Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 484
  • Last Modified:

fileSystem object and remote permissions

You can have every point I've got if you can help me make this work... that's only 224 don't get excited.

<%
set fso = server.CreateObject("scripting.filesystemObject")
listpath = "\\server\listdirectory\"
masterpath = "\\server\masterdirectory\"
scriptpath = "\\server\scriptdirectory\"
fso.CreateFolder listpath
fso.CreateFolder masterpath
fso.CreateFolder scriptpath
%>

I'm getting a permission denied error.  I'm sure it's some kind of user rights issue with IUSER_server but I can't figure it out.  
0
1cell
Asked:
1cell
  • 10
  • 6
  • 4
  • +2
1 Solution
 
jitgangulyCommented:
Make sure IUSER_server user has all the permission
0
 
sforcierCommented:
To clarify, navigate to the folder c:\inetpub\wwwroot\listdirectory\ (if you're web app isn't on the root, then it will have a different path). Right click on the folder, choose properties, choose security, click "Add", select the "IUSR_server", and change their permissions to include read, write, and (I believe you'll also need) modify. Repeat this process for the other folders. After you get it working, try removing the modify permissions and see if it still works. The weaker the permissions for IUSR_server (while still being functional), the better.
0
 
1cellAuthor Commented:
sforcier, to clarify a bit more....  \\server\directory\ is a directory on a remote server.  it's not on the same machine as the web server.

jitganguly, domain\IUSER_server has everything but Delete Subfolders and Files, Change Permissions, and Change Ownership. is ALL really necessary???
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
mouattsCommented:
For this to work the IUser_server account must have permissions to write to the folder and it must have rights to access these directories using the same username and password that the IUSR account has.

Now if that is a problem the solution is to add the paths as virtual directories using the correct password. This would open up the directories to the outside world so turn authentication on for those virtual directories and disable all IP addresses apart from that of the server to block them again.

HTH
Steve
0
 
1cellAuthor Commented:
mouatts, I let windoze manage the IUSER password.  I don't even know what it is unless I assign it.  I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

Maybe the virtual directories solution is best.  I didn't really give it much thought because of the security issues but authenticating on IP would work.
0
 
mouattsCommented:
> I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

I think so. Certainly looking at my servers the USR account is a local one. The only USR account which is a domain one is for the web server that sits on the domain controller.

Steve
0
 
1cellAuthor Commented:
well, I tried creating a virtual directory under the existing site but I'm still getting a permission denied error.  In the properties for the virtual directory, I used a user with full permissions to the parent directory and applied them all to all subdirectories.

I can browse the virtual directory through IIS mgr so the password is correct, right?
0
 
1cellAuthor Commented:
I also got the same result when trying to map a drive letter and do it that way.
0
 
mouattsCommented:
No you don't want to do it via a drive letter. When you do that it is your account that is allowed access not the IUSR account.
When you create the virtual directory enter the UNC filename and on the next screen it will prompt you for the username and password.

Steve
0
 
1cellAuthor Commented:
and for that user I can use any user with the permissions to the target directory?

that's what I did, and I've been playing with, but I can't get it to go.
0
 
mouattsCommented:
Trying restarting IIS it's sometimes a bit of a pig to get this to take. Trust me it works but believe me when I tell you I have spent hours retyping the bloody thing before it seems to connect :(

Steve
0
 
mouattsCommented:
Just a though you may need the domain name in front of the username eg mydomain/adminsitrator
0
 
1cellAuthor Commented:
restarted, same error

the domain name is in front of the username.

I was reading an article about duplicate anonymous accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;184566
0
 
1cellAuthor Commented:
and this...

http://support.microsoft.com/default.aspx?scid=kb;en-us;169271

I'm gonna see what I can mess up in that direction.
0
 
sforcierCommented:
Another road to go down might be to change the user that the ASP page "behaves like" (I skimmed the previous posts, so if this has been suggested, please ignore). To do this, open IIS Manager, navigate to the ASP page that needs access (not the folders your trying to get to), right click the file and choose properties. From there, choose the "file security" tab, click "Edit" in the Anonymous Access section. Check the "anonymous access" checkbox at the top, click "edit" or "browse" to change the anonymous user account. Choose a pre-existing user with sufficient privledges (if you're just testing, perhaps just use a domain admin, but be careful as this is a security risk). Uncheck "Allow IIS to manage password for me" and type in the password. Then click "apply/ok" until you're back at the IIS Manager screen.

If you have this in a test environment and it is adequately shielded from the outside, then use the Domain Admin account. Otherwise, you could create a new domain user and give them lots of privledges on the folders, test the ASP page, and then slowly back off the privledges until it no longer works.
0
 
1cellAuthor Commented:
HEY! There you go!  Lemme fiddle around with this a bit and make sure I can apply it to my situation.  It worked for my testing purposes.
0
 
1cellAuthor Commented:
thanks a lot to everybody but sforcier's idea worked very well for me and I'll be able to enforce user level security on it as well so I can implement it per page and not worry about other holes.
0
 
sforcierCommented:
I'm glad I could help! I just want to reiterate how careful you should be when doing this. Granting an ASP page more power makes it easier to hack. I'm sure you're aware of this, and I'm sure you'll use due dilligence; I just can't stress this point enough.
0
 
1cellAuthor Commented:
that's what I mean about enforcing user level security.  While the page has permissions, I can set requirements within it by using userLevels that already exist in my app..... so, only specific logged in users can even access the page.  anybody else gets redirected.

you think that's adequate???
0
 
sforcierCommented:
I don't know that I fully understand what you mean by "user level access" specifically. If you mean disabling anonymous access or using NTFS security on the individual ASP pages, then yes, that should certainly be adequate.
0
 
joninhasCommented:
I have an asp application that colects images from a folder generated by a scanner. This folder is in a network drive (like \\a_drive\scanner). I wish to move all images from this folder to another folder wich is located in my local server.
Please help...
0
 
mouattsCommented:
joninhas you will need to post your own question. You can't just piggy back another.
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 10
  • 6
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now