asked on
IWAM security context question
I am trying to ensure that customers on a shared IIS 5 server do not have the ability to access other directories except for their own through the FileSystemObject in ASP, or any other means for that matter.
I have managed to get this set up correctly (where only their website directory is visible to them) by restricting the NTFS permissions for the IUSR account, but am confused as to why it works in the first place. All the sites are currently running in pooled out-of-process mode, which from doing extensive reading causes ASP execution to be run in the security context of the IWAM account, not the IUSR or SYSTEM accounts. This being said, shouldn't the security context used in the execution of the FileSystemObject be that of the IWAM account, causing directory listing to fail because the IWAM account has no permissions over it?
How, exactly, does the IWAM account affect the security context of scripts run in pooled protection mode? Is the IWAM account only used to load dllhost.exe into process? Once it is in process and being used to process the FileSystemObject commands, does that object then use the IUSR permissions to physically browse the drive?
Thanks in advance.
I have managed to get this set up correctly (where only their website directory is visible to them) by restricting the NTFS permissions for the IUSR account, but am confused as to why it works in the first place. All the sites are currently running in pooled out-of-process mode, which from doing extensive reading causes ASP execution to be run in the security context of the IWAM account, not the IUSR or SYSTEM accounts. This being said, shouldn't the security context used in the execution of the FileSystemObject be that of the IWAM account, causing directory listing to fail because the IWAM account has no permissions over it?
How, exactly, does the IWAM account affect the security context of scripts run in pooled protection mode? Is the IWAM account only used to load dllhost.exe into process? Once it is in process and being used to process the FileSystemObject commands, does that object then use the IUSR permissions to physically browse the drive?
Thanks in advance.
Microsoft IIS Web Server
Last Comment
meverest
ASKER
Anyone with any comments on this????
Hi,
I agree with your assessment of how the the IWAM account/s work in iis6 mode.
What you are probably discovering with the filesystem object is a system limitation that prevents script access beyond the specific application root of the executing script.
look on 'configuration' page of 'web site properties' (or virtual directory) to view the application settings. There is an option called 'enable parent paths' which permits executing scripts to access paths beyond the current executing application container root.
by default, "parent paths" are disabled, which is pretty much what you want in the scheme you describe.
Cheers!
I agree with your assessment of how the the IWAM account/s work in iis6 mode.
What you are probably discovering with the filesystem object is a system limitation that prevents script access beyond the specific application root of the executing script.
look on 'configuration' page of 'web site properties' (or virtual directory) to view the application settings. There is an option called 'enable parent paths' which permits executing scripts to access paths beyond the current executing application container root.
by default, "parent paths" are disabled, which is pretty much what you want in the scheme you describe.
Cheers!
ASKER
I am aware of the parent paths property. However, they do not have any affect over the permissions and/or account impersonation of the system.
Is there some sort of confirmation out there that will indeed show that the IWAM user is only used to get dllhost.exe in process, and that the scripting contained within these ASP pages is run using the permissions of the IUSR account?
Is there some sort of confirmation out there that will indeed show that the IWAM user is only used to get dllhost.exe in process, and that the scripting contained within these ASP pages is run using the permissions of the IUSR account?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.