

Hosting with IIS

Hello everybody!

I'm trying to set up a Windows 2000 Server, IIS 5, for hosting. The problem is: how can I secure my customers' pages? With a simple ASP script using FileSystemObject, any customer can read whatever he wants on the HDD. So he can also read the ASP source of other customers.
For the other part of the HDD I'm thinking of removing Everyone's access in NTFS and leaving only Administrators and SYSTEM. But what to do with the users' folders? They of course need INETUSR read access. So they can read each other's script sources.
Does any solution exist for this?

Thank You!
1 Solution
If you don't need the FileSystemObject, you can disable it. The following command will disable File System Object:
regsvr32 scrrun.dll /u
From "Secure Internet Information Services 5 Checklist"

renis (Author) commented:
But my customers need that.
Now I'm thinking of another solution. Please tell me if this is right or not.

1. Create a Windows user for every customer.
2. Create a folder for the user and give NTFS access to Administrators, SYSTEM and the user account.
3. Create the website in IIS.
4. Open the IIS properties for the website just created and change the IIS user from INETUSR to the user account.

Maybe this can be a solution. In this mode every user will have access only to his folder.

But I'm not sure whether this will work or not... any opinion?
I have never tried that, but it is exactly what it says here:

Another situation you may encounter is when hosting multiple sites such as is the situation with a web hosting company. Many web hosting companies are hesitant to allow access to the FileSystemObject for fear of a user being able to access the content of another web site or worse, gain access to sensitive system files. To fix this, you must take a few extra steps when setting up multiple sites. First, you must create a unique anonymous user account for each web site. Be sure that only that account has access to its web root and that account does not have access to anything else on the system. Next, assign that anonymous account to a single web site. Any FileSystemObject code that runs on that web site will now run under this new anonymous account and will only have access to the files in its own web root. Repeat these steps for each site, giving each one its own anonymous user account, and now each user has FileSystemObject access that is contained to their own web root.

But suppose that in the above scenario that you want to give some users access to the FileSystemObject while denying other users? The solution is to set NTFS permissions to explicitly deny access for that anonymous user account to either the FileSystemObject DLL scrrun.dll or the registry key HKLM\SOFTWARE\Classes\Scripting.FileSystemObject. One interesting note about changing permissions on the registry key is that you can disable the FileSystemObject without affecting the ability for the user to use the Dictionary object. Essentially by using registry permissions, you can have granular control over who has access to what objects.

Sure, you can just disable the FileSystemObject by running regsvr32.exe /u scrrun.dll, but when properly secured the FileSystemObject can be quite safe to use, even when hosting multiple sites for multiple users.

FileSystemObject Security
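The per-site anonymous account setup described in the comment and the quoted article, written out as a Windows 2000 / IIS 5 command script. This is an added example, not code from the original thread or from the article: the site id (2), the web root D:\Sites\customer1, the account name IUSR_customer1 and the neighbouring site D:\Sites\customer2 are all assumed names, and adsutil.vbs is assumed to be in its default location under Inetpub\AdminScripts.

```batch
@echo off
rem Added example (not from the original thread). Isolates one hosted site by
rem running its anonymous requests, and therefore its FileSystemObject code,
rem under a dedicated local account that can only read its own web root.
rem Assumed: metabase site id 2, web root D:\Sites\customer1, account
rem IUSR_customer1. Run from an Administrator prompt in
rem %SystemDrive%\Inetpub\AdminScripts (where adsutil.vbs lives by default).

set SITEID=2
set SITEROOT=D:\Sites\customer1
set SITEUSER=IUSR_customer1
set SITEPASS=REPLACE-WITH-A-LONG-RANDOM-PASSWORD

rem 1. One local account per customer site. Membership in the local Users
rem    group (the default) keeps the read access to %SystemRoot% that the ASP
rem    engine needs, so do not strip Users from the system directory.
net user %SITEUSER% %SITEPASS% /add /passwordchg:no /expires:never
net user %SITEUSER% /comment:"Anonymous account for customer1 web site"

rem 2. NTFS on the web root: replace the inherited ACL (Everyone etc.) with
rem    Administrators, SYSTEM and this site's account only. Without /E cacls
rem    rewrites the whole ACL and asks for confirmation, hence the piped Y.
echo Y| cacls "%SITEROOT%" /T /G Administrators:F SYSTEM:F %SITEUSER%:R

rem 3. Point the site's anonymous authentication at that account. The password
rem    is set explicitly, so password synchronisation with the account must be
rem    off, and the logon type is switched from the IIS 5 default (interactive,
rem    which needs the "Log on locally" right) to a network logon (2).
cscript //nologo adsutil.vbs SET W3SVC/%SITEID%/Root/AnonymousPasswordSync FALSE
cscript //nologo adsutil.vbs SET W3SVC/%SITEID%/Root/AnonymousUserName "%COMPUTERNAME%\%SITEUSER%"
cscript //nologo adsutil.vbs SET W3SVC/%SITEID%/Root/AnonymousUserPass "%SITEPASS%"
cscript //nologo adsutil.vbs SET W3SVC/%SITEID%/Root/LogonMethod 2

rem 4. Optional, from the quoted article: for a customer who should not get
rem    FileSystemObject at all, deny that account the scripting runtime DLL
rem    (/E edits the existing ACL instead of replacing it, /D adds a deny).
rem cacls %SystemRoot%\system32\scrrun.dll /E /D %SITEUSER%

rem 5. Check: the new account must appear in its own web root's ACL and in no
rem    other customer's. The second findstr should print nothing.
cacls "%SITEROOT%" | findstr /I "%SITEUSER%"
cacls "D:\Sites\customer2" | findstr /I "%SITEUSER%"
```

Repeat the script with different values for each customer site. The effect relies on the anonymous account being the only identity the site's ASP code runs as, so keep Basic or Integrated authentication disabled on the customer sites; an authenticated request would run under the caller's account instead and the per-site ACL would no longer bound it.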
renis (Author) commented:
Thank you. I was searching for an article like this on the internet, but was unable to find one.
I had the same idea, but I was really unsure about it. Now I'm clear.

Thank you, Andres
