Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.
Solved
Setting IIS8 security - removing the "Users" group from c:\ and system folders.
Posted on 2013-01-04
I have an win2012/IIS 8 webserver which I am trying to secure. I want to isolate each site/user to their own folder as best as possible.
However "c:\" and all system folders have by default read/execute access for the "Users" group.
I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.
Is it normal to leave the server like this?
Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.
These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
I have moved the websites to "c:\sites\mysiteA\", "c:\sites\mysiteB\" and so on.
I have setup separate user accounts for each website and set minimum permissions for the folder (including removing the "Users" group.)
removed non essential users from other data folders like the MSSQL database folders.
However "c:\" and all system folders have by default read/execute access for the "Users" group.
I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.
Is it normal to leave the server like this?
Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.
These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
Yes, this is normal. Those permissions are very restrictive and require access thorugh RDP to the server.
Since you are using isolation, I would suggest the following approach;
1. Remove the local accounts from the local USERS Group.
2. Remove Inheritence from the c:\sites\x directories.
3. Remove USERS group permissions
4. Add "local user 1/2/3" permissions as
Read & execute
List folder contents
Read
To explain further, since you do not seem to have any network shares, there is no concern since they cannot RDP or access admin shares (X$).
Hope it helps,
Hades666
Since you are using isolation, I would suggest the following approach;
1. Remove the local accounts from the local USERS Group.
2. Remove Inheritence from the c:\sites\x directories.
3. Remove USERS group permissions
4. Add "local user 1/2/3" permissions as
Read & execute
List folder contents
Read
To explain further, since you do not seem to have any network shares, there is no concern since they cannot RDP or access admin shares (X$).
Hope it helps,
Hades666
Thanks for the reply.
1. Remove the local accounts from the local USERS Group.
Done
2. Remove Inheritence from the c:\sites\x directories.
Done
3. Remove USERS group permissions
From where?
4. Add "local user 1/2/3" permissions as Read & execute List folder contents Read
Again where?
I tried removing the separate web user accounts from the Users group but somehow they still seems to have the same rights as the "Users" group. I'm wondering if IIS 8 automatically gives them these rights when it joins them to the iis_iusrs group automatically.
1. Remove the local accounts from the local USERS Group.
Done
2. Remove Inheritence from the c:\sites\x directories.
Done
3. Remove USERS group permissions
From where?
4. Add "local user 1/2/3" permissions as Read & execute List folder contents Read
Again where?
I tried removing the separate web user accounts from the Users group but somehow they still seems to have the same rights as the "Users" group. I'm wondering if IIS 8 automatically gives them these rights when it joins them to the iis_iusrs group automatically.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource.
Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses
Course of the Month13 days, 17 hours left to enroll
656 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.