
I have a Win2012/IIS 8 webserver which I am trying to secure. I want to isolate each site/user to their own folder as best as possible.

  • I have moved the websites to "c:\sites\mysiteA\", "c:\sites\mysiteB\" and so on.

  • I have set up separate user accounts for each website and set minimum permissions for the folder (including removing the "Users" group).

  • Removed non-essential users from other data folders like the MSSQL database folders.

However "c:\" and all system folders have by default read/execute access for the "Users" group.

I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.

Is it normal to leave the server like this?

Can anyone suggest what the best practice is from this point? Should the "Users" group be removed from "c:\", or perhaps a DENY rule added for IIS users?

These seem like drastic changes and I'm not sure if they would affect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.

David Meagor
  • How are you presuming that an "IIS" user (connecting to a web site) would be able to access "c:\" and all system folders? – joeqwerty Jan 04 '13 at 15:12
  • I am presuming that someone has found a vulnerability and been able to upload a remote shell script. – David Meagor Jan 04 '13 at 16:42
  • My suggestion would be that you: A. Configure IIS appropriately. B. Configure NTFS permissions on the web site directories appropriately. C. Run the Security Configuration Wizard after you've configured and tested the web sites. D. Don't muck around with any of the default permissions on the C: drive. – joeqwerty Jan 04 '13 at 16:46
  • With the default setup the c:\windows\temp\ folder gives read/write/execute access to the IIS user, making it trivial for someone with access to upload an .exe and execute it with that user's privileges. I am sure there are other examples. – David Meagor Jan 04 '13 at 23:54
  • Check out the question [IIS AppPoolIdentity and file system write access permissions](http://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions/5439658#5439658) over on Stack Overflow. It explains how and why the permissions are set the way they are. – Peter Hahndorf Aug 28 '13 at 18:56
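
An added example, not part of the original question or comments: a PowerShell audit of the per-site layout described in the question. It lists every Allow entry on a folder under c:\sites that belongs neither to that site's own account nor to Administrators/SYSTEM, so a leftover "Users" grant or another site's account shows up. The machine name, account names and folder-to-account mapping are hypothetical.

```powershell
# Audit per-site folder ACLs for broad or cross-site grants.
# Assumptions (not from the original post): each folder under C:\sites should
# be accessible only to its own account, Administrators and SYSTEM. The
# machine name WEB01 and the account names in $expected are hypothetical.
$sitesRoot = 'C:\sites'
$expected = @{
    'mysiteA' = 'WEB01\mysiteA_user'
    'mysiteB' = 'WEB01\mysiteB_user'
}
$alwaysAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$AllowedIdentities)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny entries do not widen access, so only Allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id = $ace.IdentityReference.Value
        if ($AllowedIdentities -notcontains $id) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: the grant comes from a parent folder
            }
        }
    }
}

Get-ChildItem -LiteralPath $sitesRoot -Directory | ForEach-Object {
    # Folders with no entry in $expected are checked against the base list only.
    $allowed = $alwaysAllowed + $expected[$_.Name]
    Get-UnexpectedAce -Path $_.FullName -AllowedIdentities $allowed
} | Format-Table -AutoSize
```

An entry with `Inherited` set to True has to be corrected on the parent folder, or by disabling inheritance on the site folder, rather than on the site folder's own entries.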

0 Answers