Server Permission Settings

Jess
07-11-2005
Hello,

I'm not sure if I'm in the right area. I have ASP pages that call a
database and sometimes update it. The pages are under the root; the database
is in a db folder under the root. My server guy isn't too sure what the
permissions should be on the server to these folders (root & db). Can you
give me some general instructions for this? Or point me in the right
direction for the answer?

Thanks
 

Steven Burn
07-11-2005
You need to ensure IUSR_<machine> has read permissions for the root and
read/write for the database (not the folder it's in)

"Jess" wrote in message:
> Hello,
>
> I'm not sure if I'm in the right area. I have asp pages that call a
> database and sometimes updates it. The pages are under the root the database
> is in a db folder under the root. My server guy isn't too sure what the
> permissions should be on the server to these folders (root & db). Can you
> give me some general instructions for this? Or point me in the right
> direction for the answer?
>
> Thanks



 

Aaron Bertrand [SQL Server MVP]
07-11-2005
IUSR_MachineName should have read access on the folder(s) containing the ASP
scripts, and full permissions on the folder containing the MDB file (it
needs read to access it, change to allow the file to grow as you fill it
with more data, and write to create the temporary LDB file).

A bit of information here:
http://support.microsoft.com/default.aspx/kb/253604

And lots of troubleshooting for 80004005 errors here:
http://www.aspfaq.com/2009



"Jess" wrote in message:
> Hello,
>
> I'm not sure if I'm in the right area. I have asp pages that call a
> database and sometimes updates it. The pages are under the root the
> database
> is in a db folder under the root. My server guy isn't too sure what the
> permissions should be on the server to these folders (root & db). Can you
> give me some general instructions for this? Or point me in the right
> direction for the answer?
>
> Thanks



 

Roland Hall
07-11-2005
"Aaron Bertrand [SQL Server MVP]" wrote in message:
: IUSR_MachineName should have read access on the folder(s) containing the ASP
: scripts, and full permissions on the folder containing the MDB file (it
: needs read to access it, change to allow the file to grow as you fill it
: with more data, and write to create the temporary LDB file).
:
: A bit of information here:
: http://support.microsoft.com/default.aspx/kb/253604
:
: And lots of troubleshooting for 80004005 errors here:
: http://www.aspfaq.com/2009

Make that modify rights, not full rights.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 

Aaron Bertrand [SQL Server MVP]
07-11-2005
> Make that modify rights, not full rights.

What rights are included in full that aren't needed?

As I explained, you need read obviously, plus you need change if the MDB
file should grow, plus you need write to create the LDB file.

A


 

Roland Hall
07-11-2005
"Aaron Bertrand [SQL Server MVP]" wrote in message:
:> Make that modify rights, not full rights.
:
: What rights are included in full that aren't needed?
:
: As I explained, you need read obviously, plus you need change if the MDB
: file should grow, plus you need write to create the LDB file.

1. It's not create rights, it's write rights.
2. Permissions are inclusive meaning the next level has all of what the
previous level has.
3. With Full Rights you can change permissions and take ownership. That's
not a good thing to give to an anonymous user or anyone that doesn't need
it.

From here: http://www.windowsitlibrary.com/Content/592/1.html#1
If a user needs all access to a file except to take ownership and change its
permissions, the Modify permission can be granted. The access allowed by the
Read, Write, and Read & Execute are automatically granted within the Modify
permission.

Nobody should ever have full rights unless they're an admin, backup account
or SYSTEM. And, no admins should have admin access with their daily user
account. All admins should have a separate account just for administration.
It minimizes the risk to the network and allows for a better trail.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
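
The difference between Full Control and Modify that this exchange turns on can be computed from the NTFS access masks. The following is an added example, not code from any poster in the thread; the bit values are the standard Windows SDK file access rights, while the machine name `WEB01`, the paths and the ACE list are constructed for illustration.

```python
# Standard NTFS file access-right bits (values from the Windows SDK, winnt.h).
RIGHTS = {
    "FILE_READ_DATA": 0x000001, "FILE_WRITE_DATA": 0x000002,
    "FILE_APPEND_DATA": 0x000004, "FILE_READ_EA": 0x000008,
    "FILE_WRITE_EA": 0x000010, "FILE_EXECUTE": 0x000020,
    "FILE_DELETE_CHILD": 0x000040, "FILE_READ_ATTRIBUTES": 0x000080,
    "FILE_WRITE_ATTRIBUTES": 0x000100, "DELETE": 0x010000,
    "READ_CONTROL": 0x020000, "WRITE_DAC": 0x040000,
    "WRITE_OWNER": 0x080000, "SYNCHRONIZE": 0x100000,
}
# Composite masks behind the basic permissions, keyed by their icacls letters:
# F = Full Control, M = Modify, RX = Read & Execute, R = Read.
BASIC = {"F": 0x1F01FF, "M": 0x1301BF, "RX": 0x1200A9, "R": 0x120089}
# Rights that let the holder rewrite the ACL or take ownership of the object.
ACL_CONTROL = RIGHTS["WRITE_DAC"] | RIGHTS["WRITE_OWNER"]

def right_names(mask):
    """Names of the individual rights set in an access mask."""
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)

def extra_rights(granted, needed):
    """Rights in the `granted` basic permission that `needed` does not include."""
    return right_names(BASIC[granted] & ~BASIC[needed])

def audit(aces, account_prefix="IUSR_"):
    """Flag ACEs that give the anonymous web account control over the ACL."""
    findings = []
    for path, account, letter in aces:
        name = account.rsplit("\\", 1)[-1]
        if name.upper().startswith(account_prefix) and BASIC[letter] & ACL_CONTROL:
            findings.append((path, account, extra_rights(letter, "M")))
    return findings

# Constructed sample ACEs: (path, account, basic permission letter).
SAMPLE_ACES = [
    (r"C:\Inetpub\wwwroot", r"WEB01\IUSR_WEB01", "RX"),
    (r"C:\Inetpub\wwwroot\db", r"WEB01\IUSR_WEB01", "F"),
    (r"C:\Inetpub\wwwroot\db", r"BUILTIN\Administrators", "F"),
]

if __name__ == "__main__":
    print("Full Control adds over Modify:", extra_rights("F", "M"))
    print("Modify adds over Read & Execute:", extra_rights("M", "RX"))
    for path, account, extra in audit(SAMPLE_ACES):
        print(f"{path}: {account} holds {extra}; Modify would be enough")
```
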




 

Aaron Bertrand [SQL Server MVP]
07-12-2005
> : file should grow, plus you need write to create the LDB file.
>
> 1. It's not create rights, it's write rights.


That's what I said. "You need write to create the LDB file."

> 3. With Full Rights you can change permissions and take ownership. That's
> not a good thing to give to an anonymous user or anyone that doesn't need
> it.


An anonymous user who can't log in (since Windows controls the password).
Can you please demonstrate an ASP script that will allow a user of the web
site to do something silly or worse because IUSR has "full control" rights
rather than the individual permissions.

Remember that if someone has access to the file system to change an ASP
script that IUSR has access to, they have already compromised more than what
you're worried about. And also remember that I did not suggest adding IUSR
to the administrators group.


 

Roland Hall
07-12-2005
"Aaron Bertrand [SQL Server MVP]" wrote in message:
:> : file should grow, plus you need write to create the LDB file.
: >
: > 1. It's not create rights, it's write rights.
:
: That's what I said. "You need write to create the LDB file."

Which means you only need modify rights. I hear an echo. (O:=

: > 3. With Full Rights you can change permissions and take ownership. That's
: > not a good thing to give to an anonymous user or anyone that doesn't need
: > it.
:
: An anonymous user who can't log in (since Windows controls the password).

You're assuming the password is being controlled by the OS. Just because
it's the default doesn't make it so. You're also assuming it can never be
compromised. What is the only secure system in the world?

: Can you please demonstrate an ASP script that will allow a user of the web
: site to do something silly or worse because IUSR has "full control" rights
: rather than the individual permissions.

NTFS permissions do not affect ASP scripts, directly. They affect user
access. I don't know what the next buffer overflow is going to do and
giving Full Rights to an account that doesn't need it is a security risk.

Network security is not rocket science. It's not a task. It is a simple
philosophy. Never give anyone access they don't need to get their job done.
It's not a good idea to teach others bad behavior no matter how well
intended, no matter how safe it appears to be on the surface.

: Remember that if someone has access to the file system to change an ASP
: script that IUSR has access to, they have already compromised more than what
: you're worried about.

I'm always worried about the whole system, not just in part. I never assume
anything is secure. As stated above, I have a simple philosophy and I
follow it. It increases my chance for success in securing my network and
those I support. It's not a good idea to give everyone on the net Full
Rights to any part of my network.

: And also remember that I did not suggest adding IUSR
: to the administrators group.

I'm aware. I'm not suggesting you don't know something about security,
however I don't know your level of competency of network security, nor
anyone else's on the net. My response was based on a philosophy which
requires following a standard approach when working with permissions. The
first no-no in network security is to assign Full Rights to any account that
doesn't need it. It's also the first rule broken by every lazy admin on the
planet. I also cannot assume the developer is so proficient that they will
not make the situation worse with sloppy coding. I just cannot predict what
others will do. I have to assume the worst and act accordingly to minimize
the risk and the unscheduled downtime. Also, the net user is not my biggest
threat. It's the users who already have some access to the internal network
and usually Public Enemy #1 is the soon to be convict I'm working under who
thinks s/he needs Administrative access because of his/her title.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 

Jess
07-12-2005
Thanks for the help.

Jess
 

Aaron Bertrand [SQL Server MVP]
07-12-2005
I'm still not sure what you think "Full Control" grants IUSR that
read/write/modify does not, but okay.


 