NTFS Permissions for IIS Web Servers

[October 2002]
NTFS Permissions for IIS Web Servers
Careful use of system permissions can protect your Web server from attack
By: Mark Burnett
Focus
InstantDoc #26358
From the October 2002 edition of Windows IT Pro

In January 26, 2000—nearly a month before the official release of Windows 2000—Microsoft released Security Bulletin MS00-006 (Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability), which announced a Microsoft IIS vulnerability that could let an intruder view the source code of server-side documents, including Active Server Pages (ASP) scripts. This vulnerability is a risk because ASP code often contains sensitive information such as passwords or SQL statements that could be useful to intruders. Security experts advise that you set proper NTFS file permissions on your Web server hard disks. Since Win2K's release, Microsoft has released other similar advisories and has repeated the advice to set proper NTFS file permissions.

But which permissions should you set? Many administrators have had the experience of trying to tighten file permissions on a Web server only to discover that they've broken some feature of a Web application. Administrators are therefore wary of changing file permissions on servers that already function properly. But understanding how Web servers and their users interact with the file system will give you the knowledge and confidence to properly set permissions that greatly improve your Web server's security.

User Context
A typical Win2K system runs many processes at any given time. If you open Task Manager and select the Processes tab, you'll see a list of currently running processes. Open View, Select Columns, and you can select additional information about each process. Select the User Name check box and click OK to view a list similar to Figure 1, page 76, that shows which users own each process.

When a user launches a process, the process is launched in that user's context. If that process launches another process, the child process remains in the same user context as its parent. When a process accesses an NTFS volume, that file will always be accessed in that process's user context.

Some services, such as IIS, run under the System context but, for security reasons, will impersonate accounts with lesser privileges—called impersonation—by launching a new process under a different user context. As a result, the new process will make file requests under a different user context. Before you begin to lock down the system, you must first understand how each of these user roles comes into play.

The System Account
The System account, sometimes referred to as LocalSystem, is an internal account the OS uses primarily to launch Windows services. The System account doesn't show up in Local Users and Groups, and you can't remove it from the system. It's a member of the Administrators group, but you can't add it to any other groups. You can set NTFS permissions for the System account, but you can't assign it any user rights.

The System account is powerful. You can't deny the System account the right to change permissions. In other words, if you limit permissions for the System account, it can change those permissions back to the default settings. Microsoft designed this capability to ensure that the OS functions properly. On a default Win2K installation, the System account has full access to every file on an NTFS volume. If intruders can exploit a Windows service running under the System account, they can launch other processes or access files under the System context. Such access makes the System account an attractive target for intruders.

Microsoft recommends that you typically not remove the System account permissions from a file, but in some cases doing so will limit exposure to Win2K vulnerabilities that let intruders launch processes under the System context. One such vulnerability was the .Printer buffer overflow that Microsoft Security Bulletin MS01-023 (Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server) mentions. Therefore, limiting which files the System account can access can sometimes be important.

The Administrator
The built-in Administrator account is another privileged account that you must guard closely. Because you don't want to put too many file restrictions on this account, avoid running services as Administrator and limit access to Web browsing and email when logged on with this account. The Administrator account is a member of the built-in Everyone, Administrators, Authenticated Users, and Users groups. And when you log on to the Administrator account from the console, the account is also a member of the built-in Interactive group.

Prev. page [1] 2 3 4 next page

You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

HI,

This tutorial is good. I download the code and test in my win 2000 server. My question is that whether I can assign NTFS permission to users in member server, not the user from domain.

Thanks

Ganyu Qu- April 21, 2003

ADS BY GOOGLE SPONSORED LINKS

Microsoft® Tech•Ed EMEA 2008 Developers: Learn through hands-on experience with the latest tools and acquire skills to build more streamlined, scalable, and secure applications, Nov. 10-14, 2008 in Barcelona, Spain.

Order Your SharePoint Fundamentals CD!: Learn how to uncover rich information management capabilities with this free SharePoint CD.

Try Idera’s new SQL admin toolset!: 24 essential desktop tools for managing SQL Server for $495.

Evaluating Your Database Infrastructure: The wind of change is in the air for your corporate databases. SQL Server 2008 and other new technologies can mean it is possible to deploy more powerful and effective databases.

True High Availability for SQL Servers: SQL Server DBA’s must ensure that they have some form of protection in place. This seminar gives useful tips on HA and resources that are available for your disaster recovery planning.

Simplify your data management: Affordable multi-database query and design tool-- free trial!

Virtualization Congress Oct. 14-16: Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16 in London.

FEATURED LINKS

Coming This Fall - Deploying SharePoint - Live Event Series: Join SharePoint experts for best practices regarding infrastructure, design, forms configurations, and redundancy. Early Bird Price of $99!

SQL Server Magazine Connections Conference: Don’t miss the premier event for Microsoft developers and DBAs in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

Find a new job on the all new IT Job Hound!: Search jobs, post your resume, and set up job e-mail alerts!

Virtualization 101 – Live Web Seminar Aug. 21: Get an introduction to all the uses of virtualization and the differences between hosted, hypervisor-based, and OS-level virtualization.

Master SharePoint with 3 eLearning Seminars!: Learn how to customize field types, create scheduled services, and go further with the Content Query Web Part with MVP Andrew Connell. Register today!

Virtualization for Mission-Critical BI with SQL Server: Join this Aug. 20th web seminar to learn a different approach to virtualization for BI-based application infrastructure. Ask questions of live experts!

Windows IT Pro Is Your Definitive Source for BI Tools: Our tools are BI-lateral (relating to both the front and back ends of BI). Build the best platforms and reports with help from SQL Server Magazine. Master data-delivery with solutions in Windows IT Pro. Choose the resource that's right for you.

	SQL Server Magazine Register Subscribe FAQ for Windows WinInfoNews
	Contact Us / Customer Service Editorial Calendar Media Kit Affiliates / Licensing Technical Resources Directory
	Windows IT Pro Office & SharePoint Pro Windows Dev Pro IT Library Connected Home Windows Excavator SuperSite IT Job Hound ITTV

	Copyright © 2008 Penton Media, Inc. All rights reserved. Terms and Use Privacy Statement Reprints and Licensing

Search

Reader Comments

Related Whitepapers

Related eBooks

Related Essential Guides

Related Resources

vLabs Links

SQL Job Openings

ADS BY GOOGLE SPONSORED LINKS

FEATURED LINKS