
I'm not a web-app guy but I'm the only one at my work that raised any objections about giving full permissions to the (anonymous) INETUSER account for the purposes of running an ASP.NET web-app in IIS. That's read, write, execute, special permissions, etc, for a webapp that reads (the db connection is read-only) from a SQL database. I'm thinking that this might not be the smartest choice for keeping the server secure.

Because I said, "hey, this might be a terrible idea," I was asked to do a risk assessment. Like I said, I basically have no knowledge of ASP.NET or web apps in general, but without knowing intimate details of the setup, can you guys tell me what kinds of issues I should be looking at here?

I'm a bit scared to give the anonymous internet user account FULL Permissions for the wwwroot\ directory.

Thanks for any help; I'm just looking for the big-ticket problems that are apparent to those more educated than me.

Any ideas?

Dave C.

3 Answers

Presumably, you are giving the INETUSER account write access because you have some mechanism to write/upload to wwwroot. The threat I see is the possibility of the user uploading arbitrary code (new .aspx files, .dlls) to the server, which would grant them the ability to do anything.

foson

If you absolutely have to give write permissions to the IIS user (e.g. for an "uploads" directory), then make sure it is a directory outside the root of the webserver. This would help mitigate the risk, since it ensures that whatever is uploaded cannot be subsequently served by IIS.

i.e. if you have to have an uploads directory, put it here:

c:\inetpub\uploads

not here

c:\inetpub\wwwroot

otherwise, what foson said.

You might also consider not giving Execute permissions, just write/modify.

tomfanning
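The two answers above boil down to one NTFS rule set: the anonymous identity gets read/execute on the web root and nothing more, and any writable directory lives outside the web root and carries no execute right. The following PowerShell script is an added example, not code from this thread or from Microsoft; it applies that rule set and then audits the result so the remaining grants can go into the risk assessment. It assumes the anonymous account is `IUSR` (the built-in identity on IIS 7 and later; on IIS 6 it is `IUSR_<MACHINENAME>`, and the question's `INETUSER` should be substituted if that is the real name), that the paths are the ones named in the answers, and that it runs from an elevated PowerShell session on the web server.

```powershell
# Added example: set and audit NTFS ACLs for the IIS anonymous identity.
# Assumptions: anonymous account is IUSR (IIS 7+; IUSR_<MACHINENAME> on IIS 6),
# paths are those named in the thread, session is elevated on the web server.
param(
    [string]$AnonUser  = 'IUSR',                # assumption: use your site's anonymous identity
    [string]$WebRoot   = 'C:\inetpub\wwwroot',
    [string]$UploadDir = 'C:\inetpub\uploads'   # outside the web root, so IIS never serves it
)

$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function Set-WebIdentityAcl {
    # Replace every explicit ACE for $Identity on $Path with one Allow ACE that
    # carries exactly $AllowRights. Inherited ACEs cannot be removed here; they
    # are reported by Test-WebIdentityAcl and must be fixed on the parent folder.
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$AllowRights
    )
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Identity" })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $AllowRights, $Inherit, $Propagate, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-WebIdentityAcl {
    # Summarise what $Identity can do on $Path, flagging the grants the thread
    # warns about: Full Control anywhere, write or execute where it should not be.
    param([string]$Path, [string]$Identity)
    $fc = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $wr = [int][System.Security.AccessControl.FileSystemRights]::Write
    $ex = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike "*\$Identity") { continue }
        $r = [int]$ace.FileSystemRights
        # Parentheses matter: PowerShell binds -eq tighter than -band.
        [pscustomobject]@{
            Path        = $Path
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            Rights      = $ace.FileSystemRights
            FullControl = (($r -band $fc) -eq $fc)
            CanWrite    = (($r -band $wr) -ne 0)
            CanExecute  = (($r -band $ex) -ne 0)
        }
    }
}

# Web root: read and traverse only. A writable web root is what lets anyone who
# finds an upload path drop a new .aspx or .dll that IIS will then run.
Set-WebIdentityAcl -Path $WebRoot   -Identity $AnonUser -AllowRights 'ReadAndExecute'
# Uploads directory: write but no ExecuteFile, and kept outside the web root.
Set-WebIdentityAcl -Path $UploadDir -Identity $AnonUser -AllowRights 'Read, Write, Delete'

# Whatever is left that is Full Control, or writable on the web root, or
# executable in the uploads directory, is a finding for the risk assessment.
Test-WebIdentityAcl -Path $WebRoot   -Identity $AnonUser |
    Where-Object { $_.FullControl -or $_.CanWrite }   | Format-Table -AutoSize
Test-WebIdentityAcl -Path $UploadDir -Identity $AnonUser |
    Where-Object { $_.FullControl -or $_.CanExecute } | Format-Table -AutoSize
```

Two caveats when reading the output. Rows with `Inherited = True` come from `C:\inetpub` or higher and will not change until the parent's ACL is corrected or inheritance is broken on the folder. And the NTFS `ExecuteFile` right is not the same thing as the IIS "Execute"/script handler permission on a virtual directory; this script only covers the file system side, so the IIS-side setting for the uploads location still needs to be checked separately.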

The article Secure Content in IIS Through File System ACLs could be of interest to you. You should highlight "Avoid full control, and use more granular read/write permissions."

You can also refer to IIS 6.0 Security Best Practices (IIS 6.0) and Security in IIS 6.0.

Vivek Kumbhar
  • much appreciated. thank you as well. I read the "best practices" page last week, which is actually what prompted me to post this question -- the web-app REQUIRES full permissions, which breaks all those "best practice" rules. – Dave C. Nov 16 '10 at 18:00