OK, pretty sure this is permissions, so I did a base install on a VMWare image. Below is the process I've taken and my conclusions so far. My hope is that this helps someone else who may be trying to harden their IIS box rather than take the default…
Installed Base 2K3 std SP2
Installed IIS, defaults.
Moved IIS root to E:\webroot
Installed PHP to E:\php (just unzipped v5.2.6 to folder)
- Added E:\php to beginning of system PATH env. var.
- Added registry entries:
HKLM\Software\PHP\InstallDir "E:\php\"
HKLM\Software\PHP\IniFileDir "E:\php\"
- Copied php.ini-recommended to php.ini
- created folders and updated appropriate php.ini entries:
E:\php\session
E:\php\logs
*php.ini section is E:\php\logs\phperror.log
- updated extensions dir in php.ini to E:\php\ext
- NOTE: I did not copy any files outside of the PHP directory.
I did not create the PHPRC env. variable
Created files:
C:\webroot\info.php just <?php phpinfo(); ?>
C:\webroot\testdb.php (ripped code from a forum, sorry I don't remember author/URL)
<?PHP
// Connect to the local MySQL server; '@' suppresses PHP's own warning so the
// message below is the only output on failure.
$rst = @mysql_connect("localhost", "userid", "password");
if (!$rst) {
    echo("<p>Unable to connect to database manager.</p>");
    die('Could not connect: ' . mysql_error());   // die() already ends the script
} else {
    echo("<p>Successfully Connected to MySQL Database Manager!</p>");
}
// Select the schema created for this test; fails if the grant was not applied.
if (!@mysql_select_db("mySchema")) {
    echo("<p>Unable to connect database...</p>");
    exit();
} else {
    echo("<p>Successfully Connected to Database 'mySchema'!</p>");
}
?>
C:\webroot\wizard.php (this is the test-your-server script offered by www.expressionengine.com
to verify your system is ready for their product.)
Verified scripts worked (MySQL tests failed with Socket (5) errors). PHP log file would not be created.
- pre-created c:\php\logs\phperror.log
- retested, but no change.
- granted IUSR_ full priv's, log still updated.
- removed all but Write/Append, it now updates properly, but write priv's are required.
Installed MySQL v5.0.51b
- Server Mode, non-strict, Transactional, had bin added to env. var. PATH (defaults on rest).
- E:\mysql
Installed MySQL tools v5.0-r12
- E:\mysql\tools
Installed ImageMagick v6.4.1.1-Q16 (non-static)
- E:\subfolder\IM
Using MySQL Administrator:
- created schema 'mySchema'
- created user 'userid'
- created localhost for userid
- granted SELECT, INSERT, UPDATE, DELETE, DROP, ALTER, CREATE and Grant to userid@localhost for mySchema
Uncommented following extensions:
- php_bz2.dll
- php_gd2.dll
- php_gettext.dll
- php_mcrypt.dll
- php_mime_magic.dll
- php_mysql.dll
- php_smtp.dll
- php_zip.dll
Tested the 3 .php files:
- info.php "OK"
- testdb.php "OK"
- Wizard.php "all supported except for URL Segment and Built-in Spellchecker"
- Wizard.php database check "OK"
Base permissions:
Users: 3 special perms to all base drives:
Read Execute on This folder, subfolders and files
Create Folders/Append on This folder and subfolders
Create Files/Append on Subfolders only
* These are on %systemdrive%, %systemroot%, %systemroot%\system32 and E:
** systemroot does not inherit from drive and system32 does not inherit from systemroot,
but they have the same explicit ACLs
Administrators: Full on all
Everyone: Root of drive only, Read/Execute that folder only.
System: Full on all
Creator Owner: Full on subfolders and files only
Removed Everyone from C: (read/Exec. This folder only), no change.
Removed Everyone from E: (read/Exec. This folder only), no change.
Removed Interactive and Authenticated from Users group, broke web, mysql access
(no change actually until I restarted IIS. So assume from now on that I restarted IIS
after each change)
Removed Interactive from Users group, no change.
Denied IUSR_ account to C:, no change (note, none of the default directories on C: inherit this).
Removed Authenticated from Users group, broke web access, mysql access.
* NOTE: I want to do this as eventually my production system will be in a domain environment
as a stand-alone domain server. If Authenticated Users group is allowed,
then any user in the domain can gain user access to whatever the User group
has access to. By removing it and then only adding the Domain Users/Groups
I choose, I gain tighter control of my server content.
Created group Web-read, added IUSR account, granted Read/Execute on E: and all sub folders.
(can now view info.php
get Socket (5) error from MySQL connect test.php
lose ExpressionEngine (EE) Wizard.php 1 option for Ping and TraceBack
EE Wizard.php fails DB check - will refer to this as a 'Partial breakdown' from here on out)
Added Network Service to Web-read group, no change.
Added IWAM_ user to Web-read group, no change.
Added Service to Web-Read, no change.
**Note: e:\php\phperror.log is still being appended to, so it's proved that IUSR_ MUST have at least Write priv's.
Added Web-Read to C:\windows, no change.
Added Web-Read to C:\windows\system32 (does not inherit C:\windows permissions),
Added Authenticated to Web-Read, no change.
Removed Authenticated from web-Read and re-added to Users just to check, "OK on All"
(remember I restart IIS after each)
Removed Authenticated from Users.
*This time, instead of restarting IIS, I just recycled the DefaultApplication pool.
- Now I'm back to only the PHP.info working, Wizard.php loses Ping/trace support.
Added IUSR_, IWAM_, Network Service, Service accounts to the Users group, "OK on ALL"
Removed Service account from Users group, "OK on ALL"
Removed IUSR_ from Users group, "back to partial broke"
Readded IUSR_ and removed IWAM from users group, "OK on ALL"
Removed Service account from Web-Read, "OK on ALL"
Removed Network Service account from Web-Read, "OK on ALL"
Removed IWAM_ from Web-read, "OK on ALL"
Removed Web-read as it's basically nulled, "OK on ALL"
** So basically we've proven that none of those other accounts need explicit
read/write access (whether they get it implicitly some other way is another question;
some are in the IIS_WPG group, but I cannot find any explicit rights granted to any
folder for this group). IUSR_ basically has read/write access to all parts of my
system, which I do not want. So I will start explicitly
denying write access for IUSR_ to various directories to override its "write priv's"
from being in the Users group.
Denied IUSR_ %program files% (all sub folders inherit), "OK on ALL"
Denied IUSR_ %systemroot%, "OK on ALL"
Denied IUSR_ %systemroot%\system32, "OK on ALL"
Denied IUSR_ e:\mysql, "OK on ALL"
* Restarted mysql service just to make sure on that as well
Denied IUSR_ e:\php, "ALL Broke"
Reset to just Deny write to e:\php to IUSR_, "OK on ALL"
** So now, on E: at least, we have explicit deny Write rights on all folders, with only read/execute
on e:\webroot and e:\php (explicit write rights given on e:\php\logs\phperror.log)
Removed IUSR_ from Users group, "back to partial breakdown"
Re-added IUSR_ to Users group, but removed Users group priv's from E:, this broke everything.
Added IUSR_ to E: with same as previous 3 special Users group perms, everything still broke.
Removed IUSR_ from E: and added back the 3 special Users group, Everything works.
!! This doesn't make sense to me.
Denied Users group write priv's to E:, "OK on ALL"
So this seems to indicate to me that the Users group has a special "user security/policy
right assignment", similar to a 'log on as batch job' type requirement, in order to create a socket.
So my theory now is, if I can identify the policy right(s), I can grant it to the IUSR_ account and remove it from the Users group.
I'm out of time at the moment. I'll try to investigate this soon.