I see this question has been asked but not really fully answered (that I
could find).
All of our domains are on their own drive, such as this
f:\wwwdomain1
f:\wwwdomain2
f:\wwwdomain3
and so on.
If we set up a new domain for someone, say wwwdomain3, provide FTP in
access to an outside person so they can upload their own web-pages, it
seems they can easily write this code...
string[] s = Directory.GetDirectories("c:\\Documents and Settings\\");
And get a listing of all the user directories, or
string[] s = Directory.GetDirectories("f:\\wwwdomain2\\");
and get all the files in another domain we host, and so on...
I am not comfortable with this. It seems there is no [x] Disable Parent
Paths checkbox in IIS for ASP.NET, and it seems they suggest relying on
NTFS permissions to stop this kind of thing. I guess I'm not sure the
most elegant way to make it so "every single public website runs as its
own user with only access to its own directory". I know IIS runs as the
IIS_USR, I'm not sure even how to set it up if making it so every domain
in IIS runs as its own locked down user...
A) Is this really the answer?
B) How do you do it?
Thank you
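
A check for the concern raised in the post above, as an added example that is not part of the original post: run under the Windows account that serves wwwdomain3, it repeats the post's Directory.GetDirectories call against each path and reports whether NTFS permissions deny it. The class name, the argument layout and the exit-code convention are assumptions made for this example; the default paths are the ones quoted in the post.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example (not from the original post). Run it as the account
// that serves one site to confirm it cannot list anything but its own root.
static class IsolationCheck
{
    enum Result { Readable, Denied, Missing }

    // Attempts the same directory listing the post is worried about.
    static Result Probe(string path)
    {
        try
        {
            Directory.GetDirectories(path);
            return Result.Readable;
        }
        catch (UnauthorizedAccessException) { return Result.Denied; }   // NTFS ACL blocked the listing
        catch (DirectoryNotFoundException) { return Result.Missing; }  // path does not exist on this host
        catch (IOException) { return Result.Missing; }                 // drive not ready or similar
    }

    static int Main(string[] args)
    {
        // Assumed usage: IsolationCheck <ownRoot> <offLimit1;offLimit2;...>
        // Defaults are the example paths quoted in the post.
        string ownRoot = args.Length > 0 ? args[0] : @"f:\wwwdomain3";
        string[] offLimits = args.Length > 1
            ? args[1].Split(';')
            : new[] { @"c:\Documents and Settings", @"f:\wwwdomain1", @"f:\wwwdomain2" };

        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        int failures = 0;

        // The site must still be able to read its own content.
        Result own = Probe(ownRoot);
        Console.WriteLine("{0,-10} {1} (expected Readable)", own, ownRoot);
        if (own != Result.Readable) failures++;

        // Every other location must be refused by the file system.
        foreach (string path in offLimits)
        {
            Result r = Probe(path);
            Console.WriteLine("{0,-10} {1} (expected Denied)", r, path);
            if (r == Result.Readable) failures++;
        }
        return failures; // non-zero exit code: at least one isolation expectation failed
    }
}
```

A path reported as Missing is not counted as a failure, so check that the off-limits list matches directories that actually exist on the server being tested.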