IIS Server Security >> Security implications of giving F access to directory

by U3Bvb2s » Tue, 25 Nov 2003 13:46:04 GMT

Hi

My ASP based website relies heavily on an MS Access database to display its content. The database is outside the root directory of my site, so it cannot be accessed via the web, and a System DSN has been set up on the server.
This worked fine, until the security of my database became an issue. Other users of the server could call up a list of the available DSNs on the server quite easily, and access my database, so I had it arranged that the odbc.ini file was blocked. Now people cannot see a list of the DSNs but they can still guess it to gain access.
So I put a password on the database, and that stops people from getting to the database through the DSN.

The problem I face is that I have to give the database folder full permissions in order for my webpage to function properly (I was getting 80004005 errors before I changed permissions). Which is quite annoying really, in order to protect my data I have to give the anonymous user more rights...

I was wondering if anyone could advise me on the security issues I now face. To my understanding my database is secure from people trying to access it through the DSN, but what are the implications of giving the directory full rights? How easy would it be for someone to wreak havoc?

Thanks in advance.



by Ken Schaefer » Tue, 25 Nov 2003 14:10:47 GMT


a) You only need to give the anonymous user "Change" permissions

b) No one should be able to log on interactively as the anonymous internet
user (they shouldn't have the password)

c) You don't need to give normal users any other permissions to the folder
that the Access database is in, so they shouldn't be able to reach it
(unless they are administrators and can change the NTFS permissions).

d) Only administrators should be logging onto your server anyway. And you
need to trust your admins.

Lastly, Access is designed as a single-user database. It doesn't have robust
multi-user/security options. Use MSDE/SQL Server or similar if you need
that.

Cheers
Ken
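
Points (a) and (c) of the reply above, as an added PowerShell example that is not part of the original thread: it audits the database folder's ACL for a Full Control grant to the anonymous account and for grants to broad groups, then replaces the anonymous account's explicit rules with Modify (the NTFS right corresponding to "Change"). The folder path and account name are hypothetical placeholders; the thread gives neither.

```powershell
# Added example, not from the thread. Both defaults are hypothetical placeholders.
param(
    [string]$DbFolder    = 'D:\data\sitedb',            # folder holding the .mdb
    [string]$AnonAccount = 'WEBHOST01\IUSR_WEBHOST01'   # IIS anonymous account
)

$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$sidType     = [System.Security.Principal.SecurityIdentifier]
# Everyone, Authenticated Users, BUILTIN\Users (well-known SIDs, locale independent)
$broadSids   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

$anon    = New-Object System.Security.Principal.NTAccount($AnonAccount)
$anonSid = $anon.Translate($sidType).Value
$acl     = Get-Acl -LiteralPath $DbFolder

# 1. Audit: flag Full Control for the anonymous account (point a) and any
#    allow rule for a broad group, explicit or inherited (point c).
foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid    = $rule.IdentityReference.Value
    $isFull = ([int]$rule.FileSystemRights -band $fullControl) -eq $fullControl
    if ($sid -eq $anonSid -and $isFull) {
        Write-Warning "Anonymous account holds Full Control (inherited: $($rule.IsInherited))"
    }
    elseif ($broadSids -contains $sid) {
        Write-Warning "$sid holds $($rule.FileSystemRights) (inherited: $($rule.IsInherited))"
    }
}

# 2. Fix: drop the anonymous account's explicit rules and grant Modify only,
#    inherited by files and subfolders. Modify still lets the database engine
#    create and delete its lock file, but not change permissions or ownership.
$acl.PurgeAccessRules($anon)
$modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $anon, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($modify)
Set-Acl -LiteralPath $DbFolder -AclObject $acl

# 3. Show the explicit rules now in place.
(Get-Acl -LiteralPath $DbFolder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Inherited entries flagged in step 1 are not removed by step 2; they have to be changed on the parent folder or by disabling inheritance on this folder.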







