Link to home
Start Free TrialLog in
Avatar of lbgaus
lbgaus

asked on

IWAM security context question

I am trying to ensure that customers on a shared IIS 5 server do not have the ability to access other directories except for their own through the FileSystemObject in ASP, or any other means for that matter.

I have managed to get this set up correctly (where only their website directory is visible to them) by restricting the NTFS permissions for the IUSR account, but am confused as to why it works in the first place. All the sites are currently running in pooled out-of-process mode, which from doing extensive reading causes ASP execution to be run in the security context of the IWAM account, not the IUSR or SYSTEM accounts. This being said, shouldn't the security context used in the execution of the FileSystemObject be that of the IWAM account, causing directory listing to fail because the IWAM account has no permissions over it?

How, exactly, does the IWAM account affect the security context of scripts run in pooled protection mode? Is the IWAM account only used to load dllhost.exe into process? Once it is in process and being used to process the FileSystemObject commands, does that object then use the IUSR permissions to physically browse the drive?

Thanks in advance.
Avatar of lbgaus
lbgaus

ASKER

Anyone with any comments on this????
Avatar of meverest
Hi,

I agree with your assessment of how the the IWAM account/s work in iis6 mode.

What you are probably discovering with the filesystem object is a system limitation that prevents script access beyond the specific application root of the executing script.

look on 'configuration' page of 'web site properties' (or virtual directory) to view the application settings.  There is an option called 'enable parent paths' which permits executing scripts to access paths beyond the current executing application container root.

by default, "parent paths" are disabled, which is pretty much what you want in the scheme you describe.

Cheers!
Avatar of lbgaus

ASKER

I am aware of the parent paths property. However, they do not have any affect over the permissions and/or account impersonation of the system.

Is there some sort of confirmation out there that will indeed show that the IWAM user is only used to get dllhost.exe in process, and that the scripting contained within these ASP pages is run using the permissions of the IUSR account?
ASKER CERTIFIED SOLUTION
Avatar of meverest
meverest
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial