IIS Server Security >> General Security Question

by Steven Frank » Tue, 14 Oct 2003 23:14:41 GMT

I am running a Win2k machine dedicated to the role of a web server. This
server is running a single public web site. The web site in question has a
secure area. What I mean by secure, is that it requires a username/password
to get in.

As I do not have a need for overly-strict security for the site (and other
reasons), I have opted to use Basic Authentication. In general, I have no
problems with this setup. I have created users, set up the Basic Auth in
IIS and have set the appropriate level of security on the folders in
question via the OS. When a user accesses the "secure" area of the site, he
is correctly prompted for his username/password and everyone is happy.

My question/concern is this: as I have to create an OS user account for each
web site user, this would seem to give them at least some access to the box
in general due to the fact that "Everyone" has certain rights to some
resources of the box. These "users" do not need any access to the box, nor
do I want them to have any. I suppose I could comb the directory structure
and remove/restrict the "Everyone" access, but that seems like a very
onerous task to say the least. Are there any other options, or am I
misunderstanding the situation at all?

TIA



by levinson_k » Wed, 15 Oct 2003 21:07:25 GMT


There are a number of articles out there on NTFS permissions to change
to improve security on IIS, and you can also find and edit the various
Group Policy template files within windowsroot\security\templates and
available for download from www.microsoft.com/download such as
hisecweb. These files can be edited either using Notepad or MMC.EXE /
Add/Remove Security Templates Snap-In. You can choose to apply just
the NTFS portions or the whole thing. Some people do encounter
problems when they apply the entire hisecweb template without knowing
what it does or how to undo it, so be careful.

The following sites also have hardening checklists and/or information
on NTFS permissions that you might change:

www.microsoft.com/technet/security
www.nsa.gov
www.iisfaq.com
http://securityadmin.info/faq.htm#harden

Regarding your specific question about how to change permissions for
these users, it might be better to create a group containing these
users, and Deny permissions to the entire hard drive partition for
this group, then remove the deny permission for the web folders. If
you did this, you would need to be careful that you never put the
server administrators or system into this group, or else you will be
denied access and have big problems. Deny permission overrides any
other permission granted elsewhere, even for administrators. Note
that AFAIK, simply putting users into the Guests group really does
nothing much to change those users' permissions.

If you run into any problems, see the articles from Microsoft and
www.iisfaq.com on minimum default NTFS permissions needed for IIS to
run, and/or use Windows auditing on file access failures to see who
was denied permission to what. Note that there are folders within the
windowsroot folder and program files folder that these users might
need access to.

http://securityadmin.info/faq.htm#auditing
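The group-plus-Deny layout and the failure auditing described in the reply above, written out as an added example (this is not code from either poster). It assumes a local group named WebSiteUsers, site content under D:\WebContent on partition D:, two constructed account names, and Windows PowerShell 5.1 on a current Windows host; the original question concerns Windows 2000, where the same ACL layout would be set with cacls.exe, as noted after the block.

```powershell
# Added example: group-based Deny on the partition root, Allow on the web folder,
# failure auditing, and the "no admins in the group" check the reply warns about.
# Group name, paths and account names below are hypothetical.
$group     = 'WebSiteUsers'
$partition = 'D:\'
$webFolder = 'D:\WebContent'

# 1. Put every Basic-Auth web account into one local group.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'Basic Auth web site users only' | Out-Null
}
foreach ($user in 'webuser1', 'webuser2') {      # constructed sample accounts
    Add-LocalGroupMember -Group $group -Member $user -ErrorAction SilentlyContinue
}

# 2. Safety check before any Deny is written: Deny beats Allow, so an administrator
#    account that ends up in this group would lock itself out of the whole partition.
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value
$overlap   = Get-LocalGroupMember -Group $group | Where-Object { $adminSids -contains $_.SID.Value }
if ($overlap) {
    throw "Administrator accounts are members of $group ($($overlap.Name -join ', ')); remove them first."
}

# 3. Deny the group everything at the partition root, inherited to all subfolders/files.
$denyAll = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
$acl = Get-Acl -Path $partition
$acl.AddAccessRule($denyAll)
Set-Acl -Path $partition -AclObject $acl

# 4. On the web folder: break inheritance (keeping copies of the inherited ACEs),
#    drop the copied Deny for the group, and grant read/execute instead.
$acl = Get-Acl -Path $webFolder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $webFolder -AclObject $acl
$acl = Get-Acl -Path $webFolder                 # re-read: inherited ACEs are now explicit
foreach ($rule in @($acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$group" -and $_.AccessControlType -eq 'Deny' })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($readOnly)
Set-Acl -Path $webFolder -AclObject $acl

# 5. Audit failed access attempts by the group anywhere on the partition, so a
#    page that breaks because IIS needs some file outside the web folder shows
#    up in the Security log instead of being guessed at.
$sacl = Get-Acl -Path $partition -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Failure')
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $partition -AclObject $sacl
# The SACL only produces events once object-access failure auditing is on:
auditpol /set /subcategory:"File System" /failure:enable

# 6. Review what was denied (event 4656 = handle request; failure audits only).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 50 |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
    Select-Object TimeCreated, Message
```

Run step 2 before step 3 every time the script is applied, not just once: the whole scheme depends on the group never containing an administrative or system account. On Windows 2000 the same Deny-at-root layout is set with `cacls D:\ /E /D WebSiteUsers` (edit the existing ACL, add a Deny for the group) and auditing is enabled through the local security policy rather than auditpol; the event ID for object access there is 560 rather than 4656, so adjust step 6 accordingly.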

Similar Threads

1. General, Security, and Advanced Questions for IIS 6.0 and Publishi

2. Question on how ASP communicates and general questions

How does ASP communicate with the end user? Does it leave the connection open as long as the user has the page open? Are there articles stating this on Microsoft's site? Also, when did ASP first enter the world and in what product? Thank you

3. general security settings - IIS Server Security

4. General question about ASP .NET and HTML integration

Hi All,

Just a bit of a general question. I've heard that in ASP .NET projects using
Visual Studio, you have little or no control over the way the HTML is
presented? Is this true? It seems a little unrealistic to me. I have many
years' experience with old ASP but I'm about to start a new project and am
looking at ASP .NET. I'd be keen to hear what others' experiences are WRT
this.

Thanks for the potential heads up
Al 


5. General question about persistence - ASP

6. General procedural question regarding passing data

I have the following pages...

page1.asp
page2.asp
page3.asp
page4.asp
page5.asp

The following variables are given values on page1.asp:

FirstName
LastName
Address1
Address2
City
State
Zip

The values are not used in pages 2-4, but are used in page5.asp.

Should I put the values in session variables?  Or should I put them in form
post data?  Or does it really matter?



7. Add to Cart - General Question - ASP

8. general questions: best practices

Yesterday, I posted a problem which, by the way, I haven't been able to
solve yet. But in Aaron's reply, he questioned why I did several things the
way I did. My short answer is that I have a lot to learn, but now I'd like
to ask anyone who reads this, including Aaron, for some clarification. I
imagine others might benefit, too.

"Aaron Bertrand - MVP" < XXXX@XXXXX.COM > wrote
> A few suggestions.

> (3) why do you constantly set rs = createobject("ADODB.Recordset") but
> never destroy any of them?


I went back and took care of it with this: set rs = nothing

My question is, is this enough?


> (4) why are you allowing values from request.querystring into your SQL
> statements unchecked? Have you tried something like...
> DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20' b


Never thought of that. Is that really an issue for an Intranet, though?

> (5) why are you using ADODB.Recordset at all? These all seem to be
> forward-only, static recordsets.


I don't really understand this question/statement. Is there another kind of
recordset?


> Here is a rewrite of the first portion.
> <!-- #INCLUDE FILE="includes/functions.asp" -->
> <!-- #INCLUDE FILE="includes/argodbinc.asp" -->
> <!-- #INCLUDE FILE="includes/colors.inc" -->
> <%
> ' Return the querystring value with each apostrophe doubled
> function fixVal(s)
>     fixVal = replace(request.QueryString(s), "'", "''")
> end function

Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?