"Full trust" installations are safe to give to anyone?

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
9/22/2010 10:18:04 AM
Magnetic_dud
Gravatar
Total Posts 251
View Posts

"Full trust" installations are safe to give to anyone?

A client of my company said that they like our mojoportal-based website and wanted to have the same. I instructed them to rent some space and install mojoportal, but they did not understand how to do (as they have a static website made with frontpage)

So, the company "boss" proposed to give them space on our server.

I never did "hosting" and I am not an expert - I just keep a relatively low volume website with no troubles - so, this is my question:

If I give them a "ready-to-use" mojoportal installation, without ftp access, will it be dangerous if it is a "full trust" installation, or, since they cannot write anywhere except in the /data/ folder that is not executable, they cannot run harmful programs on my server?

9/22/2010 10:42:34 AM
Joe Davis
Gravatar
Total Posts 2239
View Posts

Re: "Full trust" installations are safe to give to anyone?

Hi,

While I don't think it is a great idea to just go hosting sites for other people/companies, you have to do what the "boss" requested.

Full-trust will be fine as long as you take a few steps to ensure the site is secure and isolated.

  1. Create a unique Application Pool for the site.
  2. Create a unique local user account on your web server. Do not put this user in any groups. Use this account for the Application Pool identity and the website user.
  3. Create a directory for the website that is not under your website directory and only allow only the unique user access to the directory. Of course, you will want an admin account on the directory for management purposes.
  4. Ensure the unique user can only write data to the App_Data and Data directories in the client's site directory and that those directories are not executable.

That should take care of it.

HTH,
Joe D.

You must sign in to post in the forums. This thread is closed to new posts.