Server Permission Settings

Jess

Hello,

I'm not sure if I'm in the right area. I have asp pages that call a
database and sometimes update it. The pages are under the root; the database
is in a db folder under the root. My server guy isn't too sure what the
permissions should be on the server to these folders (root & db). Can you
give me some general instructions for this? Or point me in the right
direction for the answer?

Thanks
 
Steven Burn

You need to ensure IUSR_<machine> has read permissions for the root and
read/write for the database (not the folder it's in)
 
Aaron Bertrand [SQL Server MVP]

IUSR_MachineName should have read access on the folder(s) containing the ASP
scripts, and full permissions on the folder containing the MDB file (it
needs read to access it, change to allow the file to grow as you fill it
with more data, and write to create the temporary LDB file).

A bit of information here:
http://support.microsoft.com/default.aspx/kb/253604

And lots of troubleshooting for 80004005 errors here:
http://www.aspfaq.com/2009
 
Roland Hall

in message
: IUSR_MachineName should have read access on the folder(s) containing the ASP
: scripts, and full permissions on the folder containing the MDB file (it
: needs read to access it, change to allow the file to grow as you fill it
: with more data, and write to create the temporary LDB file).
:
: A bit of information here:
: http://support.microsoft.com/default.aspx/kb/253604
:
: And lots of troubleshooting for 80004005 errors here:
: http://www.aspfaq.com/2009

Make that modify rights, not full rights.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 
Aaron Bertrand [SQL Server MVP]

> Make that modify rights, not full rights.

What rights are included in full that aren't needed?

As I explained, you need read obviously, plus you need change if the MDB
file should grow, plus you need write to create the LDB file.

A
 
Roland Hall

:> Make that modify rights, not full rights.
:
: What rights are included in full that aren't needed?
:
: As I explained, you need read obviously, plus you need change if the MDB
: file should grow, plus you need write to create the LDB file.

1. It's not create rights, it's write rights.
2. Permissions are inclusive meaning the next level has all of what the
previous level has.
3. With Full Rights you can change permissions and take ownership. That's
not a good thing to give to an anonymous user or anyone that doesn't need
it.

From here: http://www.windowsitlibrary.com/Content/592/1.html#1
If a user needs all access to a file except to take ownership and change its
permissions, the Modify permission can be granted. The access allowed by the
Read, Write, and Read & Execute are automatically granted within the Modify
permission.

Nobody should ever have full rights unless they're an admin, backup account
or SYSTEM. And, no admins should have admin access with their daily user
account. All admins should have a separate account just for administration.
It minimizes the risk to the network and allows for a better trail.

--
Roland Hall
 
Aaron Bertrand [SQL Server MVP]

> : file should grow, plus you need write to create the LDB file.
>
> 1. It's not create rights, it's write rights.

That's what I said. "You need write to create the LDB file."
> 3. With Full Rights you can change permissions and take ownership. That's
> not a good thing to give to an anonymous user or anyone that doesn't need
> it.

An anonymous user who can't log in (since Windows controls the password).
Can you please demonstrate an ASP script that will allow a user of the web
site to do something silly or worse because IUSR has "full control" rights
rather than the individual permissions.

Remember that if someone has access to the file system to change an ASP
script that IUSR has access to, they have already compromised more than what
you're worried about. And also remember that I did not suggest adding IUSR
to the administrators group.
 
Roland Hall

:> : file should grow, plus you need write to create the LDB file.
: >
: > 1. It's not create rights, it's write rights.
:
: That's what I said. "You need write to create the LDB file."

Which means you only need modify rights. I hear an echo. (O:=

: > 3. With Full Rights you can change permissions and take ownership. That's
: > not a good thing to give to an anonymous user or anyone that doesn't need
: > it.
:
: An anonymous user who can't log in (since Windows controls the password).

You're assuming the password is being controlled by the OS. Just because
it's the default doesn't make it so. You're also assuming it can never be
compromised. What is the only secure system in the world?

: Can you please demonstrate an ASP script that will allow a user of the web
: site to do something silly or worse because IUSR has "full control" rights
: rather than the individual permissions.

NTFS permissions do not affect ASP scripts, directly. They affect user
access. I don't know what the next buffer overflow is going to do and
giving Full Rights to an account that doesn't need it is a security risk.

Network security is not rocket science. It's not a task. It is a simple
philosophy. Never give anyone access they don't need to get their job done.
It's not a good idea to teach others bad behavior no matter how well
intended, no matter how safe it appears to be on the surface.

: Remember that if someone has access to the file system to change an ASP
: script that IUSR has access to, they have already compromised more than what
: you're worried about.

I'm always worried about the whole system, not just in part. I never assume
anything is secure. As stated above, I have a simple philosophy and I
follow it. It increases my chance for success in securing my network and
those I support. It's not a good idea to give everyone on the net Full
Rights to any part of my network.

: And also remember that I did not suggest adding IUSR
: to the administrators group.

I'm aware. I'm not suggesting you don't know something about security,
however I don't know your level of competency of network security, nor
anyone else's on the net. My response was based on a philosophy which
requires following a standard approach when working with permissions. The
first no-no in network security is to assign Full Rights to any account that
doesn't need it. It's also the first rule broken by every lazy admin on the
planet. I also cannot assume the developer is so proficient that they will
not make the situation worse with sloppy coding. I just cannot predict what
others will do. I have to assume the worst and act accordingly to minimize
the risk and the unscheduled downtime. Also, the net user is not my biggest
threat. It's the users who already have some access to the internal network
and usually Public Enemy #1 is the soon to be convict I'm working under who
thinks s/he needs Administrative access because of his/her title.

--
Roland Hall
 
Aaron Bertrand [SQL Server MVP]

I'm still not sure what you think "Full Control" grants IUSR that
read/write/modify does not, but okay.
 
Bob Barrows [MVP]

Aaron said:
> I'm still not sure what you think "Full Control" grants IUSR that
> read/write/modify does not, but okay.

It's similar to the difference between making a user an object owner (dbo)
and granting a user select/update/insert/delete permissions

"Full" grants the ability to modify permissions for the object. It is one
step down from object owner.
"Modify" grants only the ability to create/read/write/delete

Of course, the terminology varies depending on the OS.

Bob
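
The split this thread arrives at (read on the script folder, Modify rather than Full Control on the database folder), as an added PowerShell example that is not from any poster. The paths are assumed, the account follows the IUSR_<machine> naming used above, and the audit checks only for the two rights Full Control adds on top of Modify.

```powershell
# Added example. Paths are assumptions; the account follows the thread's
# IUSR_<machine> naming (IIS 7 and later use the built-in IUSR account instead).
$WebRoot = 'C:\inetpub\wwwroot'        # assumed folder holding the ASP pages
$DbDir   = Join-Path $WebRoot 'db'     # assumed folder holding the MDB file
$Account = "IUSR_$env:COMPUTERNAME"

function Get-ExcessiveAce {
    # Return Allow ACEs on $Path that let $Identity change permissions or take
    # ownership: the rights Full Control carries and Modify does not.
    param([string]$Path, [string]$Identity)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $excess = [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Identity" -and
        ([int]$_.FileSystemRights -band $excess) -ne 0
    }
}

# /grant:r replaces any earlier explicit grant for the account, so a previous
# Full Control entry does not linger. (OI)(CI) = inherit to files and subfolders.
icacls $WebRoot /grant:r "${Account}:(OI)(CI)RX"   # read and execute for scripts
icacls $DbDir   /grant:r "${Account}:(OI)(CI)M"    # modify: grow the MDB, create the LDB

# Audit both folders and report any entry that still exceeds Modify.
foreach ($p in $WebRoot, $DbDir) {
    $bad = Get-ExcessiveAce -Path $p -Identity $Account
    if ($bad) {
        Write-Warning "$p : $Account holds $($bad.FileSystemRights -join ', ')"
    } else {
        Write-Output "$p : $Account cannot change permissions or take ownership"
    }
}
```

Run it from an elevated prompt; inherited entries are not touched by `/grant:r`, so a warning after the grant points at a parent folder's ACL.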
 
Aaron Bertrand [SQL Server MVP]

> "Full" grants the ability to modify permissions for the object. It is one
> step down from object owner.

YES! Now can someone please enlighten me as to how a malicious user will
(a) know that you granted IUSR_ this extra permission, and (b) how they will
take advantage of it.

FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
all, it's checking one box as opposed to three.
 
Bob Barrows [MVP]

Aaron said:
> YES! Now can someone please enlighten me as to how a malicious user
> will (a) know that you granted IUSR_ this extra permission, and

Obviously, unless he has physical/directory access to the machine, in which
case your goose is already cooked, he won't.
> (b) how they will take advantage of it.

No way that I can think of.

However, that does not invalidate the "least privilege" principle.
Neglecting it in one specific situation may make it easy to neglect it where
it really counts.
> FWIW, I typically grant Full Control because I'm a lazy ignoramus.
> After all, it's checking one box as opposed to three.

Again, it depends on the OS. On my machine, clicking Modify causes the lower
checkboxes to be checked. On older systems, yes, I remember having to check
multiple checkboxes.

And I will dispute that "lazy ignoramus" label.

Bob Barrows
 
Roland Hall

in message
:> "Full" grants the ability to modify permissions for the object. It is one
: > step down from object owner.
:
: YES! Now can someone please enlighten me as to how a malicious user will
: (a) know that you granted IUSR_ this extra permission, and (b) how they will
: take advantage of it.

Well, then just give the anonymous user Full Rights to your entire web root
then. How will they know you granted the extra permission? After all, READ
rights are inclusive to Full Rights. Define "they". They the net user,
they the local user...?

: FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
: all, it's checking one box as opposed to three.

I'm sorry to hear that. I may have to remove your pedestal. (O:=

--
Roland Hall
 
Roland Hall

in message
: Thanks for the help.

While we differ slightly in our views, Aaron did direct you to a good
article to let you know you need at least modify rights on the folder
containing your database to solve your issue. Good luck to you.

--
Roland Hall
 
