Microsoft Content Management Server - IIS LockDown tool question


Author IIS LockDown tool question
Dariusz Tomoń

2005-03-23, 7:47 am

Hello

I'm just about to install the IIS LockDown tool. The question is simply about that tool's settings, because it proposes to kill writing to content directories as follows:

Writing to content directories: By design, IIS allows the anonymous user account IUSR_<computername> to only read Web content. However, if this protection failed for any reason, an attacker might be able to change the Web pages on the server, and thus deface the Web site. Selecting the Running content directories check box explicitly denies the IUSR_<computername> account write access to the directories that house Web content. When this check box is selected, the IIS Lockdown Wizard sets an ACE on all files and folders referenced by virtual directories, including files and folders that are located on remote computers. The ACE denies write privileges to all anonymous user accounts that have been configured on the server (including IUSR_<computername>), as well as all user accounts that are used for running Web applications (including IWAM_<computername>).
Microsoft recommends that you prevent the IIS anonymous user account from writing to Web content directories.

The question is: if I disable writing to content directories, I eventually disable a major function of MCMS, which I will be installing in the second step.
I'm not sure if I'm right.

Darek
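
One way to see which write ACEs the setting quoted above leaves on a content tree, as an added example that is not part of the original thread or of the IIS Lockdown tool. It assumes PowerShell 3.0 or later is available on the server; the content path `C:\Inetpub\wwwroot` and the function name `Get-WriteAce` are assumptions for illustration.

```powershell
# Added example: list Allow/Deny ACEs that carry write-type rights for the
# IIS anonymous (IUSR_) and web application (IWAM_) accounts.
param(
    [string]$ContentRoot = 'C:\Inetpub\wwwroot',   # assumed content directory
    [string[]]$Accounts  = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME")
)

# Rights that let an account change content. Read-type bits are left out on
# purpose so that a plain read-only ACE is not reported.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WriteAce {
    param([string]$Path, [string[]]$Names)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference looks like MACHINE\IUSR_MACHINE; compare the account part only.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if (($Names -contains $name) -and (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Account   = $name
                Type      = $ace.AccessControlType    # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Walk the root itself plus every file and folder below it.
$items = @(Get-Item -LiteralPath $ContentRoot) +
         @(Get-ChildItem -LiteralPath $ContentRoot -Recurse -Force)
$found = foreach ($item in $items) { Get-WriteAce -Path $item.FullName -Names $Accounts }

# Summary per account: Deny entries are what the wizard setting adds,
# Allow entries are the ones a defender wants to review.
foreach ($acct in $Accounts) {
    $deny  = @($found | Where-Object { $_.Account -eq $acct -and $_.Type -eq 'Deny' })
    $allow = @($found | Where-Object { $_.Account -eq $acct -and $_.Type -eq 'Allow' })
    '{0}: {1} deny-write ACE(s), {2} allow-write ACE(s)' -f $acct, $deny.Count, $allow.Count
}

# Detail for any ACE that grants write access to one of the accounts.
$found | Where-Object { $_.Type -eq 'Allow' } |
    Format-Table Path, Account, Rights, Inherited -AutoSize
```

The script only inspects ACEs that name the listed accounts directly; write access granted through a group the account belongs to is not shown.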
Stefan [MSFT]

2005-03-23, 7:47 am

Hi Dariusz,

On the MCMS 2002 CD there is a template for IIS Lockdown.
Just use this template.

Cheers,
Stefan.

--
This posting is provided "AS IS" with no warranties, and confers no rights
Book: Building Websites Using MCMS: http://tinyurl.com/6zj44



Copyright 2003 - 2008 webservertalk.com