Server Permission Settings

Discussion in 'ASP General' started by Jess, Jul 11, 2005.

  1. Jess

    Hello,

    I'm not sure if I'm in the right area. I have asp pages that call a
    database and sometimes updates it. The pages are under the root the database
    is in a db folder under the root. My server guy isn't too sure what the
    permissions should be on the server to these folders (root & db). Can you
    give me some general instructions for this? Or point me in the right
    direction for the answer?

    Thanks
     
    Jess, Jul 11, 2005
    #1

  2. Steven Burn

    You need to ensure IUSR_<machine> has read permissions for the root and
    read/write for the database (not the folder it's in)

    "Jess" <> wrote in message
    news:...
    > Hello,
    >
    > I'm not sure if I'm in the right area. I have asp pages that call a
    > database and sometimes updates it. The pages are under the root the database
    > is in a db folder under the root. My server guy isn't too sure what the
    > permissions should be on the server to these folders (root & db). Can you
    > give me some general instructions for this? Or point me in the right
    > direction for the answer?
    >
    > Thanks
     
    Steven Burn, Jul 11, 2005
    #2

  3. IUSR_MachineName should have read access on the folder(s) containing the ASP
    scripts, and full permissions on the folder containing the MDB file (it
    needs read to access it, change to allow the file to grow as you fill it
    with more data, and write to create the temporary LDB file).

    A bit of information here:
    http://support.microsoft.com/default.aspx/kb/253604

    And lots of troubleshooting for 80004005 errors here:
    http://www.aspfaq.com/2009



    "Jess" <> wrote in message
    news:...
    > Hello,
    >
    > I'm not sure if I'm in the right area. I have asp pages that call a
    > database and sometimes updates it. The pages are under the root the
    > database
    > is in a db folder under the root. My server guy isn't too sure what the
    > permissions should be on the server to these folders (root & db). Can you
    > give me some general instructions for this? Or point me in the right
    > direction for the answer?
    >
    > Thanks
     
    Aaron Bertrand [SQL Server MVP], Jul 11, 2005
    #3
  4. Roland Hall

    "Aaron Bertrand [SQL Server MVP]" wrote in message
    news:...
    : IUSR_MachineName should have read access on the folder(s) containing the ASP
    : scripts, and full permissions on the folder containing the MDB file (it
    : needs read to access it, change to allow the file to grow as you fill it
    : with more data, and write to create the temporary LDB file).
    :
    : A bit of information here:
    : http://support.microsoft.com/default.aspx/kb/253604
    :
    : And lots of troubleshooting for 80004005 errors here:
    : http://www.aspfaq.com/2009

    Make that modify rights, not full rights.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Jul 11, 2005
    #4
  5. > Make that modify rights, not full rights.

    What rights are included in full that aren't needed?

    As I explained, you need read obviously, plus you need change if the MDB
    file should grow, plus you need write to create the LDB file.

    A
     
    Aaron Bertrand [SQL Server MVP], Jul 11, 2005
    #5
  6. Roland Hall

    "Aaron Bertrand [SQL Server MVP]" <> wrote in message
    news:...
    :> Make that modify rights, not full rights.
    :
    : What rights are included in full that aren't needed?
    :
    : As I explained, you need read obviously, plus you need change if the MDB
    : file should grow, plus you need write to create the LDB file.

    1. It's not create rights, it's write rights.
    2. Permissions are inclusive meaning the next level has all of what the
    previous level has.
    3. With Full Rights you can change permissions and take ownership. That's
    not a good thing to give to an anonymous user or anyone that doesn't need
    it.

    From here: http://www.windowsitlibrary.com/Content/592/1.html#1
    If a user needs all access to a file except to take ownership and change its
    permissions, the Modify permission can be granted. The access allowed by the
    Read, Write, and Read & Execute are automatically granted within the Modify
    permission.

    Nobody should ever have full rights unless they're an admin, backup account
    or SYSTEM. And, no admins should have admin access with their daily user
    account. All admins should have a separate account just for administration.
    It minimizes the risk to the network and allows for a better trail.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Jul 11, 2005
    #6
  7. > : file should grow, plus you need write to create the LDB file.
    >
    > 1. It's not create rights, it's write rights.


    That's what I said. "You need write to create the LDB file."

    > 3. With Full Rights you can change permissions and take ownership. That's
    > not a good thing to give to an anonymous user or anyone that doesn't need
    > it.


    An anonymous user who can't log in (since Windows controls the password).
    Can you please demonstrate an ASP script that will allow a user of the web
    site to do something silly or worse because IUSR has "full control" rights
    rather than the individual permissions.

    Remember that if someone has access to the file system to change an ASP
    script that IUSR has access to, they have already compromised more than what
    you're worried about. And also remember that I did not suggest adding IUSR
    to the administrators group.
     
    Aaron Bertrand [SQL Server MVP], Jul 12, 2005
    #7
  8. Roland Hall

    "Aaron Bertrand [SQL Server MVP]" <> wrote in message
    news:...
    :> : file should grow, plus you need write to create the LDB file.
    : >
    : > 1. It's not create rights, it's write rights.
    :
    : That's what I said. "You need write to create the LDB file."

    Which means you only need modify rights. I hear an echo. (O:=

    : > 3. With Full Rights you can change permissions and take ownership. That's
    : > not a good thing to give to an anonymous user or anyone that doesn't need
    : > it.
    :
    : An anonymous user who can't log in (since Windows controls the password).

    You're assuming the password is being controlled by the OS. Just because
    it's the default doesn't make it so. You're also assuming it can never be
    compromised. What is the only secure system in the world?

    : Can you please demonstrate an ASP script that will allow a user of the web
    : site to do something silly or worse because IUSR has "full control" rights
    : rather than the individual permissions.

    NTFS permissions do not affect ASP scripts, directly. They affect user
    access. I don't know what the next buffer overflow is going to do and
    giving Full Rights to an account that doesn't need it is a security risk.

    Network security is not rocket science. It's not a task. It is a simple
    philosophy. Never give anyone access they don't need to get their job done.
    It's not a good idea to teach others bad behavior no matter how well
    intended, no matter how safe it appears to be on the surface.

    : Remember that if someone has access to the file system to change an ASP
    : script that IUSR has access to, they have already compromised more than what
    : you're worried about.

    I'm always worried about the whole system, not just in part. I never assume
    anything is secure. As stated above, I have a simple philosophy and I
    follow it. It increases my chance for success in securing my network and
    those I support. It's not a good idea to give everyone on the net Full
    Rights to any part of my network.

    : And also remember that I did not suggest adding IUSR
    : to the administrators group.

    I'm aware. I'm not suggesting you don't know something about security,
    however I don't know your level of competency of network security, nor
    anyone else's on the net. My response was based on a philosophy which
    requires following a standard approach when working with permissions. The
    first no-no in network security is to assign Full Rights to any account that
    doesn't need it. It's also the first rule broken by every lazy admin on the
    planet. I also cannot assume the developer is so proficient that they will
    not make the situation worse with sloppy coding. I just cannot predict what
    others will do. I have to assume the worst and act accordingly to minimize
    the risk and the unscheduled downtime. Also, the net user is not my biggest
    threat. It's the users who already have some access to the internal network
    and usually Public Enemy #1 is the soon to be convict I'm working under who
    thinks s/he needs Administrative access because of his/her title.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Jul 12, 2005
    #8
  9. Jess

    Thanks for the help.

    Jess
     
    Jess, Jul 12, 2005
    #9
  10. I'm still not sure what you think "Full Control" grants IUSR that
    read/write/modify does not, but okay.
     
    Aaron Bertrand [SQL Server MVP], Jul 12, 2005
    #10
  11. Aaron Bertrand [SQL Server MVP] wrote:
    > I'm still not sure what you think "Full Control" grants IUSR that
    > read/write/modify does not, but okay.


    It's similar to the difference between making a user an object owner (dbo)
    and granting a user select/update/insert/delete permissions.

    "Full" grants the ability to modify permissions for the object. It is one
    step down from object owner.
    "Modify" grants only the ability to create/read/write/delete

    Of course, the terminology varies depending on the OS.

    Bob
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], Jul 12, 2005
    #11
  12. > "Full" grants the ability to modify permissions for the object. It is one
    > step down from object owner.


    YES! Now can someone please enlighten me as to how a malicious user will
    (a) know that you granted IUSR_ this extra permission, and (b) how they will
    take advantage of it.

    FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
    all, it's checking one box as opposed to three.
     
    Aaron Bertrand [SQL Server MVP], Jul 12, 2005
    #12
  13. Aaron Bertrand [SQL Server MVP] wrote:
    >> "Full" grants the ability to modify permissions for the object. It
    >> is one step down from object owner.

    >
    > YES! Now can someone please enlighten me as to how a malicious user
    > will (a) know that you granted IUSR_ this extra permission, and


    Obviously, unless he has physical/directory access to the machine, in which
    case your goose is already cooked, he won't.

    > (b)
    > how they will take advantage of it.


    No way that I can think of.

    However, that does not invalidate the "least privilege" principle.
    Neglecting it in one specific situation may make it easy to neglect it where
    it really counts.

    >
    > FWIW, I typically grant Full Control because I'm a lazy ignoramus.
    > After all, it's checking one box as opposed to three.


    Again, it depends on the OS. On my machine, clicking Modify causes the lower
    checkboxes to be checked. On older systems, yes, I remember having to check
    multiple checkboxes.

    And I will dispute that "lazy ignoramus" label.

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], Jul 12, 2005
    #13
  14. Roland Hall

    "Aaron Bertrand [SQL Server MVP]" wrote in message
    news:u$...
    :> "Full" grants the ability to modify permissions for the object. It is one
    : > step down from object owner.
    :
    : YES! Now can someone please enlighten me as to how a malicious user will
    : (a) know that you granted IUSR_ this extra permission, and (b) how they will
    : take advantage of it.

    Well, then just give the anonymous user Full Rights to your entire web root
    then. How will they know you granted the extra permission? After all, READ
    rights are inclusive to Full Rights. Define "they". They the net user,
    they the local user...?

    : FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
    : all, it's checking one box as opposed to three.

    I'm sorry to hear that. I may have to remove your pedestal. (O:=

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Jul 13, 2005
    #14
  15. Roland Hall

    "Jess" wrote in message
    news:...
    : Thanks for the help.

    While we differ slightly in our views, Aaron did direct you to a good
    article to let you know you need at least modify rights on the folder
    containing your database to solve your issue. Good luck to you.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Jul 13, 2005
    #15
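The layout the thread settles on (read-only on the script folders, Modify rather than Full Control on the folder holding the .mdb so the file can grow and the .ldb lock file can be created), as an added PowerShell example that is not from any poster in the thread. The paths, the IIS 5/6-style IUSR_<machine> account name and the helper function name are assumptions; adjust them for your server.

```powershell
# Added example (not from the thread): grant the anonymous web account the
# least NTFS rights the posts describe, then audit for Full Control left behind.
# Assumptions: placeholder paths; classic IUSR_<machine> anonymous account
# (on IIS 7+ the account is IUSR or the IIS_IUSRS group instead).
$WebRoot  = 'C:\Inetpub\wwwroot'            # placeholder site root
$DbFolder = Join-Path $WebRoot 'db'         # placeholder folder holding the .mdb
$Account  = "IUSR_$env:COMPUTERNAME"        # IIS 5/6 anonymous account

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Hypothetical helper: replace (not accumulate) the explicit ACE for one account.
function Set-FolderRight {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Identity" } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Prop, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Script folders: the worker only needs to read and execute the ASP pages.
Set-FolderRight -Path $WebRoot  -Identity $Account -Rights 'ReadAndExecute'
# Database folder: Modify covers read, growth of the .mdb (write) and
# creating/deleting the temporary .ldb file, without the ability to change
# permissions or take ownership that Full Control adds.
Set-FolderRight -Path $DbFolder -Identity $Account -Rights 'Modify'

# Audit: warn about any folder under the site where the anonymous account
# still holds Full Control (the ACE covers every bit in FullControl).
Get-ChildItem -Path $WebRoot -Recurse -Directory | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" -and
                       ($_.FileSystemRights -band $Full) -eq $Full } |
        ForEach-Object { Write-Warning "Full Control for $Account on $p" }
}
```

Run it from an elevated prompt; the audit loop alone is safe to run read-only by removing the two Set-FolderRight calls.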
