I'm running a Windows 2012 server with IIS 8 installed.
I have a PHP script which complains about not having write permission on a specific folder.
If I grant permissions to this IUSR user, it works just fine,
but I don't know if this is the right way to do it or if it is secure.
I read about the IUSR & there was tons of description about this user being for anonymous authentication; I just didn't understand if there were any risks in giving full permission to it.
So I stopped the work & thought it would be wise to get some advice from experts first.
Which user should I grant permissions to?
Thanks!

Sam

1 Answer


All object access in Windows NT-based operating systems is performed under the context of a user account. When anonymous users access your website, IIS accesses files and scripts under the IUSR_machinename user account. This user account has very limited rights and serves to compartmentalize the anonymous access.

The authentication functionality in IIS allows remote users to authenticate such that IIS will "impersonate" their Windows user account and access files and scripts under their user account's context rather than the anonymous user account's context.

If your remote users don't have Windows user accounts then they're just anonymous users and have no ability to authenticate to IIS. In that case (which is the typical one) you're just going to need to grant the anonymous user account rights to do whatever is necessary to make your application work. That's just the way it is w/ some applications-- you don't have the ability for the users to authenticate so you have to make do w/ anonymous access and granting permissions to the anonymous user account.

Is that "risky"? That depends on your application. If anonymous users have the ability to upload arbitrary files to a directory and execute them, for example, then you're effectively opening up public shell access on your server computer. The architecture of the application is going to determine this.

Applications that allow anonymous users to upload arbitrary types, quantities, and sizes of files to a remote server computer seem very risky to me on the surface. It's a complete showstopper if the directory where the uploads are stored is accessible via the webserver for downloads because, effectively, you just made your server into a public file-sharing site. It's also a complete showstopper if the user can cause any content they upload (including EXE files and/or script files) to be executed by either Windows or the PHP interpreter.

The more "removed" the writing is from user control (i.e. if the script is just keeping files there to track state, rather than allowing users to upload arbitrary content) the less "risky" it seems. I'd be looking for the script to do a good job sanitizing user input and limiting the quantity of data that a user can cause the script to write (to prevent DoS attack).

What you're really looking for, ultimately, is an application security architecture review, and maybe a pentest. If this is a commonly-used script that is supported and publicly available then, hopefully, simple security bugs should have already been shaken out. If this is something more boutique or custom then I'd be wary of trusting the security architecture of the application w/o having it reviewed.

Evan Anderson
  • Thanks for your complete answer. What about WordPress? The thing that I didn't understand is that if I grant modify & write permissions to IUSR on wp-contents & wp-admin folders, is it possible for a visitor to edit WordPress PHP files from his own computer? (Assuming that I don't allow file uploads.) – Sam Jun 27 '13 at 17:24
  • In a nutshell-- no. The remote user wouldn't be able to modify the existing files in those folders if you grant the IUSR_machinename write access to those folders in the NTFS Access Control Lists. Do be careful about granting "Write" permission in the IIS settings, however-- that will allow users to upload files and, if the NTFS ACLs permit them to write into a folder and "Write" permission is allowed in IIS then uploads _are_ possible. – Evan Anderson Jun 27 '13 at 18:24
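
The answer's concern is writable folders that also hold content the server can execute. The PowerShell audit below is an added example, not part of the original question or answer: it lists every directory under a site root where the anonymous identity holds write-capable NTFS rights and counts the executable or script files sitting in each. The site root path, the identity names (the built-in `IUSR` / `IIS_IUSRS` accounts) and the extension list are assumptions to adjust for your server.

```powershell
# Added example, not from the original answer. Assumed values: site root path and
# identity names (built-in IUSR / IIS_IUSRS on IIS 7 and later).
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',
    [string[]]$Identity = @('NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS')
)

# Specific rights that let an account create, change or re-permission content,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits Get-Acl can show on inherit-only ACEs.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# File types that Windows or a script handler could execute (constructed list).
$scriptExt = '.php', '.phtml', '.asp', '.aspx', '.exe', '.bat', '.cmd', '.ps1'

function Get-AnonymousWritableDirectory {
    param([string]$Root, [string[]]$Account)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Account -notcontains $ace.IdentityReference.Value) { continue }
            if (($rights -band $writeBits) -eq 0) { continue }
            # Count files in this directory that could run if requested or invoked.
            $scripts = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue |
                Where-Object { $scriptExt -contains $_.Extension.ToLower() })
            [pscustomobject]@{
                Path        = $dir.FullName
                Account     = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                FullControl = (($rights -band $fullControl) -eq $fullControl)
                Inherited   = $ace.IsInherited
                ScriptFiles = $scripts.Count
            }
        }
    }
}

Get-AnonymousWritableDirectory -Root $SiteRoot -Account $Identity |
    Sort-Object -Property ScriptFiles -Descending |
    Format-Table -AutoSize -Wrap
```

Rows where `FullControl` is true or `ScriptFiles` is non-zero are the ones to review first, since those are the folders where anonymously writable space sits beside content the server can run.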