Following up on my last two blogs, we continue to notice that folks have difficulty properly configuring IIS in a secure manner, because they tend to over-open the security of their system, giving privileges to both the "request identity" and the "process identity" that are above what are required for secure and reliable applications.
Our security guru Nazim wrote a great article on securing IIS here: http://learn.iis.net/page.aspx/583/securing-content-in-iis-through-file-system-acls
I thought I would briefly slice some of his content in a different view. Basically, for each kind of module or content, what privileges should I be giving? So let's take a brief stab (with great credit to Nazim and the work he did). The 3 permissions you may need to give to identities for your content are: Read/List Folder Contents/Execute
If you're running into trouble with this, be sure to use AuthDiag (part of the IIS Diagnostics Toolkit) to understand this further ... http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang=en
Here is the breakdown:
Static files and Scripts (.html, jpg, .php, .asp, .stm)
-
Request identity needs READ & List Folder Contents so that your users can get the content
-
Process identity MAY need READ (but depends on the way the handler works) so that the Script Handler code can open/parse the files
Script Handlers (asp.dll, php.dll) - this is the HTTP module or ISAPI module, not the scripts themselves
CGI's (.exe or .com files)
ISAPI Filters
ISAPI Extensions
Native IIS Modules (IIS 7 and above)
Again, as a reminder, depending on your operating system and process model, the "process identity" is different: http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx
Dave
Comments