Solved

Giving IIS_IUSR write access to Images folder on my website - is that a good idea?

Posted on 2011-03-11
7
1,163 Views
Last Modified: 2012-05-11
Hi,
I need to have an upload control on my website so admin users can upload images to site. This is done from a SSL secure admin interface. To make it work I need to give the IIS_IUSR write access rights to the Images folder. Is that a good idea? Can't oversee the security implications.
Is there another way to accomplish this? Preferably without messing with the web.config (impersonate settings).

Any thoughts appreciated. Thanks.
Jens
0
Comment
Question by:MYTAIR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35107877
If the IIS_IUSR has only write access there on the images folder, the worst that could happen is somebody pasting a malicious .aspx or .asp file and executing it. Some good security measures:

1- control the file extensions that can be uploaded, so the malicious user can't upload .asp or .aspx files for an example.

2- make absolutely sure noone can get to the restricted upload area without authentication

3- Make absolutely sure your server is not prone to Remote file Include and directory traversal attacks

4- On your secure SSL login interface, make sure that after say, three wrong password attempts, the page will be unavailable for the attacker.

These should make your server un-interesting for attacks :)
0
 
LVL 4

Expert Comment

by:bitla
ID: 35108244
I suggest you to install or run a PHP uploader script and give access to the particular web link for that user only.

Just google it
You will find uploader scripts that restricts the file types being uploaded like it will only allow: jpg, png, jpeg etc.,

I am leaving for now if you can find it thats good enough or i will post the link after an hour from now
0
 

Author Comment

by:MYTAIR
ID: 35108286
Hi Tiago,
Thanks for your reply. 1, 2 and 4 are allready in place.
I don' t know how to implement your third suggestion. How do I make my server not prone to directory traversal attacks and remote file include. Directory browsing is not allowed on the ISS.

Cheers
Jens
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 4

Expert Comment

by:bitla
ID: 35109039
0
 
LVL 5

Accepted Solution

by:
tiago_aviz earned 250 total points
ID: 35110673
Item 3 need to be solved on two tiers: first on the server (keep it updated all the time), and on your application.

Directory traversal and remote file include attacks are usually exploited within poorly-coded apps. You can evaluate their security by using tools such as Nessus and Paros Proxy.

If you have security measures 1, 2 and 4 already in place, you're good to go.

Also, a security measure that I adopt to avoid Remote file includes is to block browsing and ftp from the web server.
0
 

Author Closing Comment

by:MYTAIR
ID: 35111774
Thanks for the help!
0
 

Author Comment

by:MYTAIR
ID: 35111803
Bitla, thanks for your input, but a flash uploader script was not what I was looking for.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question