Solved

fileSystem object and remote permissions

Posted on 2004-03-26
22
474 Views
Last Modified: 2006-11-17
You can have every point I've got if you can help me make this work... that's only 224 don't get excited.

<%
set fso = server.CreateObject("scripting.filesystemObject")
listpath = "\\server\listdirectory\"
masterpath = "\\server\masterdirectory\"
scriptpath = "\\server\scriptdirectory\"
fso.CreateFolder listpath
fso.CreateFolder masterpath
fso.CreateFolder scriptpath
%>

I'm getting a permission denied error.  I'm sure it's some kind of user rights issue with IUSER_server but I can't figure it out.  
0
Comment
Question by:1cell
  • 10
  • 6
  • 4
  • +2
22 Comments
 
LVL 20

Expert Comment

by:jitganguly
Comment Utility
Make sure IUSER_server user has all the permission
0
 
LVL 6

Expert Comment

by:sforcier
Comment Utility
To clarify, navigate to the folder c:\inetpub\wwwroot\listdirectory\ (if you're web app isn't on the root, then it will have a different path). Right click on the folder, choose properties, choose security, click "Add", select the "IUSR_server", and change their permissions to include read, write, and (I believe you'll also need) modify. Repeat this process for the other folders. After you get it working, try removing the modify permissions and see if it still works. The weaker the permissions for IUSR_server (while still being functional), the better.
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
sforcier, to clarify a bit more....  \\server\directory\ is a directory on a remote server.  it's not on the same machine as the web server.

jitganguly, domain\IUSER_server has everything but Delete Subfolders and Files, Change Permissions, and Change Ownership. is ALL really necessary???
0
 
LVL 11

Expert Comment

by:mouatts
Comment Utility
For this to work the IUser_server account must have permissions to write to the folder and it must have rights to access these directories using the same username and password that the IUSR account has.

Now if that is a problem the solution is to add the paths as virtual directories using the correct password. This would open up the directories to the outside world so turn authentication on for those virtual directories and disable all IP addresses apart from that of the server to block them again.

HTH
Steve
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
mouatts, I let windoze manage the IUSER password.  I don't even know what it is unless I assign it.  I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

Maybe the virtual directories solution is best.  I didn't really give it much thought because of the security issues but authenticating on IP would work.
0
 
LVL 11

Expert Comment

by:mouatts
Comment Utility
> I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

I think so. Certainly looking at my servers the USR account is a local one. The only USR account which is a domain one is for the web server that sits on the domain controller.

Steve
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
well, I tried creating a virtual directory under the existing site but I'm still getting a permission denied error.  In the properties for the virtual directory, I used a user with full permissions to the parent directory and applied them all to all subdirectories.

I can browse the virtual directory through IIS mgr so the password is correct, right?
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
I also got the same result when trying to map a drive letter and do it that way.
0
 
LVL 11

Expert Comment

by:mouatts
Comment Utility
No you don't want to do it via a drive letter. When you do that it is your account that is allowed access not the IUSR account.
When you create the virtual directory enter the UNC filename and on the next screen it will prompt you for the username and password.

Steve
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
and for that user I can use any user with the permissions to the target directory?

that's what I did, and I've been playing with, but I can't get it to go.
0
 
LVL 11

Expert Comment

by:mouatts
Comment Utility
Trying restarting IIS it's sometimes a bit of a pig to get this to take. Trust me it works but believe me when I tell you I have spent hours retyping the bloody thing before it seems to connect :(

Steve
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 11

Expert Comment

by:mouatts
Comment Utility
Just a though you may need the domain name in front of the username eg mydomain/adminsitrator
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
restarted, same error

the domain name is in front of the username.

I was reading an article about duplicate anonymous accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;184566
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
and this...

http://support.microsoft.com/default.aspx?scid=kb;en-us;169271

I'm gonna see what I can mess up in that direction.
0
 
LVL 6

Accepted Solution

by:
sforcier earned 224 total points
Comment Utility
Another road to go down might be to change the user that the ASP page "behaves like" (I skimmed the previous posts, so if this has been suggested, please ignore). To do this, open IIS Manager, navigate to the ASP page that needs access (not the folders your trying to get to), right click the file and choose properties. From there, choose the "file security" tab, click "Edit" in the Anonymous Access section. Check the "anonymous access" checkbox at the top, click "edit" or "browse" to change the anonymous user account. Choose a pre-existing user with sufficient privledges (if you're just testing, perhaps just use a domain admin, but be careful as this is a security risk). Uncheck "Allow IIS to manage password for me" and type in the password. Then click "apply/ok" until you're back at the IIS Manager screen.

If you have this in a test environment and it is adequately shielded from the outside, then use the Domain Admin account. Otherwise, you could create a new domain user and give them lots of privledges on the folders, test the ASP page, and then slowly back off the privledges until it no longer works.
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
HEY! There you go!  Lemme fiddle around with this a bit and make sure I can apply it to my situation.  It worked for my testing purposes.
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
thanks a lot to everybody but sforcier's idea worked very well for me and I'll be able to enforce user level security on it as well so I can implement it per page and not worry about other holes.
0
 
LVL 6

Expert Comment

by:sforcier
Comment Utility
I'm glad I could help! I just want to reiterate how careful you should be when doing this. Granting an ASP page more power makes it easier to hack. I'm sure you're aware of this, and I'm sure you'll use due dilligence; I just can't stress this point enough.
0
 
LVL 6

Author Comment

by:1cell
Comment Utility
that's what I mean about enforcing user level security.  While the page has permissions, I can set requirements within it by using userLevels that already exist in my app..... so, only specific logged in users can even access the page.  anybody else gets redirected.

you think that's adequate???
0
 
LVL 6

Expert Comment

by:sforcier
Comment Utility
I don't know that I fully understand what you mean by "user level access" specifically. If you mean disabling anonymous access or using NTFS security on the individual ASP pages, then yes, that should certainly be adequate.
0
 

Expert Comment

by:joninhas
Comment Utility
I have an asp application that colects images from a folder generated by a scanner. This folder is in a network drive (like \\a_drive\scanner). I wish to move all images from this folder to another folder wich is located in my local server.
Please help...
0
 
LVL 11

Expert Comment

by:mouatts
Comment Utility
joninhas you will need to post your own question. You can't just piggy back another.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now