Best practices for IIS7 security

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

Post here for help with installation of mojoPortal pre-compiled release packages

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
9/22/2010 5:49:28 AM
Gravatar
Total Posts 249

Best practices for IIS7 security

Well, i am new to IIS7.5 and i found it *very* confusing.

I am used to have IUSR_server as the anonymous user, and IWAM_server as the application working process user, and give the appropriate permissions to read and write to the folder.

But this seems to be different

Every application pool can be run under an user. I selected "network service" for the working process, and the same for the anonymous user.

Is that right?

And when I configure the RW permissions, i give to the network service the appropriate rights... right?

9/22/2010 7:05:33 AM
Gravatar
Total Posts 18439

Re: Best practices for IIS7 security

IUSR should remain as the anonymous user and I "think" it only needs read permissions anywhere, I never have had to change permissions for IUSR

The user that is the identity on the application pool is the user who needs permissions, NETWORK SERVICE is commonly used but it can be more secure to use a different user and app pool for each site with least needed permissions. So whatever the user identity on the app pool that is the one who should have read access to the whole web, and read/write/modify on /App_Data and /Data. If the user can still write to other folders after that then you can go back to the root folder and add deny write in file system permissions.

Hope it helps,

Joe

9/22/2010 9:58:17 AM
Gravatar
Total Posts 249

Re: Best practices for IIS7 security

I found this page very interesting http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/

I feel very strange, because I configured my system like this:

System: Full Control

Administrator: Full Control

IUSR: Read Only

Creator Owner: Full Control

 

But, asp.net apps are able to write on the disk...

Later I will try better...

You must sign in to post in the forums. This thread is closed to new posts.