hi ng!

I have a windows 2003 server with iis 6 running, and i wonder, how to make
it possible, that scripts (asp, php, perl and so on) can not access the
folders above the directory, the website is stored in.

e.g. my website is stored in: d:\inetpub\www.website.org

a php-script i've written can access d:\inetpub\testfile.txt

--> i don't want this.

does anybody know, how to fix this WITHOUT setting ntfs-permissions?

thanks for help
wogri
--
wogri@wogri.at
www.wogri.at

Re: iis 6 - prevent asp, php and perl scripts to read other directories by paul_lynch67

paul_lynch67
Thu Jul 10 08:32:44 CDT 2003

Wolfgang,

NTFS file permissions are the best mechanism for enforcing security on
your server. They are, in effect, the cornerstone of security in NT
based systems. Any other method is simply not guaranteed to be secure.
See this KB article for more information :

HOW TO: Use NTFS Security to Protect a Web Page Running on IIS 4.0 or
5.0
http://support.microsoft.com/?id=299970

Regards,

Paul Lynch
MCSE

Wolfgang Hennerbichler <wogri@wogri.at> wrote in message news:<3f0d3ec4$0$48606$91cee783@newsreader02.highway.telekom.at>...
> hi ng!
>
> I have a windows 2003 server with iis 6 running, and i wonder, how to make
> it possible, that scripts (asp, php, perl and so on) can not access the
> folders above the directory, the website is stored in.
>
> e.g. my website is stored in: d:\inetpub\www.website.org
>
> a php-script i've written can access d:\inetpub\testfile.txt
>
> --> i don't want this.
>
> does anybody know, how to fix this WITHOUT setting ntfs-permissions?
>
> thanks for help
> wogri

Re: iis 6 - prevent asp, php and perl scripts to read other directories by Wolfgang

Wolfgang
Thu Jul 10 10:09:46 CDT 2003

Paul Lynch wrote:

> Wolfgang,
>
> NTFS file permissions are the best mechanism for enforcing security on
> your server. They are, in effect, the cornerstone of security in NT
> based systems. Any other method is simply not guaranteed to be secure.
> See this KB article for more information :

thanks, paul!

You're quite right in what you say.
thank you!

wogri

Re: iis 6 - prevent asp, php and perl scripts to read other directories by David

David
Thu Jul 10 21:05:44 CDT 2003

The best way to achieve this sort of isolation on IIS6 is to:
0. Suppose you have two users, coke and pepsi, whose files are top secret
relative to each other.
1. You should physically ACL coke and pepsi files to "coke_user" and
"pepsi_user", respectively
2. You should create two AppPools, coke_apppool and pepsi_apppool.
3. You should set AppPoolId of coke_apppool to coke_user and pepsi_apppool
to pepsi_user
4. You should create two websites, "coke_web" and "pepsi_web", and make
coke_web use coke_apppool while pepsi_web uses pepsi_apppool.
5. You can enable Anonymous auth and set "coke_web" to use "coke_user" as
its anonymous user, and "pepsi_web" to use "pepsi_user" as its anonymous
user.

Now, making a request to the coke website will result in coke_user being
used on the server to serve files... and it's impossible for coke_user on
the server to access any pepsi files because it doesn't have ACLs to them.

There's a couple more steps to do for the security zealot to truly isolate
these two websites, but you get the picture.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Wolfgang Hennerbichler" <wogri@wogri.at> wrote in message
news:3f0d3ec4$0$48606$91cee783@newsreader02.highway.telekom.at...
hi ng!

I have a windows 2003 server with iis 6 running, and i wonder, how to make
it possible, that scripts (asp, php, perl and so on) can not access the
folders above the directory, the website is stored in.

e.g. my website is stored in: d:\inetpub\www.website.org

a php-script i've written can access d:\inetpub\testfile.txt

--> i don't want this.

does anybody know, how to fix this WITHOUT setting ntfs-permissions?

thanks for help
wogri
--
wogri@wogri.at
www.wogri.at
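
David's steps 1 to 5, written out as a batch script for one tenant; this is an added example and not part of the thread. It assumes the web site already exists (pass its numeric metabase identifier), that the tenant's content lives under the hypothetical path D:\sites\<tenant>, and that adsutil.vbs is in its default AdminScripts location. The IIS_WPG membership is an IIS 6 requirement for custom pool identities that the post does not spell out.

```bat
@echo off
rem Added example, not from the thread. Run once per tenant, e.g. for coke and for pepsi:
rem   isolate.cmd <tenant> <password> <site-id>
rem <site-id> is the numeric identifier of the tenant's existing web site.
setlocal
if "%~3"=="" (echo usage: %~nx0 tenant password site-id & exit /b 1)
set TENANT=%~1
set PASS=%~2
set SITEID=%~3
rem Assumed layout: each tenant's content sits in its own folder.
set ROOT=D:\sites\%TENANT%
set ADSUTIL=cscript //nologo "%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"

rem Steps 0-1: one Windows account per tenant, and an ACL naming only that tenant.
net user %TENANT%_user "%PASS%" /add || exit /b 1
rem IIS 6 worker-process identities must be members of IIS_WPG.
net localgroup IIS_WPG %TENANT%_user /add || exit /b 1
rem cacls /G without /E replaces the whole ACL, so no other tenant account
rem (and no Users/Everyone entry) is left on the tree. "echo y" answers the prompt.
echo y| cacls "%ROOT%" /T /G Administrators:F SYSTEM:F %TENANT%_user:R || exit /b 1

rem Steps 2-3: a dedicated application pool running as the tenant account.
rem AppPoolIdentityType 3 means "specific user" (WamUserName/WamUserPass).
%ADSUTIL% CREATE W3SVC/AppPools/%TENANT%_apppool IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%TENANT%_apppool/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%TENANT%_apppool/WamUserName %TENANT%_user
%ADSUTIL% SET W3SVC/AppPools/%TENANT%_apppool/WamUserPass "%PASS%"

rem Step 4: bind the tenant's site to its own pool.
%ADSUTIL% SET W3SVC/%SITEID%/Root/AppPoolId %TENANT%_apppool

rem Step 5: anonymous requests to this site also run as the tenant account.
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserName %TENANT%_user
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserPass "%PASS%"

rem Check: the listing should show only Administrators, SYSTEM and %TENANT%_user.
cacls "%ROOT%"
endlocal
```

The same ACL replacement has to be applied to any shared parent folder (such as d:\inetpub in the original question) so that neither tenant account can read files placed there.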