
Thread: FTP: Possibly a security issue

Last post 10-18-2008 4:58 AM by boen_robot. 8 replies.


  • 10-13-2008, 11:15 AM

    • boen_robot
    • Top 200 Contributor
    • Joined on 07-31-2008, 11:31 AM
    • Plovdiv
    • Posts 28

    FTP: Possibly a security issue

    Hi.

    I have an IIS7 FTP server on which I want to grant access to a certain user group (called FTP_DIRECTORY_USERS). The group in question doesn't have any members just yet and doesn't inherit anything from any other group either.

    I've made the appropriate authorization setting, but when I access the server with a user (let's call it user1) that is not part of this group, I still get access. user1 is only part of another group (FTP_USERS), and is not part of any other group. FTP_USERS are not authorized on any level in IIS (not yet anyway).

    Just for the sake of testing, I tried changing the authorization setting from FTP_DIRECTORY_USERS to Users, and somehow, I still got access. Again, user1 is not part of Users. I tried the same thing with "Administrators" and this time, I wasn't granted access (thank god THAT one didn't work). Removing the allowed rule altogether also eliminates access.

    This authorization process seems broken to me. Is it possible that this is a regression from the latest hotfix (http://support.microsoft.com/kb/955136)? I don't recall having this issue before I installed it.

     [edit] I did a little more research, and I think the cause may be in the IIS7 core or Windows itself... if I create a PHP file that gets launched as user1 (I double checked that this is the user), it runs with the full permissions of the Users group even though it's not part of it (double checked that too). It appears all groups implicitly inherit the rules for the Users group.
    Where should I report security issues like this one anyway?[/edit]

  • 10-14-2008, 7:03 AM In reply to

    Re: FTP: Possibly a security issue

    First, no group implicitly inherits from another. But if you believe you have a reproducible security error, the email is security@microsoft.com.

    Jeff

    Look for Wrox's new book Professional IIS 7 in your local bookstore, or order now at Amazon.com
  • 10-16-2008, 11:19 AM In reply to

    • boen_robot
    • Top 200 Contributor
    • Joined on 07-31-2008, 11:31 AM
    • Plovdiv
    • Posts 28

    Re: FTP: Possibly a security issue

    Thanks for the email link. I'll see what I can do with it.

     And you're right... it's not (exactly) an implicit inheritance, it's more like mirroring. The Users group includes the "Authorized users" built-in security principal, and that principal also includes user1 (i.e. every user also inherits the permissions for "Authorized users" and thus for Users). Removing "Authorized users" results in a "503: Service unavailable" error.

    Looking into IIS's settings shows that this is happening because the user's profile has failed to load. This obviously happens due to insufficient privileges. But here's the new problem... how exactly can I give IIS full control of whatever it needs (say "C:\" and everything in it) without also giving user1 such access? Right now, it seems that, by design, IIS requests all of its stuff as user1, forcing me to give Users (at the very least) reading and executing privileges to "C:\" and its descendants + write access in the "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files" folder.

     BTW, sorry for using the "Publishing" forum for what now appears to obviously be a security discussion. It's just that at first I thought it's just an FTP setting that I have missed or tweaked in a wrong way. To the moderators/administrators - feel free to move this topic into the security forum. It's where it belongs anyway.
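    The post above pins the FTP surprise on the local Users group containing the built-in Authenticated Users principal, which is present in every authenticated logon token. The following is an added example, not part of the thread and not Microsoft's documentation: it sets the FTP authorization rules for a site to allow only the dedicated group and to deny FTP_USERS explicitly, then prints the evidence for the Users/Authenticated Users relationship. It assumes an IIS 7 FTP site named "Default FTP Site" (the thread does not name the site) and the local groups FTP_DIRECTORY_USERS and FTP_USERS from the thread; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): configure and verify FTP authorization
# rules on IIS 7, and show why a rule for "Users" also admits user1.
# Assumption: the FTP site is called "Default FTP Site".
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$site    = "Default FTP Site"
$section = "system.ftpServer/security/authorization"

# Start from an empty rule set for this site so no stale rule for "Users"
# or "*" survives from earlier experiments.
& $appcmd clear config $site "/section:$section" /commit:apphost

# Allow only the dedicated group. FTP authorization matches on the group
# SIDs in the logon token, so an empty group admits nobody: user1, who is
# only in FTP_USERS, matches nothing here.
# (From cmd.exe the same argument is written /+"[accessType='Allow',...]".)
& $appcmd set config $site "-section:$section" `
    "/+[accessType='Allow',roles='FTP_DIRECTORY_USERS',permissions='Read, Write']" /commit:apphost

# Explicit deny for FTP_USERS, the approach the poster settles on later in
# the thread. Deny rules are evaluated ahead of Allow rules, so this holds
# even if a broader Allow rule is added by mistake later.
& $appcmd set config $site "-section:$section" `
    "/+[accessType='Deny',roles='FTP_USERS',permissions='Read, Write']" /commit:apphost

# Show the effective rules for the site (the section Jaroslav asks for).
& $appcmd list config $site "-section:$section"

# Why an Allow rule for "Users" admitted user1: the local Users group lists
# NT AUTHORITY\Authenticated Users as a member, and that principal is in the
# token of every authenticated logon, user1 included.
net localgroup Users

# The same membership is why "Users" ACEs on the file system apply to user1.
# Inspect the root ACL before deciding what to grant or remove.
icacls C:\
```

    The rule check to run afterwards is an FTP login as user1: with the rules above it should be refused, and `appcmd list config` should show only the two rules added here.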

  • 10-16-2008, 12:05 PM In reply to

    • boen_robot
    • Top 200 Contributor
    • Joined on 07-31-2008, 11:31 AM
    • Plovdiv
    • Posts 28

    Re: FTP: Possibly a security issue

    I just tried to send an email to that address and got this error from GMail:

    This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: security@microsoft.com Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 : Recipient address rejected: Access denied (state 14).
    What's that? Microsoft's mail server(s) don't support GMail or do they accept mails only from emails in some sort of white list?
  • 10-16-2008, 12:35 PM In reply to

    Re: FTP: Possibly a security issue

    I'm not sure on the MS address.  I've notified a couple people and hopefully they'll get the message.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 10-16-2008, 3:04 PM In reply to

    Re: FTP: Possibly a security issue

    Let me try to understand your original configuration steps.

    1) You created local Windows Group called FTP_DIRECTORY_USERS. It is empty

    2) You had/created User1 (ordinary user who is member of Users group - since every authenticated user is anyway)

    3) You configured FTP to ONLY allow access to members of FTP_DIRECTORY_USERS group

    4) You logged on to FTP site and were able to get access

    Are these the steps that would describe what you did?  Could I get a copy of your system.ftpServer\authorization section from %windir%\system32\inetsrv\config\applicationhost.config file?

    Jaroslav Dunajsky (MSFT, IIS)
  • 10-16-2008, 5:40 PM In reply to

    • boen_robot
    • Top 200 Contributor
    • Joined on 07-31-2008, 11:31 AM
    • Plovdiv
    • Posts 28

    Re: FTP: Possibly a security issue

    I've made a lot of security related reconfigurations on the server in those few days in an attempt to work around this issue. In particular, I lowered the "Users" permissions as much as I can. In addition, I downloaded the latest updates from yesterday.

    The FTP side of this issue (i.e. the one which occurs with the steps you described) appears to be fixed after those updates. I can no longer duplicate it. It may be from the update, or have something to do with the "permission revision" I did, though I believe it's the former. I'll keep retrying to duplicate it to see what may have gone wrong before.

     However, the execution part of the issue remains. I'm still forced to give user1 read access to "C:\" or at least to the "Windows" and "Program Files" folders even though PHP never accesses them (AFAIK) - only IIS does. Steps for duplication on that part are simply:

    1. Create a new application pool.
    2. Set the application pool to run as user1 and set "Load User Profile" to true (leaving it to false doesn't seem to make PHP run as that user).
    3. Create a new application/site that uses that new application pool.

    From then on, as said already, unless user1 implicitly or explicitly has reading permissions on "C:\" and writing permissions in "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files", you'll get "503: Service Unavailable" because the application pool fails.

    BTW, IIS explicitly complained about a lack of writing permissions, but never really gave out any error messages for the reading ones... so I'm still not sure what folders/files IIS needs access to... and even if I did, I still don't see any reason why user1 should read those things. IIS should read those on its own from another user account.

  • 10-17-2008, 7:37 PM In reply to

    Re: FTP: Possibly a security issue

    Staying with the FTP issue for a bit longer: why are you using the "Users" group to ACL stuff? I thought you had a dedicated Windows group to do that.

    Regarding the other issue:

    You should have access to "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files" granted through the IIS_IUSRS group membership unless you disabled it for the application pool (manualGroupMembership is the name of the application pool property to control that).

    What exactly are you trying to do? It appears that you are trying to make PHP run. If you don't plan to use any managed module (such as the one providing ASP.NET membership-based authentication), then you indeed would not need access to C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files.

    Please try to explain what exactly is the goal of your configuration (not what steps you took but what is the actual scenario you need to make work) and we'll resume from there.

    Thanks for your patience,


    Jaroslav Dunajsky (MSFT, IIS)
  • 10-18-2008, 4:58 AM In reply to

    • boen_robot
    • Top 200 Contributor
    • Joined on 07-31-2008, 11:31 AM
    • Plovdiv
    • Posts 28

    Re: FTP: Possibly a security issue

    I'm using Users because I realized it practically includes everyone, or at least every authenticated user. Following the principle of least privilege, I wouldn't want to give all users permissions they don't need, and it already seems Users have way too much control. For FTP's sake, I guess I could just explicitly deny access to FTP_USERS and get it over with... you know, that's exactly what I'll do. Thanks for the suggestion.

    The scenario is a simple, small scale, web hosting environment: All users can have either their own domain hosted on the server, or have a directory on my domain. If they have their own domain, they also get a DNS zone on the server (by default pointing their domain and all subdomains to this same computer). Regardless of whether they're in a directory or their own domain, they have an FTP account from which they can log in and add data up to a certain quota (1GB, successfully set already). And (this is where the execution problem starts) regardless of whether they're in a domain or a directory, they should be able to execute any scripts they want (ASP.NET and PHP in particular), as long as they can only execute them over their own space. In other words, they need to have full control over their space, and absolutely no access (reading included) over anything else.

    The only place where I was able to see the "manualGroupMembership" setting was in appcmd. Regardless of whether I set it to true or false, the service unavailable error still persists (unless of course I remove the denial on FTP_USERS). I don't use any ASP.NET managed modules as far as I'm aware of, and I certainly don't plan to use any.

    Here's my modules section on my applicationHost.config. I use none of the managed modules, though I'm not sure if I should remove them. I mean "AnonymousIdentification"? This sounds like it would disable any viewing of HTTP pages if I remove it.

                <modules>
                    <add name="HttpCacheModule" lockItem="true" />
                    <add name="DynamicCompressionModule" lockItem="true" />
                    <add name="StaticCompressionModule" lockItem="true" />
                    <add name="DefaultDocumentModule" lockItem="true" />
                    <add name="DirectoryListingModule" lockItem="true" />
                    <add name="IsapiFilterModule" lockItem="true" />
                    <add name="ProtocolSupportModule" lockItem="true" />
                    <add name="HttpRedirectionModule" lockItem="true" />
                    <add name="ServerSideIncludeModule" lockItem="true" />
                    <add name="StaticFileModule" lockItem="true" />
                    <add name="AnonymousAuthenticationModule" lockItem="true" />
                    <add name="CertificateMappingAuthenticationModule" lockItem="true" />
                    <add name="UrlAuthorizationModule" lockItem="true" />
                    <add name="BasicAuthenticationModule" lockItem="true" />
                    <add name="DigestAuthenticationModule" lockItem="true" />
                    <add name="WindowsAuthenticationModule" lockItem="true" />
                    <add name="IISCertificateMappingAuthenticationModule" lockItem="true" />
                    <add name="IpRestrictionModule" lockItem="true" />
                    <add name="RequestFilteringModule" lockItem="true" />
                    <add name="CustomLoggingModule" lockItem="true" />
                    <add name="CustomErrorModule" lockItem="true" />
                    <add name="IsapiModule" lockItem="true" />
                    <add name="HttpLoggingModule" lockItem="true" />
                    <add name="FailedRequestsTracingModule" lockItem="true" />
                    <add name="CgiModule" lockItem="true" />
                    <add name="FastCgiModule" lockItem="true" />
                    <add name="ConfigurationValidationModule" lockItem="true" />
                    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
                    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="managedHandler" />
                    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
                    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
                    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" preCondition="managedHandler" />
                    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />
                    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" preCondition="managedHandler" />
                    <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" preCondition="managedHandler" />
                    <add name="Profile" type="System.Web.Profile.ProfileModule" preCondition="managedHandler" />
                    <add name="UrlMappingsModule" type="System.Web.UrlMappingsModule" preCondition="managedHandler" />
                    <add name="PlaylistHandler" />
                    <add name="WebPlaylistSession" type="Microsoft.Web.Media.Playlist.SessionHelperModule, Microsoft.Web.Media.Playlist.SessionHelper, Version=1.0.0.000, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
                    <add name="BitrateModule" preCondition="bitness64" />
                    <add name="BitrateModule32" preCondition="bitness32" />
                    <add name="RewriteModule" />
                </modules>
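    The scenario described in the last post (each tenant runs its own scripts, with full control of its own space and no access to anything else) together with the earlier reproduction steps (app pool running as user1, "Load User Profile" on) and Jaroslav's note on IIS_IUSRS and manualGroupMembership amount to a per-tenant provisioning procedure. The script below is an added example, not from the thread and not Microsoft's code, that carries that procedure out for one tenant on IIS 7. Assumed names not in the thread: tenant "user1", hosting root "D:\Hosting", host name "user1.example", and a shared FTP site named "Hosting FTP" rooted at D:\Hosting with user isolation set to IsolateAllDirectories (so each login is confined to <root>\LocalUser\<user>). The password is read interactively. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): provision one hosting tenant on IIS 7.
# The tenant's own local account runs the application pool, has full control
# of its own directory, and is granted nothing else by this script.
# Assumed: tenant name, hosting root, host name and FTP site name below.
param(
    [string]$Tenant      = "user1",
    [string]$HostingRoot = "D:\Hosting",
    [string]$HostName    = "user1.example",
    [string]$FtpSite     = "Hosting FTP"
)
$appcmd    = "$env:windir\system32\inetsrv\appcmd.exe"
$tenantDir = Join-Path $HostingRoot "LocalUser\$Tenant"   # matches FTP user isolation
$pw        = (Get-Credential $Tenant).GetNetworkCredential().Password

# 1. Local account for the tenant, created through ADSI so the password is not
#    exposed on a command line the way "net user <name> <password> /add" would.
#    Assumes the account does not exist yet.
$machine = [ADSI]"WinNT://$env:COMPUTERNAME"
$acct    = $machine.Create("User", $Tenant)
$acct.SetPassword($pw)
$acct.SetInfo()

# 2. Tenant directory. Inheritance is removed so the parent's ACEs (including
#    the Users/Authenticated Users read rights discussed in the thread) do not
#    flow in; then only the tenant, SYSTEM and Administrators get ACEs. Other
#    tenants' accounts have no ACE here, so their worker processes cannot read
#    this tree. (${Tenant} is braced so PowerShell does not read "user1:" as a
#    drive qualifier.)
New-Item -ItemType Directory -Path $tenantDir -Force | Out-Null
icacls $tenantDir /inheritance:r /grant "${Tenant}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"

# 3. Application pool running as the tenant, with loadUserProfile on as the
#    poster found necessary. manualGroupMembership is left at its default
#    (false), so IIS still adds IIS_IUSRS to the worker process token; that
#    membership is what grants the Temporary ASP.NET Files access Jaroslav
#    mentions, so no tenant-specific ACE is needed there.
& $appcmd add apppool "/name:$Tenant"
& $appcmd set apppool $Tenant /processModel.identityType:SpecificUser `
    "/processModel.userName:$Tenant" "/processModel.password:$pw" `
    /processModel.loadUserProfile:true

# 4. Web site bound to the tenant's host name, served from the tenant
#    directory by the tenant's pool.
& $appcmd add site "/name:$Tenant" "/bindings:http/*:80:$HostName" "/physicalPath:$tenantDir"
& $appcmd set app "$Tenant/" "/applicationPool:$Tenant"

# 5. FTP: one Allow rule on the shared FTP site naming this user alone.
#    With IsolateAllDirectories the FTP service confines the login to
#    <root>\LocalUser\<user>, the same directory the pool serves.
& $appcmd set config $FtpSite "-section:system.ftpServer/security/authorization" `
    "/+[accessType='Allow',users='$Tenant',permissions='Read, Write']" /commit:apphost

# 6. Checks. Note what this script does NOT change: the account still carries
#    Authenticated Users (and so Users) in its token, so it keeps whatever
#    Users holds on C:\. The thread reports the pool fails with 503 when that
#    read/execute access is removed, so it is left in place here.
icacls $tenantDir
& $appcmd list apppool $Tenant /config
& $appcmd list config $FtpSite "-section:system.ftpServer/security/authorization"
```

    After running it, the checks a practitioner would add are a request to http://user1.example/ (served by a w3wp.exe whose user name in Task Manager is the tenant account) and an attempt, from a second tenant's script, to read a file under D:\Hosting\LocalUser\user1, which the ACL in step 2 should refuse.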
Microsoft Communities