• Status: Solved

Windows Server Web Edition - IIS writing with NO PERMISSIONS SET!

I've just got a simple question about Windows Server 2003 Web Edition and IIS.

I haven't set any permissions on ANY files at all, and I notice that my ASP scripts run fine and write to required files WITHOUT ME SETTING PERMISSIONS. Is this something to be worried about or is this normal Web Edition behavior? I notice that all folders on this hard drive (the data hard drive, not the system hard drive) have inherited the Authenticated Users group in the security tab from the drive's permissions. I've not seen this before. Is this normal? I've used Server 2003 Standard a lot and not seen this, but I'm new to Web Edition.

Again, the IUSR account can apparently write WITHOUT ME SETTING PERMISSIONS. Please explain.

Thanks!
Asked by: Pugglewuggle

Blaz Commented:
There is one thing I couldn't clearly get from your question: is the problem only that you didn't set the permissions yourself, or is the problem that IUSR can write on a folder in which he has no permissions?

Pugglewuggle (Author) Commented:
The problem is that I didn't set the permissions myself AND that IUSR can write to a folder where no permissions are explicitly defined. The permissions on the folder are as follows:

Administrators (group) - Full Control
Authenticated Users (group) - everything except full control
SYSTEM - Full Control
Users (group) - Read & Execute, List Folder Contents, Read

IUSR_machinename is nowhere on the list but it can still write to the folder!

What's going on??? I'm so confused...

Blaz Commented:
IUSR is a member of Authenticated Users - so he has write and modify permissions.
Try to limit the Authenticated Users group (or delete it - it probably should not be listed) and try again.
 
Pugglewuggle (Author) Commented:
Hmmm... that's what I figured, but that still doesn't explain how the ROOT of the DRIVE, not just the folder, got Authenticated Users in the NTFS permissions.... The C: drive doesn't have it there, only my data drive.

Also, what path do you suggest taking to secure the wwwroot? Scripts not requiring Write permissions will still be able to function even if the Authenticated Users group is removed from the folder, right? I can then apply the Authenticated Users group to appropriate folders, is this right too?

Also, how do I change the default permissions for the Authenticated Users group -- I can't find it in the local security policy / computer management snap-ins.

Blaz Commented:
I believe that you should remove the "Authenticated Users" group from NTFS permissions altogether - it should not be there. It is a strange special group. That's why you can't find it in the computer management MMC. Use the "Users" group or groups defined by you, or select individual users if you need to change permissions on some folders.

The IUSR needs read permissions on ASPs. You should also check in IIS management that the folders have read and execute script permissions only.

Pugglewuggle (Author) Commented:
Thanks Blaz!
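
One way to check what the thread describes, as an added example that is not part of the original posts: this PowerShell script lists Allow ACEs under a web root that give write-type rights to Authenticated Users and two other broad built-in groups, and shows whether each ACE is inherited (as from the drive root) or set explicitly. The path `D:\Inetpub\wwwroot`, the function name `Get-BroadWriteAce`, and the choice of groups and rights are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example: list write-capable ACEs held by broad groups under a web root.
param([string]$WebRoot = 'D:\Inetpub\wwwroot')   # assumed path, pass your own

# Well-known SIDs. The thread covers Authenticated Users; Everyone and
# BUILTIN\Users are included here as an assumption about other broad groups.
$BroadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a caller create, change or delete content, or re-ACL it.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs
    # so matching does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        # Inherit-only ACEs affect children, not this object; the children
        # report them as inherited ACEs when they are scanned.
        if ($ace.PropagationFlags -band $InheritOnly) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Group     = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Scan the root and every folder below it.
$folders = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory -Force)
$folders | ForEach-Object { Get-BroadWriteAce -Path $_.FullName } |
    Sort-Object Path, Group | Format-Table -AutoSize
```

Rows with `Inherited` set to `True` come from a parent folder or the drive root, so the ACE has to be changed there (or inheritance blocked on the web root) rather than on the folder that reports it.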
