| Author |
prevent asp.net and IUSR from accessing c:\
|
|
| Mike Schwarz 2004-11-24, 8:12 am |
| hi
i have installed a small script on a virtual web called explore.aspx
this is able to explore my whole c:\ directory, as the user asp.net
is a member of the group "Domain User / User" and this user
does has read permission on the whole drive c:\
how can i prevent this?
is it necessary that asp.net user is member of "Domain User/Users" ?
thankx for any tip/hint how to lock down my system
mike schwarz
| |
| Leon Mayne [MVP] 2004-11-24, 8:12 am |
| Mike Schwarz wrote:
> i have installed a small script on a virtual web called explore.aspx
> this is able to explore my whole c:\ directory, as the user asp.net
> is a member of the group "Domain User / User" and this user
> does has read permission on the whole drive c:\
The ASPNET and IUSR_MACHINENAME accounts should only be members of the
Guests group. Try that.
| |
| Mike Schwarz 2004-11-24, 6:26 pm |
| i have deactivated guest group... as mentioned in several forums...
"Leon Mayne [MVP]" <l.rmv.mayne@uea.ac.uk> schrieb im Newsbeitrag
news:%23b3p2dj0EHA.3416@TK2MSFTNGP09.phx.gbl...
> Mike Schwarz wrote:
>
> The ASPNET and IUSR_MACHINENAME accounts should only be members of the
> Guests group. Try that.
>
>
| |
| Tom Kaminski [MVP] 2004-11-24, 6:26 pm |
| "Mike Schwarz" <ctek@ctek.ch> wrote in message
news:#5rIjei0EHA.2156@TK2MSFTNGP10.phx.gbl...
> hi
>
> i have installed a small script on a virtual web called explore.aspx
> this is able to explore my whole c:\ directory, as the user asp.net
> is a member of the group "Domain User / User" and this user
> does has read permission on the whole drive c:\
>
> how can i prevent this?
> is it necessary that asp.net user is member of "Domain User/Users" ?
>
> thankx for any tip/hint how to lock down my system
Is your IIS server also the domain controller?
| |
| Tom Kaminski [MVP] 2004-11-24, 6:26 pm |
| "Mike Schwarz" <ctek@ctek.ch> wrote in message
news:uD2BPvj0EHA.2788@TK2MSFTNGP15.phx.gbl...
> i have deactivated guest group... as mentioned in several forums...
You certainly did not mention that here.
| |
| Mike Schwarz 2004-11-25, 2:50 am |
| yes, my webserver is setup as domain controller
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> schrieb im Newsbeitrag
news:ezQE1Gk0EHA.2316@TK2MSFTNGP15.phx.gbl...
> "Mike Schwarz" <ctek@ctek.ch> wrote in message
> news:#5rIjei0EHA.2156@TK2MSFTNGP10.phx.gbl...
>
> Is your IIS server also the domain controller?
>
>
| |
| Jeff Cochran 2004-11-27, 2:47 am |
| On Wed, 24 Nov 2004 14:17:45 +0100, "Mike Schwarz" <ctek@ctek.ch>
wrote:
>i have installed a small script on a virtual web called explore.aspx
>this is able to explore my whole c:\ directory, as the user asp.net
>is a member of the group "Domain User / User" and this user
>does has read permission on the whole drive c:\
>
>how can i prevent this?
Don't have the asp.net user in the domain users group *and* remove
domain users from the NTFS permissions for the root of C:\.
>is it necessary that asp.net user is member of "Domain User/Users" ?
No.
Are you running IIS on a DC? There are idiosyncracies to this since
the IIS accounts become domain accounts and have a different access
potential than if they are local accounts. Basically, remove all
access for accounts that don't need access.
Jeff
|
|
|
|