If I give IWAM and IUSR accounts full access to a folder and database on our
intranet and that same server is used as our WWW server, will the outside
world have access to that folder and the database?

Tim

[ Post a follow-up to this message ]

Depends if that folder and/or database are accessible to the outside world.

Cheers
Ken


"TIML" <t3838@hotmail.com> wrote in message
news:eUCqO24EEHA.1228@TK2MSFTNGP11.phx.gbl...
: If I give IWAM and IUSR accounts full access to a folder and database on
our
: intranet and that same server is used as our WWW server, will the outside
: world have access to that folder and the database?
:
: Tim
:
:

[ Post a follow-up to this message ]

How would the folder and db be exposed?  I would be giving read/write
permission to the folder (which is a shared folder) and the db.

Tim

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uabAZd6EEHA.2416@TK2MSFTNGP12.phx.gbl...
> Depends if that folder and/or database are accessible to the outside
world.
>
> Cheers
> Ken
>
>
> "TIML" <t3838@hotmail.com> wrote in message
> news:eUCqO24EEHA.1228@TK2MSFTNGP11.phx.gbl...
> : If I give IWAM and IUSR accounts full access to a folder and database on
> our
> : intranet and that same server is used as our WWW server, will the
outside
> : world have access to that folder and the database?
> :
> : Tim
> :
> :
>
>

[ Post a follow-up to this message ]

Suppose you have two websites:

http://www.yourCompany.com  -> c:\inetpub\mainsite\
http://intranet.yourCompany.com -> c:\inetpub\intranet\
and, your database is stored outside the webroots, eg in: c:\databases\

In this case, only files and folders under c:\inetpub\mainsite\ are visible
to the public (assuming you don't create any virtual directories). Only
files and folders under c:\inetpub\intranet\ are visible to users of the
intranet site.

In neither case, can the database be downloaded by browsers directly

Please consult the IIS online help for information on the concepts of
creating websites...

Cheers
Ken


"Tiffany" <t3838@hotmail.com> wrote in message
news:eO$wg2IFEHA.1032@TK2MSFTNGP09.phx.gbl...
: How would the folder and db be exposed?  I would be giving read/write
: permission to the folder (which is a shared folder) and the db.
:
: Tim
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:uabAZd6EEHA.2416@TK2MSFTNGP12.phx.gbl...
: > Depends if that folder and/or database are accessible to the outside
: world.
: >
: > Cheers
: > Ken
: >
: >
: > "TIML" <t3838@hotmail.com> wrote in message
: > news:eUCqO24EEHA.1228@TK2MSFTNGP11.phx.gbl...
: > : If I give IWAM and IUSR accounts full access to a folder and database
on
: > our
: > : intranet and that same server is used as our WWW server, will the
: outside
: > : world have access to that folder and the database?
: > :
: > : Tim
: > :
: > :
: >
: >
:
:

[ Post a follow-up to this message ]

Why share the folder ??  That is asking for complications.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Tiffany" <t3838@hotmail.com> wrote in message
news:eO$wg2IFEHA.1032@TK2MSFTNGP09.phx.gbl...
> How would the folder and db be exposed?  I would be giving read/write
> permission to the folder (which is a shared folder) and the db.
>
> Tim
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:uabAZd6EEHA.2416@TK2MSFTNGP12.phx.gbl... 
> world. 
on 
> outside 
>
>

[ Post a follow-up to this message ]

So basically, all I need to do is give read/write permission to the IUSR and
IWAM for the db and folder that the db resides in?  This will allow the ASP
code to run and utilize the db, but not expose the db to any hackers?

Tim
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eESTnwVFEHA.1228@TK2MSFTNGP11.phx.gbl...
> Why share the folder ??  That is asking for complications.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4)  MCDBA
> "Tiffany" <t3838@hotmail.com> wrote in message
> news:eO$wg2IFEHA.1032@TK2MSFTNGP09.phx.gbl... 
database
> on 
>
>

[ Post a follow-up to this message ]

Its pretty theoretical, but if an attacker did find away to issue the code
of his choice on your web server under the anonymous account (and there have
been plenty of previously fixed IIS vulnerabilities that allowed just this)
he would have rights to attack other resources on your machine that the
account had access to.

Better safe than sorry.  I would lock down the anonymous account as tightly
as possible.

"TIML" <t3838@hotmail.com> wrote in message
news:eUCqO24EEHA.1228@TK2MSFTNGP11.phx.gbl...
> If I give IWAM and IUSR accounts full access to a folder and database on
our
> intranet and that same server is used as our WWW server, will the outside
> world have access to that folder and the database?
>
> Tim
>
>

[ Post a follow-up to this message ]