hi

i have installed a small script on a virtual web called explore.aspx
this is able to explore my whole c:\ directory, as the user asp.net
is a member of the group "Domain User / User" and this user
does has read permission on the whole drive c:\

how can i prevent this?
is it necessary that asp.net user is member of "Domain User/Users" ?

thankx for any tip/hint how to lock down my system

mike schwarz

[ Post a follow-up to this message ]

Mike Schwarz wrote:
> i have installed a small script on a virtual web called explore.aspx
> this is able to explore my whole c:\ directory, as the user asp.net
> is a member of the group "Domain User / User" and this user
> does has read permission on the whole drive c:\

The ASPNET and IUSR_MACHINENAME accounts should only be members of the
Guests group. Try that.

[ Post a follow-up to this message ]

i have deactivated guest group... as mentioned in several forums...


"Leon Mayne [MVP]" <l.rmv.mayne@uea.ac.uk> schrieb im Newsbeitrag
news:%23b3p2dj0EHA.3416@TK2MSFTNGP09.phx.gbl...
> Mike Schwarz wrote: 
>
> The ASPNET and IUSR_MACHINENAME accounts should only be members of the
> Guests group. Try that.
>
>

[ Post a follow-up to this message ]

"Mike Schwarz" <ctek@ctek.ch> wrote in message
news:#5rIjei0EHA.2156@TK2MSFTNGP10.phx.gbl...
> hi
>
> i have installed a small script on a virtual web called explore.aspx
> this is able to explore my whole c:\ directory, as the user asp.net
> is a member of the group "Domain User / User" and this user
> does has read permission on the whole drive c:\
>
> how can i prevent this?
> is it necessary that asp.net user is member of "Domain User/Users" ?
>
> thankx for any tip/hint how to lock down my system

Is your IIS server also the domain controller?

[ Post a follow-up to this message ]

"Mike Schwarz" <ctek@ctek.ch> wrote in message
news:uD2BPvj0EHA.2788@TK2MSFTNGP15.phx.gbl...
> i have deactivated guest group... as mentioned in several forums...

You certainly did not mention that here.

[ Post a follow-up to this message ]

yes, my webserver is setup as domain controller

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> schrieb im Newsbeitra
g
news:ezQE1Gk0EHA.2316@TK2MSFTNGP15.phx.gbl...
> "Mike Schwarz" <ctek@ctek.ch> wrote in message
> news:#5rIjei0EHA.2156@TK2MSFTNGP10.phx.gbl... 
>
> Is your IIS server also the domain controller?
>
>

[ Post a follow-up to this message ]

On Wed, 24 Nov 2004 14:17:45 +0100, "Mike Schwarz" <ctek@ctek.ch>
wrote:

>i have installed a small script on a virtual web called explore.aspx
>this is able to explore my whole c:\ directory, as the user asp.net
>is a member of the group "Domain User / User" and this user
>does has read permission on the whole drive c:\
>
>how can i prevent this?

Don't have the asp.net user in the domain users group *and* remove
domain users from the NTFS permissions for the root of C:\.

>is it necessary that asp.net user is member of "Domain User/Users" ?

No.

Are you running IIS on a DC?  There are idiosyncracies to this since
the IIS accounts become domain accounts and have a different access
potential than if they are local accounts.  Basically, remove all
access for accounts that don't need access.

Jeff

[ Post a follow-up to this message ]