Eric Chaves 2006-07-28, 7:19 pm

Hi Folks,

Although it seems that nobody is reading this post any longer, I'll update it anyway.

I just finished the tests with a totally fresh and clean Windows Server 2003 installation and confirmed that "Network Service" does have write permission on folders, despite what was said before. It appears that Network Service belongs to the "Authenticated Users" group and consequently to the "Users" group, allowing it to create files and folders by default. Once the resource is created, it has full control over it as creator owner, which means that it can execute files created by itself. The effective permissions were checked with the AccessCheck utility from Sysinternals and the "Advanced Security" form of Windows Explorer, and tests successfully made with a very simple ASP.NET page under a default installation confirmed that.

In summary, by default, the "Network Service" user can create folders in any partition (C:, D:, etc.) and, in a lot of other folders including C:\INETPUB, it can create files and folders. It cannot create files under wwwroot since this folder prevents inheritance of the parent folder's permissions and overrides the defaults to "Read & Execute" only.

Again, I'm not implying that IIS is insecure "out-of-the-box" or anything else, but it does mean that IIS doesn't run as "low privileged" as said. Also, in my opinion, some explicit advice could be included in Microsoft's recommendations regarding IIS configurations. For example, it is recommended to use a different partition to store content and log files, without any hints regarding the default permissions granted to the "Users" group. In most scenarios, I guess, the Users group could be safely removed from those partitions, and explicit permissions assigned to the IIS_WPG group or similar.

Cheers,
Eric.
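The check the post describes (which broad principals hold create/write rights on a content folder) and the mitigation it proposes (drop the inherited Users grant and give the worker process group an explicit, minimal permission) can be scripted. The following is an added example, not code from the original post or from Microsoft; it assumes IIS 6 on Windows Server 2003, where the worker process group is IIS_WPG, and that the folder path is supplied by the caller. Without -Fix it only reports; with -Fix it must run from an elevated prompt.

```powershell
<#
  Added example (not from the original post): audit a content or log folder
  for the broad inherited grants the post describes, and optionally replace
  them with an explicit read/execute grant to the worker process group.
  Assumptions: IIS 6 / Windows Server 2003 (worker process group IIS_WPG);
  the folder path is supplied by the caller.
#>
param(
    [Parameter(Mandatory = $true)] [string] $Path,   # e.g. D:\WebContent (assumed path)
    [string] $WorkerGroup = 'IIS_WPG',               # IIS 6 worker process group
    [switch] $Fix
)

# Principals that, by default, receive create-file/create-folder rights from
# the volume root. CREATOR OWNER is what turns "can create" into "full control
# over what it created", as the post observed.
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER')

# Any of these bits means the principal can create or change content.
# 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which inherit-only
# ACEs carry instead of specific rights.
$rights = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$rights::CreateFiles -bor [int]$rights::CreateDirectories -bor
             [int]$rights::Modify      -bor [int]$rights::FullControl -bor
             0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string] $FolderPath)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-BroadWriteAce -FolderPath $Path)
if ($findings.Count -eq 0) {
    Write-Host "No broad create/write grants on $Path"
    return
}
Write-Host "Broad create/write grants on ${Path}:"
$findings | Format-Table -AutoSize

if (-not $Fix) { return }

# Step 1: stop inheriting from the volume root, keeping copies of the current
# ACEs as explicit entries so SYSTEM and Administrators are not lost.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Step 2: now that every ACE is explicit, remove the broad grants and add a
# least-privilege entry for the worker process group (read & execute only,
# inherited by subfolders and files). A log folder needs its own, write-capable
# grant; that is deliberately not done here.
$acl = Get-Acl -Path $Path
foreach ($who in $broadPrincipals) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $who)
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $WorkerGroup,
    $rights::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

Write-Host "Re-check:"
@(Get-BroadWriteAce -FolderPath $Path) | Format-Table -AutoSize
```

The two-step fix matters: inherited ACEs cannot be purged in memory, so inheritance is cut first (preserving copies), the ACL is re-read, and only then are the Users, Authenticated Users and CREATOR OWNER entries removed. Running the audit again afterwards, as the script does, is the same check the post made with AccessCheck and the Advanced Security dialog.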