Web Wiz Support and Community Forums : Forum folder security evaluation

Web Wiz Support and Community Forums : Forum folder security evaluation https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Wed, 15 Apr 2026 12:28:22 +0000 Wed, 30 Nov 2005 22:58:37 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=17286 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[Forum folder security evaluation : Thanks JJLatWebWiz, dj air and...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94665.html#94665 Author: bhall007
Subject: 17286
Posted: 30 November 2005 at 10:58pm

Thanks JJLatWebWiz, dj air and dpyers, and everyone else for the responses. This is just the answer I was looking for. I really appreciate the great info, and I'm going to pass it along and try to implement this setup.

So, the IUSR_SiteName "anonymous" account ought to have read/write NTFS permissions on the private and upload (if you're using it) folders, and read on everything else?

Thanks!

]]> Wed, 30 Nov 2005 22:58:37 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94665.html#94665 <![CDATA[Forum folder security evaluation : bhall007 wrote:If you have...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94599.html#94599 Author: JJLatWebWiz
Subject: 17286
Posted: 29 November 2005 at 6:07pm

Originally posted by bhall007 bhall007 wrote:

If you have the database in another private folder outside the root web folder (i.e., C:\Inetpub\private\Website.com), how can you enable the user to upload files to the private folder via FTP?

Make sure you are not confusing the "database" and the "forum code"? The "database" is a single file, the one and only MDB file, and the "forum code" is the rest of the ASP, GIF, and JPG files and the folders. You don't want the users to upload or download or directly touch anything in the same folder as the database. When you use FTP with the credentials supplied by your host to upload files, you usually start at the highest folder that your host has granted you access, which is usually "above" your web root.

Here's a sample folder structure:

Everything in the wwwRoot folder and all subfolders is accessible directly from a web browser. If you know the name of the file in any of those folders, you can enter it into the browser address line and the web server will probably send it to the browser.

Everything outside the wwwRoot folder is a sibling or parent and the web server provides no direct method to access files therein. Files can be accessed above the web root via scripts or other programmatic objects (assuming the anonymous web user has permission). So, in the example above, logs, privatedb, stats, and uploads (not the same as forum/uploads) can only be accessed via a script. The uploads folder above the web root is in case I would want to enable anonymous FTP. You should NEVER (NEVER, NEVER, NEVER) allow anonymous FTP in ANY web folder.

If your private folder is a sibling or parent of the web root, then that is the best place for you forum's Access MDB. Remember, users are not uploading files to the database.

Originally posted by bhall007

bhall007 wrote:

Can you setup a virtual folder/shortcut in FTP that will allow a user to upload to that folder in FTP, but that is inaccessible through HTTP? Or will this have to be done by the administrator directly?

It would be best to not allow users to FTP files at all. Let web users use only the file upload functionality of WWF.

I hope I understood your questions correctly.

]]> Tue, 29 Nov 2005 18:07:20 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94599.html#94599 <![CDATA[Forum folder security evaluation : Most webhosts are set up the way...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94593.html#94593 Author: dpyers
Subject: 17286
Posted: 29 November 2005 at 5:30pm

Most webhosts are set up the way dj air said.

The problem with allowing users to ftp is that windows hosts don'ttypically support sub-ftp accounts tthat restrict users to be able toexecute ftp only on specific directories. You usually just have one ftpaccount - which allows ftp to any directory under your Username accountin dj airs example.

The work-around is to upload via a script which has access to theproper directory and you control the user's access to the upload scriptby requiring them to login to use it. Unix hosts usually allow sub-ftp.

Uploading via a script is no where near as efficient as ftp. Most hostswill limit your uploads via script to a 2Mb file. You can also run intoscript time-out issues.
]]> Tue, 29 Nov 2005 17:30:29 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94593.html#94593 <![CDATA[Forum folder security evaluation : ususally you have a set up where...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94565.html#94565 Author: dj air
Subject: 17286
Posted: 29 November 2005 at 2:12pm

ususally you have a set up where you have

Username
l
l
-- website (folder)
l
l
--Private (folder)

yu ussually login to ftp at username level so see both directories.

]]> Tue, 29 Nov 2005 14:12:27 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94565.html#94565 <![CDATA[Forum folder security evaluation : One last question: If you have...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94499.html#94499 Author: bhall007
Subject: 17286
Posted: 28 November 2005 at 11:10am

One last question: If you have the database in another privatefolder outside the root web folder (i.e.,C:\Inetpub\private\Website.com), how can you enable the user to uploadfiles to the private folder via FTP? Can you setup a virtualfolder/shortcut in FTP that will allow a user to upload to that folderin FTP, but that is inaccessible through HTTP? Or will this haveto be done by the administrator directly?

Thanks!
]]> Mon, 28 Nov 2005 11:10:36 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94499.html#94499 <![CDATA[Forum folder security evaluation : Thanks JJLatWebWiz and dypers...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94496.html#94496 Author: bhall007
Subject: 17286
Posted: 28 November 2005 at 10:17am

Thanks JJLatWebWiz and dypers for the great info. I'll pass thatalong to my web host and hope that we get it all tied up. Thanks!

Happy Holidays!

]]> Mon, 28 Nov 2005 10:17:18 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94496.html#94496 <![CDATA[Forum folder security evaluation : bhall007, your administrator is...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94466.html#94466 Author: JJLatWebWiz
Subject: 17286
Posted: 27 November 2005 at 8:18pm

bhall007, your administrator is not correct.

But first, to be clear, when I say "anonymous user" or "anonymous web user", I mean the "IUSR_myaccount" (the actual account name could be anything) that dpyers is talking about. I do not mean the anonymous NT "Guest" account. With inconsequential exceptions, all actions taken by IIS to satisfy a request from a web browser are done on behalf of the "IUSR_myaccount" NT account.

The only folders in which the anonymous web user MUST have write permission are the folders in which the Access MDB is stored and the uploads folder, if you allow uploads. Otherwise, "Read-Only" is best. No "writes" are taking place in any other folders by the anonymous web user, so the extra security is just that, "extra security".

As far as the hacker utilities that dpyers is talking about, I think there are a couple things that make today's hacker utilities more dangerous than 10 years ago, probably most notably is the ADODB.Stream that lets hackers upload files without counting on other COM objects like ASPUpload.]]> Sun, 27 Nov 2005 20:18:24 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94466.html#94466 <![CDATA[Forum folder security evaluation : I think you're getting confused...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94437.html#94437 Author: dpyers
Subject: 17286
Posted: 27 November 2005 at 1:10pm

I think you're getting confused between anonymous user and your scriptuser. In a normal shared hosting environment, there's three windowsaccounts involved in this discussion...

myaccount - The login account given you to administer and ftp to your web site
IUSR_myaccount - The account your asp scripts run under (IUSR = IIS User).
anonymous - typically an ftp account that allows anyone toftp to/from your web space without loggin in. Unless you want your siteto be used by others to host warez and porn on your bandwidth dime,never allow an anonymous ftp account.

Some web hosts have utilities that allow myaccount to change directory permissions for IUSR_myaccount. The other hosts require that you submit a trouble ticket and they change the permissions.

As JJLatWebWiz noted, IUSR_myaccount should only have read permissions by default. If write permissions are needed for a specific directory, either a myaccount utility or the web host needs to set them to allow the IUSR_myaccount user (your script) to write.

So why do some web host allow read/write permissions for IUSR_myaccount by default? Typically, it's done for financial reasons rather than security reasons.

If IUSR_myaccount has read/write permissions by default,they don't get trouble tickets and complaints from new users saying "myscript don't work"
They don't lay out cash for a utility that allows myaccount to set IUSR_myaccount permissions (Those utilities have their own set of security problems also).
They dont spend time on trouble tickets asking for permission changes.

When your hosting provider is talking about "anonymouse user", he's really talking about the script user - IUSR_myaccount.If they allow the script user to write by default, it's for theirconvenience - not because your site is secure. Time to shop for anew host.

P.S. - I've got three hacker programs that do what JJLatWebWizdescribed - one of them I wrote in VB2 using the windows api about 10years ago so it's not like this is a new security risk.

]]> Sun, 27 Nov 2005 13:10:38 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94437.html#94437 <![CDATA[Forum folder security evaluation : So, is the administrator of my...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94368.html#94368 Author: bhall007
Subject: 17286
Posted: 26 November 2005 at 12:16pm

So, is the administrator of my hosting provider correct in that anonymous shouldhave write access in the forum folder? If anonymous users onlyhaveread-only access, does the forum software run as another user on alower level when it actually writes changes to the database, etc? If anonymous users are denied write access, then how can they writechanges, etc.? What are the ACL NTFS permissions that should begranted to anonymous? (i.e., Read...)
]]> Sat, 26 Nov 2005 12:16:13 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94368.html#94368 <![CDATA[Forum folder security evaluation : bhal007, your host's response...]]> https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94355.html#94355 Author: JJLatWebWiz
Subject: 17286
Posted: 26 November 2005 at 1:28am

bhal007, your host's response is probably pretty typical. They are confusing "means" with "permission". As a webmaster, we must assume that a hacker will eventually find a means to upload files. When that happens, it may be only permissions that protect your site.

Generally speaking, the forum and all file accesses, whether HTML, JPG, GIF, or ASP, are served in the NT user context of the anonymous web user. When the IIS process attempts to do anything on the server, it's doing it on behalf of the anonymous web user. It's good for the integrity of your files that each site sharing the same server has its own unique user account. That's an important step. But, the anonymous web user on all sites is also a member of the "Everyone" group. And the default permissions on the c:\, c:\windows\, and c:\windows\system32\ folders allow full control by "Everyone". Some hosts wrongly assume that those folders are safe because a web user can only browse folders defined by IIS as web folders.

That's a very dangerous assumption, because it's entirely not true. No web browser could enter "www.somedomain.com/c:\windows\system32\" to produce a list of files in that folder. But, there are some very dangerous hacker tools out there that do just that. I've used such a hacker utility in the form of a single ASP file to upload files to a host's c:\windows\system32\ folder (with their permission). By having appropriate permissions set on your folders, your site would probably be up and running in a few days after the host gets their server running again.

I would respond to your host with a thanks for their advice, but you would like to have the permissions on all folders except the uploads folder in your webspace set to "Read Only" for the anonymous web user account. If they won't do it, I would consider looking for another host who will. The best is a host that lets you set permissions yourself. There are probably several users here who can recommend a such a host.]]> Sat, 26 Nov 2005 01:28:50 +0000 https://forums.webwiz.net/forum-folder-security-evaluation_topic17286_post94355.html#94355