[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

How dangerous are ASPX and DLLs on a web server?

Posted on 2009-02-20
14
Medium Priority
?
412 Views
Last Modified: 2013-11-07
I run a web hosting service and allow clients to host their web sites on our servers. Our IIS 5 server has the .NET Framework installed (1.1).

I wanted  to know the concerns I should have when allowing clients to place .aspx and Delphi .DLLs on the server in their web folder?  What damage can a combination of .aspx and Delphi .DLL do? If the web folder is on drive W, can a aspx/dll combo access files on drive C? Is there anything to stop such files from deleting files that do not belong to the customer or from retrieving data on another drive or another parent folder or Registry?

Thanks.
0
Comment
Question by:Monroe406
  • 9
  • 5
14 Comments
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697793
Double post?  Here's my answer in this one as well.

When you set up the web site, you should be also setting up a user that the website will run as.  That user will have access to whatever you give it access to.  You'll want that user to have access to their folder and nothing else.
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697803
Also, here is a link to a pdf document for securing IIS 5, it includes security tips and patch suggestions.

http://sos.its.psu.edu/guides/IIS5.pdf
0
 

Author Comment

by:Monroe406
ID: 23697873
>> When you set up the web site, you should be also setting up a user that the website will run as.

Huh?

I simply create an FTP account that locks the user's uploads to a certain folder.

As far as an IIS user account...?  I don't create any.  Why do you need to create an IIS user account? The default "Operators" for all new virtual domains are "Administrator" and "computername\ASPNET"  This has always been the way I set up new virtual domains.

How do you set up this user you are referring to?  And why set up a user that currently isn't even necessary to execute aspx/dll from a remote web browser?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697889
  1.  Right click on the website directory and select Properties from the popup menu.
   2. Select the Directory Security tab on the Properties dialog
   3. Click the Edit button under Anonymous Access and Authentication Control. The Authentication Methods dialog will appear.
   4. Check Anonymous Access and click the Edit button. The Anonymous User Account dialog will be displayed.
   5. Click the Browse button and then select the username that the website will run under from the Select NT User Account dialog.
   6. Click successive OK buttons until to save settings until you return to the Directory Security tab on the Properties dialog.
   7. Optionally, edit IP Address and Domain Name Restriction to prevent access to your website from unauthorized locations.
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697898
Here you go:

Internet Information Services (IIS) 5.0 Security Guidelines
http://www.microsoft.com/downloads/details.aspx?familyid=fa89d0f6-14a3-4ef5-85ab-fab049f2f56b&displaylang=en
0
 

Author Comment

by:Monroe406
ID: 23697925
>> Click the Browse button and then select the username that the website will run under
>> from the Select NT User Account dialog.

You are still losing me.

Any time you create a new virtual domain/web site in IIS, the anonymous user is already set up for you automatically, and it is always "IUSR_computername"

What's wrong with that?  What else am I supposed to change it to?
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697963
Well, the problem with leaving every website as IUSR_computername is, that user has access to everything in the wwwroot folder.  If they wanted to they could list every folder in the wwwroot folder, and then list every file in those folders, since they have complete access.  

If you look at reseller portals like Rack Space, they use control panels that allow users to setup new websites.   Every time you setup a new website it creates a new user to run that site under, which would be something like "IUSR_websiteusername".  That username has read/write access to their folder only, nothing else.
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23697998
Here check this out, a full security check list.

http://windows.stanford.edu/docs/IISsecchecklist.htm
0
 

Author Comment

by:Monroe406
ID: 23698002
>> Well, the problem with leaving every website as IUSR_computername is,
>> that user has access to everything in the wwwroot folder.  

Well, can't I just delete the entire C:\Inetpub\wwwroot folder and not worry about this issue?

>> If they wanted to they could list every folder in the wwwroot folder, and then
>> list every file in those folders

But even if they do, what's the big deal about listing a bunch of default files that Microsoft installed?

>> Every time you setup a new website it creates a new user to run that site under, which
>> would be something like "IUSR_websiteusername".

Even if I were to create a new user account for each client who has a virtual web on my W: drive, how is that going to keep an aspx/DLL in their w:\their_account folder from deleting files in let's say "c:\winnt\system32" ?
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23698042
Ok, I see what your getting at. Does IIS 5.0 have an application pool?  I know the default user is ASPNET on IIS 5.0, that is what the application code will run under.

If ASPNET user has read/write access to your c:\winnt\ folder, then they could really mess up your server, but if you only give that user access to the W:\, then that's all they can see.
0
 

Author Comment

by:Monroe406
ID: 23698151
>>  Does IIS 5.0 have an application pool?

I'm not quite sure I understand.  In the IIS Properties > Home Directory page there is an Application Settings section with Application Protection set currently to MEDIUM (POOLED).  Does that answer your question?

>> If ASPNET user has read/write access to your c:\winnt\ folder

Forgive my ignorance, but how would they have access to c:\winnt ?  That's basically what my question was about to start with.  So we've come full circle.
0
 
LVL 15

Expert Comment

by:aibusinesssolutions
ID: 23698170
Yeah I think we got off track, I thought you were asking something different.  I'm not very familiar with Windows NT, but typically you would right click on the WinNT folder, and view the security permissions.  If ASPNET user is there, then they have access.  If not then they can't touch it.

On IIS6, there is an application pool,  each website runs either in a shared pool, or as individual applications which is more secure.  I haven't touched IIS 5.0 in about 10 years so I apologize if I'm naming things that you aren't familiar with.
0
 

Author Comment

by:Monroe406
ID: 23698227
>>  I'm not very familiar with Windows NT

I'm using Windows 2000 Server.

>> Typically you would right click on the WinNT folder, and view the security permissions

IUSR_computername does not have rights to any folder on c:\    IUSR_computername and ASPNET users only appear on drive W:\
0
 
LVL 15

Accepted Solution

by:
aibusinesssolutions earned 500 total points
ID: 23698239
Ok, if that's the case then you have nothing to worry about.  I would run IIS Lockdown on the server just to be sure though, it will scan everything and make sure your security settings are correct, and will also add additional security.

http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Suggested Courses
Course of the Month19 days, 21 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question