
Thread: IUSR_SERVER Write permissions unacceptable?

Last post 11-21-2007 8:40 AM by tomkmvp. 3 replies.


  • 11-20-2007, 3:06 PM

    • rlang
    • Not Ranked
    • Joined on 11-20-2007, 7:35 PM
    • Posts 1

    IUSR_SERVER Write permissions unacceptable?

    I've read in a number of articles that giving IUSR_SERVER write permissions creates a huge security risk.

    I'm working with a databaseless CMS using ASP/VBScript that needs IUSR set to read/write in order to function. Is there a way to allow the CMS to modify files without creating a security hole? I'm running IIS 6.0.

    Thanks in advance.

  • 11-20-2007, 5:58 PM In reply to

    Re: IUSR_SERVER Write permissions unacceptable?

    While giving IUSR write/modify permissions is not inherently a security risk in and of itself, it's more an issue on what you give it these permissions to. IUSR is typically the anonymous user login that IIS uses when your clients browse to your website.

    If you have code within some of your websites that involves uploading files (even if temporary), you will need to make sure that the web service responsible for this function call has the allowed settings to perform the action; sometimes this is ASPNET, Network Service, sometimes IUSR... all depending on how the code was designed.

    While you could technically give service names such as ASPNET, Network Service, or even the IUSR account control over the wwwroot, this could indeed potentially pose a security risk to your website and allow an unauthorized user to make changes to your files. When dealing with NTFS permissions in a Web environment, you typically want to make sure you only provide what is needed, and nothing more.

    If possible, you may want to see if you can place the pages that contain these read/write calls behind a section of your site that requires a login process. At the very least, try to identify which specific folders (or files) will need to be modified and assign the elevated permissions only to those.

    Nathan S.
    Enterhost Support Team
    www.enterhost.com
  • 11-20-2007, 10:05 PM In reply to

    • Testius
    • Top 100 Contributor
    • Joined on 11-21-2006, 2:56 AM
    • Posts 59

    Re: IUSR_SERVER Write permissions unacceptable?

    Hi rlang,

    The biggest security risk of giving the IUSR_computername account write or modify permissions to content is experienced in Shared Hosting or when you run multiple websites on the same server.

    Basically, if you give the IUSR_computername account write or modify permissions to content then every other website on that server configured to run as IUSR_computername (all sites by default) will also have write or modify permissions to that content, which is of course not good.

    It is Microsoft's recommendation that you use a unique anonymous user for each website; this reduces the risk associated with this and you can even restrict permissions so that one website's anonymous user can't even view the content of another.

    However, there is always the risk that your website could be compromised and if write or modify access is given to the anonymous user then the attacker is able to modify the content of the website.

    I hope this helps.

    Cheers,
    Liam 

  • 11-21-2007, 8:40 AM In reply to

    • tomkmvp
    • Top 10 Contributor
    • Joined on 03-20-2003, 6:27 AM
    • Central NJ
    • Posts 6,235
    • IIS MVPs

    Re: IUSR_SERVER Write permissions unacceptable?

    Since it's a CMS type system, would you want to allow just anyone to write files?  There must be some type of logon involved so only authorized users have this capability.
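
One way to check the advice given in this thread (grant write access only on the specific folders that need it), as an added example that is not part of any post: a PowerShell audit that lists every folder under a web root where the anonymous account holds write-type rights and marks those outside an expected list. The web root, the account name and the list of writable folders are placeholder assumptions.

```powershell
# Added example. Web root, account name and allow-list are placeholders.
param(
    [string]$WebRoot    = 'C:\Inetpub\wwwroot',
    [string]$Account    = 'SERVER\IUSR_SERVER',
    [string[]]$Writable = @('C:\Inetpub\wwwroot\cms\data')  # folders the CMS must modify
)

# Rights that let the account change content, plus the raw GENERIC_WRITE and
# GENERIC_ALL bits, which Get-Acl reports as bare numbers rather than names.
$named = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask  = [int]$named -bor 0x40000000 -bor 0x10000000

function Test-ExpectedWritable([string]$Path) {
    foreach ($w in $Writable) {
        $w = $w.TrimEnd('\')
        if ($Path -eq $w -or
            $Path.StartsWith("$w\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# The root itself plus every subfolder (PSIsContainer works on old PowerShell too).
$dirs = @(Get-Item -LiteralPath $WebRoot) +
        @(Get-ChildItem -LiteralPath $WebRoot -Recurse | Where-Object { $_.PSIsContainer })

foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        # Only direct Allow entries for the account are checked; rights that
        # reach it through a group such as Everyone are not evaluated here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        New-Object PSObject -Property @{
            Folder    = $dir.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Expected  = Test-ExpectedWritable $dir.FullName
        } | Select-Object Folder, Rights, Inherited, Expected
    }
}
```

Rows where Expected is False are the grants to review; rows where Inherited is True point to a permission set higher up the tree.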
