Solved

Setting IIS8 security - removing the "Users" group from c:\ and system folders.

Posted on 2013-01-04
2
274 Views
Last Modified: 2014-08-22
I have an win2012/IIS 8 webserver which I am trying to secure. I want to isolate each site/user to their own folder as best as possible.

I have moved the websites to "c:\sites\mysiteA\", "c:\sites\mysiteB\" and so on.

I have setup separate user accounts for each website and set minimum permissions for the folder (including removing the "Users" group.)

removed non essential users from other data folders like the MSSQL database folders.

However "c:\" and all system folders have by default read/execute access for the "Users" group.

I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.

Is it normal to leave the server like this?

Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.

These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
0
Comment
Question by:meagord
2 Comments
 
LVL 30

Accepted Solution

by:
Brad Howe earned 500 total points
ID: 38746049
Yes, this is normal. Those permissions are very restrictive and require access thorugh RDP to the server.

Since you are using isolation, I would suggest the following approach;

1. Remove the local accounts from the local USERS Group.
2. Remove Inheritence from the c:\sites\x directories.
3. Remove USERS group permissions
4. Add "local user 1/2/3" permissions as

Read & execute
List folder contents
Read


To explain further, since you do not seem to have any network shares, there is no concern since they cannot RDP or access admin shares (X$).

Hope it helps,
Hades666
0
 

Author Comment

by:meagord
ID: 38750560
Thanks for the reply.

1. Remove the local accounts from the local USERS Group.

Done

2. Remove Inheritence from the c:\sites\x directories.

Done

3. Remove USERS group permissions

From where?

4. Add "local user 1/2/3" permissions as Read & execute List folder contents Read

Again where?


I tried removing the separate web user accounts from the Users group but somehow they still seems to have the same rights as the "Users" group.  I'm wondering if IIS 8 automatically gives them these rights when it joins them to the iis_iusrs group automatically.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question