FTP Security (IIS FTP Server newsgroup archive, February 2004)

James

I'm going round in circles with the NTFS/IIS security. Can't seem to get the
combination right.

My theory was this:
- FTP server set to isolate users
- NTFS security on all drives set to full control for admin group, system and
creator owner.
- except ftp root which also has users group with full control.

This works OK, but when I try to allow an anonymous account I get problems:
- I selected "allow anonymous connections" with the IUSR_ username and
"allow only anonymous" unchecked
- IUSR_ is in the guests group, and neither the user nor the guest group
has NTFS security access to any of the folders under the FTP root
- Despite this, anonymous users can still log on and both read and write
files in the "Public" folder they are isolated to.

To even allow anonymous connections to log on, I was expecting to have to
provide access to the "Public" folder for the IUSR_ account, and then I
thought I could prevent writing using the NTFS security.

It looks like the IUSR_ account used for anonymous access is actually using
the permissions from the users group, despite it not being in this group?

Can anyone explain what is going on?

Gino

The IUSER account inherits from the Everyone Group. If you are using IIS 5.0
the Everyone Group has FULL control of every drive, which all subdirectories
inherit from.

"James" <replytogroup@nospam.com> wrote in message
news:ehdYciN9DHA.2656@TK2MSFTNGP11.phx.gbl...

James

I removed "everyone" group access from the root and all sub folders. I've
checked all folders and none allow access for the everyone group.

"Gino" <cosine@covad.net> wrote in message
news:d9429$403175fe$44a77c62$11894@msgid
.meganewsservers.com...

I would check the IUSER account and see what groups it's a member of. If you
have removed the Everyone Group from all drives, that should cut off any
inheritance. The FTP root would need the IUSER account to have READ, LIST,
ATTRIBUTES, and EXTENDED ATTRIBUTES to connect and open the folder. You have
to go into Extended Rights and uncheck EXECUTE and TRAVERSE.
If you need to allow uploads, that should be on a sub folder: remove
inheritance and add WRITE and LIST only.
(If you're still having the same issue, try breaking inheritance on the
FTPROOT, and add SYSTEM, ADMINISTRATORS full, CREATOR OWNER clear all, and
IUSER READ, LIST, ATTRIBUTES, and EXTENDED ATTRIBUTES.)

"James" <replytogroup@nospam.com> wrote in message
news:ehdYciN9DHA.2656@TK2MSFTNGP11.phx.gbl...
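
An added example, not from the thread or from any of its posters: the permission layout described in the reply above applied with PowerShell instead of the Security tab, so that "READ, LIST, ATTRIBUTES and EXTENDED ATTRIBUTES" and "WRITE and LIST only" are pinned to explicit ACE bits. It goes one step further than the post on the upload folder, splitting the entry so that anonymous can list and create but cannot read uploads back. It assumes a Windows host with Windows PowerShell 5.1 or later, an FTP root at C:\Inetpub\ftproot with an upload subfolder named incoming, and an anonymous account using the IIS 5/6 IUSR_<computername> naming; all three are assumptions to substitute. Save it as a .ps1 and run it elevated on the FTP server; it replaces the DACL on both folders.

```powershell
# Added example, not from the thread. Applies the explicit FTP permission layout
# suggested above with PowerShell. Assumptions (substitute your own values):
#   $FtpRoot   - the isolated FTP root, assumed C:\Inetpub\ftproot
#   $UploadDir - a subfolder that accepts uploads, assumed "incoming"
#   $AnonUser  - the anonymous account, assumed the IIS 5/6 default IUSR_<host>
# Run from an elevated prompt on the FTP server; it replaces both folders' DACLs.
param(
    [string]$FtpRoot   = 'C:\Inetpub\ftproot',
    [string]$UploadDir = 'incoming',
    [string]$AnonUser  = "IUSR_$env:COMPUTERNAME"
)
$ErrorActionPreference = 'Stop'

$uploadPath = Join-Path $FtpRoot $UploadDir
foreach ($p in $FtpRoot, $uploadPath) {
    if (-not (Test-Path -LiteralPath $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
}

# Short names for the .NET enums the ACL API uses.
$R  = [System.Security.AccessControl.FileSystemRights]
$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]
$AT = [System.Security.AccessControl.AccessControlType]

function New-Ace([string]$Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, $AT::Allow)
}
# "This folder, subfolders and files", as the Security tab calls it.
$all = $IF::ContainerInherit -bor $IF::ObjectInherit

# Replace a folder's DACL with exactly the given entries: inheritance is cut and
# nothing inherited is copied, so no Users / Everyone / CREATOR OWNER entry survives.
function Set-ExplicitAcl([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# --- FTP root: READ, LIST, ATTRIBUTES, EXTENDED ATTRIBUTES; no EXECUTE/TRAVERSE ---
# FileSystemRights.Read = ReadData (same bit as ListDirectory) | ReadAttributes |
# ReadExtendedAttributes | ReadPermissions | Synchronize. The last two carry no data
# access but are requested by the Win32 GENERIC_READ mapping, so leave them in.
Set-ExplicitAcl $FtpRoot @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    $R::FullControl $all $PF::None),
    (New-Ace 'BUILTIN\Administrators' $R::FullControl $all $PF::None),
    (New-Ace $AnonUser                $R::Read        $all $PF::None)
)

# --- Upload folder: WRITE and LIST only, read a little more strictly than the post ---
# ListDirectory and ReadData share one bit, so a single "list + write" entry that
# inherits onto files would also let anonymous read uploads back. Split it: the
# folder entry (this folder and subfolders) lists and creates; the inherit-only
# file entry writes without ReadData. ReadPermissions/Synchronize satisfy GENERIC_WRITE.
$dirRights  = $R::ListDirectory -bor $R::CreateFiles -bor $R::ReadPermissions -bor $R::Synchronize
$fileRights = $R::Write -bor $R::ReadPermissions -bor $R::Synchronize
Set-ExplicitAcl $uploadPath @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    $R::FullControl $all                  $PF::None),
    (New-Ace 'BUILTIN\Administrators' $R::FullControl $all                  $PF::None),
    (New-Ace $AnonUser                $dirRights      $IF::ContainerInherit $PF::None),
    (New-Ace $AnonUser                $fileRights     $IF::ObjectInherit    $PF::InheritOnly)
)

# Show the result so the explicit entries can be checked by eye.
foreach ($p in $FtpRoot, $uploadPath) {
    "== $p"
    (Get-Acl -LiteralPath $p).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}
```

The point of building a fresh DirectorySecurity with SetAccessRuleProtection($true, $false) rather than editing the existing one is that nothing inherited is carried across by accident, which is exactly the "somewhere there is inheritance" failure the thread is chasing. The listing at the end should show only SYSTEM, Administrators and the anonymous account, all with IsInherited False.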

Bernard 2004-02-16, 9:33 pm

Well, I'm sure somewhere somehow that iusr indirectly 'inherits' the
permission somewhere; you might want to try filemon from sysinternals.com,
run it on the server, see if it's iusr writing the file, and if yes, check to see if
it belongs to any group you granted the permission.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

"James" <replytogroup@nospam.com> wrote in message
news:#lD#JCQ9DHA.2412@TK2MSFTNGP09.phx.gbl...

James 2004-02-17, 10:34 am

Thanks for both your suggestions. I broke the inheritance on the ftp root
and set the security manually (admin & system = full, creator owner = none,
users = read/execute, list folder contents and read) and then I switched the
settings round so users = none, and IUSR = read/execute, list folder contents
and read, to compare the different behaviour.

However, it seems that despite breaking the inheritance, the anonymous
account IUSR can still get users group level access.

I've checked user manager and IUSR is only a member of the guest group, and
the guest group only has IUSR in it. The users group has NT
AUTHORITY\INTERACTIVE and NT AUTHORITY\Authenticated Users.

Is an anonymous connection through IUSR considered as an Authenticated User?

I looked at filemon, but the only username I could find was NT
AUTHORITY\SYSTEM

"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:ODkx%23QU9DHA.2412@TK2MSFTNGP09.phx.gbl...

This one is very stubborn.
The IUSER account is not an authenticated user by default.
To further troubleshoot, check in the IIS manager and make sure that IUSER
is the account for anonymous.
I would then try to solve it by creating a new user account, and remove it from
the LOCAL USERS GROUP. Then use that account for anonymous and assign the
ACL rights for the FTPROOT. You will also have to give that account logon
locally and logon over the network rights in LOCAL POLICY. I do agree with
Bernard though; somewhere there is inheritance or IUSER is a member of a
Local Group.

"James" <replytogroup@nospam.com> wrote in message
news:ehdYciN9DHA.2656@TK2MSFTNGP11.phx.gbl...

Bernard 2004-02-25, 9:39 am

Sorry for the late reply.. quite busy recently.

"Is an anonymous connection through IUSR considered as an Authenticated
User?"
Yes. Once connected this will be the authenticated user token.

I believe when you see 'NT Auth\System' it is because the ftp process is
hosted in inetinfo.exe running under localsystem. This will be the process
identity; for the request identity it will be iusr again.

When you said "anonymous account IUSR can still get users group level
access."
I don't quite get you.. what group?
If you denied iusr, is iusr still able to access resource files?
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

"James" <replytogroup@nospam.com> wrote in message
news:#w6Bbya9DHA.1592@TK2MSFTNGP10.phx.gbl...
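
An added example, not part of the thread: a PowerShell script that answers James's question the way Bernard does, by showing what an anonymous FTP logon token actually contains and then finding every ACE under the FTP root that matches it. IIS logs the anonymous account on with its stored password, so the token is a normal network logon token: the account itself, its local groups expanded transitively, and the well-known SIDs every password logon receives (Everyone, Authenticated Users, NETWORK), not the ANONYMOUS LOGON SID. On a default install BUILTIN\Users joins that set because NT AUTHORITY\Authenticated Users is a direct member of it, which is the route by which "users group level access" reaches IUSR even though IUSR is only in Guests. It assumes Windows PowerShell 5.1 or later for the Get-Local* cmdlets, an FTP root at C:\Inetpub\ftproot and an anonymous account named IUSR_<computername>; all three are assumptions to substitute.

```powershell
# Added example, not from the thread. Lists the SIDs an anonymous FTP logon token
# carries and reports every ACE under the FTP root that one of them matches.
# Assumptions: Windows PowerShell 5.1+ (Get-Local* cmdlets), FTP root at
# C:\Inetpub\ftproot, anonymous account IUSR_<host>. Substitute your own values.
param(
    [string]$FtpRoot  = 'C:\Inetpub\ftproot',
    [string]$AnonUser = "IUSR_$env:COMPUTERNAME"
)
$ErrorActionPreference = 'Stop'

function ConvertTo-AccountName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Get-AnonymousTokenSids([string]$User) {
    # Resolve the account. IUSR_<host> is a local user; the newer built-in IUSR
    # (S-1-5-17) is not, so fall back to a plain name-to-SID translation.
    try { $userSid = (Get-LocalUser -Name $User).SID.Value }
    catch {
        $userSid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add($userSid)
    # Every successful password logon gets these regardless of group membership.
    # An anonymous FTP logon with the IUSR_ account is such a logon, which is why
    # "Authenticated Users" (and, through it, Users) applies to it.
    [void]$sids.Add('S-1-1-0')    # Everyone
    [void]$sids.Add('S-1-5-11')   # NT AUTHORITY\Authenticated Users
    [void]$sids.Add('S-1-5-2')    # NT AUTHORITY\NETWORK (FTP logons are network logons)

    # Transitive local-group expansion, compared by SID so name formats don't matter.
    $groups = Get-LocalGroup
    do {
        $added = $false
        foreach ($g in $groups) {
            if ($sids.Contains($g.SID.Value)) { continue }
            try { $members = @(Get-LocalGroupMember -SID $g.SID -ErrorAction Stop) }
            catch { continue }   # groups holding orphaned SIDs can fail to enumerate
            if (@($members | Where-Object { $sids.Contains($_.SID.Value) }).Count -gt 0) {
                [void]$sids.Add($g.SID.Value)
                $added = $true
            }
        }
    } while ($added)
    return ,$sids   # unary comma keeps the HashSet from being unrolled
}

function Find-MatchingAces([string]$Root, $TokenSids) {
    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Bits that let the holder change or delete content, plus the GENERIC_WRITE and
    # GENERIC_ALL bits that sometimes appear in ACEs written by older tools.
    $writeMask = [int]$FSR::Write -bor [int]$FSR::Delete -bor
                 [int]$FSR::DeleteSubdirectoriesAndFiles -bor 0x40000000 -bor 0x10000000
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if (-not $TokenSids.Contains($sid)) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                CanWrite  = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
                Inherited = $ace.IsInherited
            }
        }
    }
}

$tokenSids = Get-AnonymousTokenSids -User $AnonUser
"Principals an anonymous logon as $AnonUser matches in an ACL:"
foreach ($s in $tokenSids) { "  $(ConvertTo-AccountName $s)" }
""
# Deny entries are listed too: a Deny for the account itself beats any Allow via a group.
Find-MatchingAces -Root $FtpRoot -TokenSids $tokenSids | Sort-Object Path, Type | Format-Table -AutoSize
```

The first block of output is the answer to "what group?": if BUILTIN\Users is printed, any Allow for Users anywhere under the root is an Allow for anonymous, whatever the Guests membership says. The table then points at the exact folder and ACE, with Inherited telling you whether it came from a parent, which is what filemon could not show because it only reports the process identity (SYSTEM for inetinfo.exe), not the impersonated request identity.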