff
>like browsing through the file system, reading the contents of file
>etc. For ex if I have everyone acccess to c:\winnt\system32 then any
>person on the server can write code to view the contents inside
>folder.

Try it. :)

>I want to know if there is any way to restrict the script belonging to
>one virtual hosting site to access only the contents of that site.
>example the site www.xxx.com present inside
>c:\inetpub\wwwroot\www.xxx.com directory and can access only the
>contents inside this and the child directories. Is this possible? I
>searched the on google but could not find any link that gives me any
>information on this. It will really be a valuable information to me.

You're assuming the Everyone group means "Every Account on the
System". It doesn't. It's just a group. Don' give access to areas
you don't want people to have access to. By default, the IUSR
accounts are *not* in the Everyone group.

Jeff

• Previous message: Jeff Cochran: "Re: ODBC database on IIS question. Where do I start?"
• Messages sorted by: [ date ] [ thread ]