Hosting with IIS

Posted on 2003-03-26
Medium Priority
Last Modified: 2012-05-04
Hello everybody!

I'm trying to set up a Windows 2000 Server, IIS 5, for hosting. The problem is: how can I secure my customers' pages? With a simple ASP script, using FileSystemObject, any customer can read whatever he wants on the HDD. So he can also read the ASP source of other customers.
For the other part of the HDD I'm thinking of removing Everyone access at NTFS and putting only Administrators and SYSTEM. But what to do with the users' folders? They of course need IUSR read. So they can read each other's script sources.
Does any solution exist for this?

Thank You!
Question by:renis
LVL 10

Expert Comment

ID: 8211720
If you don't need the FileSystemObject, you can disable it. The following command will disable File System Object:
regsvr32 scrrun.dll /u
From "Secure Internet Information Services 5 Checklist"


Author Comment

ID: 8212463
But my customers need that.
Now I'm thinking of another solution. Please tell me if this is right or not.

1. Open a Windows user for every customer.
2. Create a folder for the user and give NTFS access to Administrators, SYSTEM and the user account.
3. Create the website in IIS.
4. Open the IIS properties for the website just created and change the IIS user from IUSR to the user account.

Maybe this can be a solution. In this mode every user will have access only to his folder.

But I'm not sure whether this will work or not... any opinion?
LVL 10

Accepted Solution

AndresM earned 750 total points
ID: 8212521
I have never tried that, but it is exactly what it says here:

Another situation you may encounter is when hosting multiple sites such as is the situation with a web hosting company. Many web hosting companies are hesitant to allow access to the FileSystemObject for fear of a user being able to access the content of another web site or worse, gain access to sensitive system files. To fix this, you must take a few extra steps when setting up multiple sites. First, you must create a unique anonymous user account for each web site. Be sure that only that account has access to its web root and that account does not have access to anything else on the system. Next, assign that anonymous account to a single web site. Any FileSystemObject code that runs on that web site will now run under this new anonymous account and will only have access to the files in its own web root. Repeat these steps for each site, giving each one its own anonymous user account, and now each user has FileSystemObject access that is contained to their own web root.

But suppose that in the above scenario that you want to give some users access to the FileSystemObject while denying other users? The solution is to set NTFS permissions to explicitly deny access for that anonymous user account to either the FileSystemObject DLL scrrun.dll or the registry key HKLM\SOFTWARE\Classes\Scripting.FileSystemObject. One interesting note about changing permissions on the registry key is that you can disable the FileSystemObject without affecting the ability for the user to use the Dictionary object. Essentially by using registry permissions, you can have granular control over who has access to what objects.

Sure, you can just disable the FileSystemObject by running regsvr32.exe /u scrrun.dll, but when properly secured the FileSystemObject can be quite safe to use, even when hosting multiple sites for multiple users.

FileSystemObject Security
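The per-site anonymous account procedure described above, as an added batch script for IIS 5 that is not part of the thread or the quoted article; the site ID (2), web root (D:\Sites\customer1), account name (customer1_anon) and the default location of adsutil.vbs are placeholders, and the password is taken from the first argument.

```batch
@echo off
rem Added example (not from the thread): give one hosted site its own anonymous
rem account, lock the web root down to that account, and point the IIS 5 site at it.
rem Placeholders: site ID 2, web root D:\Sites\customer1, account customer1_anon.
setlocal
set SITEID=2
set WEBROOT=D:\Sites\customer1
set ANONUSER=customer1_anon
set ANONPASS=%1
if "%ANONPASS%"=="" (
  echo usage: %~nx0 ^<password-for-%ANONUSER%^>
  exit /b 1
)

rem 1. Local account used only by this site.
net user %ANONUSER% %ANONPASS% /add /passwordchg:no /expires:never /comment:"Anonymous account for customer1 web site"
rem    "net user /add" puts it in Users; remove it so it inherits none of that group's file access.
net localgroup Users %ANONUSER% /delete

rem 2. Replace the ACL on the web root: only Administrators, SYSTEM and this account.
rem    /T recurses; /G without /E replaces existing entries (cacls asks for confirmation).
rem    IIS needs Read for the anonymous user; give it Change only on folders that must be writable.
echo y| cacls "%WEBROOT%" /T /G Administrators:F SYSTEM:F %ANONUSER%:R

rem 3. Run the site as this account instead of the shared IUSR_<machine> account.
rem    AnonymousPasswordSync must be off when a custom account and password are supplied.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
cscript //nologo "%ADSUTIL%" SET W3SVC/%SITEID%/Root/AnonymousUserName %ANONUSER%
cscript //nologo "%ADSUTIL%" SET W3SVC/%SITEID%/Root/AnonymousUserPass %ANONPASS%
cscript //nologo "%ADSUTIL%" SET W3SVC/%SITEID%/Root/AnonymousPasswordSync FALSE

rem 4. Check what IIS will actually use for this site.
cscript //nologo "%ADSUTIL%" GET W3SVC/%SITEID%/Root/AnonymousUserName
endlocal
```

Two caveats the script does not cover: with password sync off, IIS 5 logs the account on locally, so it must hold the "Log on locally" right (Local Security Policy), and the web root should have inheritance from its parent folder turned off in the Security tab, otherwise Everyone or Users entries from the parent can flow back in.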

Author Comment

ID: 8213716
Thank you. I was searching for an article like this on the Internet, but was unable to find one.
I had the same idea, but I was really unsure about it. Now I'm clear.

Thank you Andres
