PHP + IIS Application Pool Identity Windows\Temp permissions

Question

I am currently running PHP (5.3) on IIS 7.5 on a Win2k8 R2 Web Edition Server and would like to know what, if any, problems or security vulnerabilities I may introduct into a system by assigning Read, Write, Modify & Execute permissions to either IUSR account or the IIS_USERS group for %SystemRoot%\Temp?

Should I be altering permissions to that folder at all (as Windows reminds me I probably shouldn't when i attempt to change them)?

Should I create a temp folder somewhere else and set permissions accordingly?

The problem is when i set Anonymous Authentication (I'm guessing is a more secure option???) to use the App Pool identity, when starting sessions PHP gets stuck in a loop because it's unable to create session files in the %SystemRoot%\Temp folder due to lack of permission on the application pool user or IIS_USERS group.

Another problem being ImageMagick (PHP Extension) is being denied access to %SystemRoot%\Temp to write temporary files so is throwing exceptions.

I have tried searching Google however have not found anything that touches upon this subject specifically.

Any help greatly appreciated.

Answer 1

Assigning the anonymous inet user "modify" rights the default temp folder isn't very wise. As such, it's not a security failure but you're making some classes of attack against your web infrastructure easier.

As always, the devil is in the details. As long as nothing but innocuous data is written to that folder, there is no specific risk: the folder itself isn't different from numerous other places on your system. Of course, if you want to setup rights for the IUSR_ on that folder, it also means you intend to use that assignment so that web application can write to it.

There comes the risks: - Having "execute" rights on that folder removes a security layer: if an attacker finds a way to upload an executable on the temporary folder and have the system run it, it will run. If you deny the "execute" right, it simply won't work. - The folder is right on top of the most sensitive part of your system: the location of the operating system files. It means that, should someone manage to use a directory traversal bug in a web app that exploits a temporary file, he'll be one step away from the system root and all the interesting things that sits in it.

None of these are really too risky in themselves but a good security relies on security in depth. In this case, I'm pretty sure you can have your PHP app use a different folder than the system's temporary directory to save its temporary files. Best would be to place that on a separate partition, in a folder where the IUSR_* have read/write access but NOT execute permission.