1

I am trying to change the user IIS runs under. I read that IIS might run using the IUSR_computer_name user, but I am not sure if this rule applies to IIS 7.0.

The question is, trying to map the whole filesystem tree I get access denied for some folders. I need access to those folders. So, I decided to change the user IIS is using.

Could someone give me a little hint on how to do that? I spent my whole day trying sets of configurations without success, and by now I have ended up with this last try.

1 Answer

5

It is really, really dangerous to run IIS as a user that has access to all folders in the file system. You are asking to be hacked badly (do you really want IIS to access C:\Windows?).

It is better to explicitly grant permission to the user IIS runs under to access the folders you really need IIS to access.

If you really must change the identity IIS runs under, you do that through the application pool configuration. Please see:

http://www.iis.net/learn/manage/configuring-security/application-pool-identities

That article, in addition to providing a detailed procedure to change the IIS identity, provides a great overview on IIS security. I suggest you give it a good read before proceeding.

Eric J.
  • You are right. I don't want users to have access to this folder. But .NET provides no workaround for me to list all the folders I have access to, checking one by one. getFiles and getDirectories just return nothing if they reach a folder without permission. I don't know how to proceed. I want the user to be able to choose any folder he has permission to access to save data (this is why I want to enumerate all folders the user has permission to access). –  Nov 27 '12 at 23:39
  • 2
    Why in the world do you want to access the entire file system. There's something seriously wrong with your design. – John Saunders Nov 27 '12 at 23:59
  • Ok, I believe the design is ok. Perhaps I am not making myself very clear. I have a text box with an onclick event that calls an action that creates a treeview. Of course I use jQuery as well. This field stores the path where the system will upload some files. In the same way I can save my files wherever I want when I download one (of course, where I have enough privileges to do that), I want the user to have this capability too. –  Nov 28 '12 at 01:14
  • @GuilhermeLongo Your design is ***NOT*** OK - it is in fact a giant security hole: Accepting an untrusted piece of input (upload path) from the user and letting your web server put arbitrary files at that location violates every principle of secure web programming. Please rethink this. – voretaq7 Dec 01 '12 at 14:14
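
The answer's recommendation (grant the identity IIS runs under access only to the folders it needs) can be applied as in the following added example, which is not part of the original answer or comments. The pool name and folder path are hypothetical, and the script assumes the pool runs as its application pool identity; if it runs as another account, put that account in `$identity` instead.

```powershell
# Added example: scope the IIS worker identity to one dedicated upload folder
# instead of widening what the identity can reach. Run from an elevated prompt.

# Assumed names (not from the page); replace with your own.
$appPoolName = 'UploadsAppPool'        # hypothetical application pool
$uploadRoot  = 'D:\WebData\Uploads'    # hypothetical dedicated upload folder

# Virtual account of an application pool identity: IIS AppPool\<pool name>.
# The pool must already exist or the account name will not resolve.
$identity = "IIS AppPool\$appPoolName"

# Create the folder if it is missing.
New-Item -ItemType Directory -Path $uploadRoot -Force | Out-Null

# Allow Modify (read, write, delete; not Full Control) on this folder,
# inherited by its subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $uploadRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $uploadRoot -AclObject $acl

# Verify: list only the entries that apply to the pool identity.
(Get-Acl -Path $uploadRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

With the grant limited to one folder, the application can keep every upload under `$uploadRoot` and let the user pick only subfolders of it, which avoids enumerating or writing to the rest of the file system.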