Recommended security in hosting environment

This is Interesting: Free IT Magazines Now Free shipping to

Web Server Talk > Web Servers reviews > IIS server support > IIS Server Security > Recommended security in hosting environment

Last Thread Next Thread Next

Recommended security in hosting environment

cobba

Click here to Send cobba a Private Message

04-07-04 04:58 AM

Hi

I was just wondering if anyone had any recommendations on the security for a
 hosting environment?  eg if you had a databases folder, log folder, www fol
der, what sort of permissions would you put in there? 

Also, how would you configure IIS whether the sites were IP based hosting, o
r name based hosting?

Any suggestions are much appreciated!

[ Post a follow-up to this message ]

Re: Recommended security in hosting environment

Dmitry Burtsev

04-07-04 08:34 AM

Hello!
I am use name based virtual hosting. On my servers I do such things.
For new hosting user I create two accounts. One for user access by ftp,
second for IIS anonymous access.
Users upload their content by ftp. On their home directory  set full control
for user account.  Web site point on directory "www", on it set RX
permissions for IIS anonymous account.
DB folders -   .mdb files (Access database) users put in subdirectory under
"www".  In IIS console I uncheck  all boxes on  Properties -> Directory for
this directory.
Log folder - My users didn't need access their log files. I keep it on
another partitions (another disk will be best for perfomance). But you cant
create folder for it  under home directory.

Simple scheme:

/
|-Log folder
|-WWW
|-DB
|-Content

For security in IIS console on web site properties go to "Home Directory"
and uncheck all boxes except "Read" and "Log visits" (if you need it)
Sorry for my English.

Dmitry Burtsev (burtsev@km.ru)

"cobba" <cobba.14bv5m@mail.webservertalk.com> wrote in message
news:cobba.14bv5m@mail.webservertalk.com...
>
> Hi
>
> I was just wondering if anyone had any recommendations on the security
> for a hosting environment?  eg if you had a databases folder, log
> folder, www folder, what sort of permissions would you put in there?
>
> Also, how would you configure IIS whether the sites were IP based
> hosting, or name based hosting?
>
> Any suggestions are much appreciated!
>
>
>
> --
> cobba
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message174428.html
>

[ Post a follow-up to this message ]

Re: Recommended security in hosting environment

Jeff Cochran

04-07-04 02:42 PM

On Tue, 6 Apr 2004 23:58:00 -0500, cobba
<cobba.14bv5m@mail.webservertalk.com> wrote:

>I was just wondering if anyone had any recommendations on the security
>for a hosting environment?  eg if you had a databases folder, log
>folder, www folder, what sort of permissions would you put in there?

Configure a database folder outside the web heirarchy for each account
and it can't be accessed directly by HTTP.  Instruct users on how to
connect using ADO.  Database folders need MODIFY permission for the
anonymous account for that site, so you're stuck there.

Set each site to log to its own folder as well, with pemissions for
the system and the user's account.  The rest depends on whether you're
letting clients use a control panel to manage their own permissions,
whether you allow FrontPage extensions, etc.

>Also, how would you configure IIS whether the sites were IP based
>hosting, or name based hosting?

See the ISP section on Microsoft's siste for white papers discussing
this as well as provisioning tools.

Jeff

[ Post a follow-up to this message ]

Re: Recommended security in hosting environment

Roger Abell [MVP]

04-11-04 08:36 PM

You have some good answers already, to which I would like to add some.
Whether the sites are IP based or host header name based makes not
difference in what you need to do.  However, if by name based you mean
a web name within an existing site is granted to a different party that does
cause differences.

In my own provisioning what I do depends on things like
whether IIS version is 5 or 6
whether Asp and/or Asp.Net authoring is allowed
whether FrontPage/Sharepoint extension is used
whether ownership boundary is the site or the web with site
what authentication methods are used if non-anonymous web
or areas within the site
whether certain optional things like file upload (from browsing
client) will be allowed
whether the authors are trusted (corp punishable types, or the
general public)
and a mixed bag of other things

If you would start by defining the matrix of your hosting then it
is more simple to list the exposures against which you need to
have awareness and places where you can take precautions.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"cobba" <cobba.14bv5m@mail.webservertalk.com> wrote in message
news:cobba.14bv5m@mail.webservertalk.com...
>
> Hi
>
> I was just wondering if anyone had any recommendations on the security
> for a hosting environment?  eg if you had a databases folder, log
> folder, www folder, what sort of permissions would you put in there?
>
> Also, how would you configure IIS whether the sites were IP based
> hosting, or name based hosting?
>
> Any suggestions are much appreciated!
>
>
>
> --
> cobba
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message174428.html
>

[ Post a follow-up to this message ]