Help... going to explode!

TheMSsForum.com: The Microsoft Software Forum

Hi there,

I recently upgraded to Vista (fresh install) as I was using XP Pro. Moved
my web pages to Vista and am trying to get write permission set to a
directory on my site hosted by IIS7 on my system. (http://RadioXex.ca) On XP
all I had to do in IIS Manager was to right-click on the directory and set
write permission. I need to write to a file called DB.MDB in that directory.
(It's from a tracker called MetaTraffic that tracks site traffic).

I tried setting permissions directly (from outside IIS7 Manager) by going to
the directory on my hard drive and going to the folder > properties >
security and adding a IUSR and IIS_ISURS user with "full control" checked.
This didn't help. (My website has it's own directory on my computer. i'e'.
c:\websites\RadioXex I'm not sure if this info helps.)

I need to do this to another directory within my site so my php code can
create images there, so it too needs write permissions.

Any suggestions? I've tried searching the web. I'm really confused now.
Top

Re: Help... going to explode! by David

David
Tue Feb 20 02:30:56 CST 2007

The correct user identity depends on server configuration. It is not
automatically some given user account no matter what you find on the
Internet because that's just wrong.

Since IIS7 is componentized and you can completely reconfigure the
server to behave with any authentication behavior, it is critical for
you to identify what components you have installed and what
Authentication settings are active for the URL in question.

You can use File Monitor from sysinternals.com to determine what user
identity is attempting to write to your file, and give that user
identity permissions.

Or you can identify the authentication protocol active for your IIS7
configuration and then determine which user identity it authenticated,
and if it impersonates, which identity or the process identity.

IUSR and IIS_IUSRS are only some of the default values for some of the
above mentioned identities, but they are not the only choices and you
can customize it all -- so you really need to identify what you
configured.

Or you can go the pragmatic route with File Monitor without knowing
anything else, for good or for bad.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 19, 6:29 pm, "Prometheus Xex" <nos...@me.com> wrote:
> Hi there,
>
> I recently upgraded to Vista (fresh install) as I was using XP Pro. Moved
> my web pages to Vista and am trying to get write permission set to a
> directory on my site hosted by IIS7 on my system. (http://RadioXex.ca) On XP
> all I had to do in IIS Manager was to right-click on the directory and set
> write permission. I need to write to a file called DB.MDB in that directory.
> (It's from a tracker called MetaTraffic that tracks site traffic).
>
> I tried setting permissions directly (from outside IIS7 Manager) by going to
> the directory on my hard drive and going to the folder > properties >
> security and adding a IUSR and IIS_ISURS user with "full control" checked.
> This didn't help. (My website has it's own directory on my computer. i'e'.
> c:\websites\RadioXex I'm not sure if this info helps.)
>
> I need to do this to another directory within my site so my php code can
> create images there, so it too needs write permissions.
>
> Any suggestions? I've tried searching the web. I'm really confused now.

Top

Re: Help... going to explode! by Prometheus

Prometheus
Tue Feb 20 05:53:39 CST 2007

I guess in my case, I need to allow any user surfing from the web (no need
to sign in). Whomever is visiting each page, that page intern calls a small
script which "talks" to MetaTraffic (also on my site) to log user activity.
MetaTraffic updates/writes this info to a .MDB file in it's directory. So
the file or the directory itself needs to allow write priveliges no matter
who is surfing my site. I'm not clear on what action to take by altering the
server to allow this. The older IIS on XP was far simpler compared to
Vista's IIS.

- Francis

"David Wang" <w3.4you@gmail.com> wrote in message
news:1171960256.637942.248790@a75g2000cwd.googlegroups.com...
> The correct user identity depends on server configuration. It is not
> automatically some given user account no matter what you find on the
> Internet because that's just wrong.
>

Top

Re: Help... going to explode! by David

David
Wed Feb 21 11:39:55 CST 2007

True, the older IIS on XP was far simpler. It was also as insecure as
swiss cheese even though because it ran as LocalSystem.

So yes, it could do anything without getting denied access --
including being hacked. Security requirements has changed from those
simpler times and threats are now directed at you, so you can either
learn to cope with it or get violated -- your choice whether you want
to defend yourself.

For example, XP allowed anyone to modify your files by default. IIS7
does not allow anyone to modify your files by default. You tell me
which approach is more secure, which is "easier", and which makes more
sense.

In your case, you want to enable Anonymous authentication and make
sure the configured anonymous user identity (whatever you have chosen)
has read/write NTFS ACLs to the resources in question (such as the MDB
file). If your application uses the process identity, make sure that
has read/write NTFS ACLs to the resources in question. Of course, if
you "don't know", you can use the pragmatic approach of File Monitory
from sysinternals.com to figure it out.

The steps you need to do are actually exactly the same on IIS7/Vista
as IIS5.1/XP for this task.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//






On Feb 20, 3:53 am, "Prometheus Xex" <nos...@me.com> wrote:
> I guess in my case, I need to allow any user surfing from the web (no need
> to sign in). Whomever is visiting each page, that page intern calls a small
> script which "talks" to MetaTraffic (also on my site) to log user activity.
> MetaTraffic updates/writes this info to a .MDB file in it's directory. So
> the file or the directory itself needs to allow write priveliges no matter
> who is surfing my site. I'm not clear on what action to take by altering the
> server to allow this. The older IIS on XP was far simpler compared to
> Vista's IIS.
>
> - Francis
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1171960256.637942.248790@a75g2000cwd.googlegroups.com...
>
>
>
> > The correct user identity depends on server configuration. It is not
> > automatically some given user account no matter what you find on the
> > Internet because that's just wrong.- Hide quoted text -
>
> - Show quoted text -


Top

Re: Help... going to explode! by Prometheus

Prometheus
Wed Feb 21 12:30:34 CST 2007

Thanks for the reply. This website of mine is a hobby and I've no formal
training whatsoever with IIS, so this becomes a problem for me as now IIS7's
many new features/restrictions are a far leap forward than what I was
accustomed to. No in-between steps to help me grow with the product.


"David Wang" <w3.4you@gmail.com> wrote in message
news:1172079594.857032.150660@q2g2000cwa.googlegroups.com...
> True, the older IIS on XP was far simpler. It was also as insecure as
> swiss cheese even though because it ran as LocalSystem.
>
> So yes, it could do anything without getting denied access --


Top

Re: Help... going to explode! by David

David
Wed Feb 21 14:16:46 CST 2007

I'm sorry that you feel overwhelmed by IIS7's changes. Many people are
actually saying "it's about time that IIS is updated to have these
features!", so it is hard to compromise between everyone.

For the most part, IIS behaviors and configuration remained exactly
the same. Except where OS security or IIS security/functionality has
improved/altered. Unfortunately, that list is simply hard to enumerate
at a sufficient detail yet remain useful for users.

Information Technology is simply evolving faster than other things
like Automobiles. It's just a hard and unfortunate reality that there
are no in-between steps.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 21, 10:30 am, "Prometheus Xex" <a...@def.com> wrote:
> Thanks for the reply. This website of mine is a hobby and I've no formal
> training whatsoever with IIS, so this becomes a problem for me as now IIS7's
> many new features/restrictions are a far leap forward than what I was
> accustomed to. No in-between steps to help me grow with the product.
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1172079594.857032.150660@q2g2000cwa.googlegroups.com...
>
>
>
> > True, the older IIS on XP was far simpler. It was also as insecure as
> > swiss cheese even though because it ran as LocalSystem.
>
> > So yes, it could do anything without getting denied access --- Hide quoted text -
>
> - Show quoted text -


Top