
IIS security issue

oddyager

Diamond Member
Funky problem here. We have people who are able to read the source code of web apps that were developed even though from the global config (default web site) and even local settings the field "Script Source Access" is disabled. The "Read" field is enabled and so is Log Visits. Is there another setting that overrides this?

Thanks.
 
Do you know the process they are going through to read the source to the web apps (i.e. through webdav, a network share on the server, etc.)? You may be looking in the wrong place.

In the NTFS ACL, who has read privileges to the files?
 
Sorry about that. They are going through MS Visual Studio.net 02 and 03 and Visual Studio 6.0. The web apps are placed in the inetpub/wwwroot folder and the NTFS permissions for that are set to allow only admins full control (the users should be looking at them with the iusr_hostname account, which shouldn't have admin rights) and the other users have Read access only.
 
Hmm, good question and I'm not sure. I'll have to check with them on that. What would be the difference between the two in terms of user permissions and rights?
 
If they are using a UNC path it means they are using a regular Windows share, so either the share privileges or the NTFS privileges will need to be locked down.

If they are using an HTTP path it means they are (most likely) running over WebDAV. You could either disable WebDAV (in the event that you aren't using it) or lock down the NTFS privileges.

Generally, when your web content is getting accessed with an anonymous account you need only grant privileges on the files to your administrative users and your anonymous account.
 
Well, it looks like HTTP. They sent me a screenshot and from what I can see, there is an option (via Web Project Wizard) to Connect to an existing Web application on blahblah.domain.com and there's a drop-down list of all the apps under the inetpub/wwwroot folder. Clicking on any one of them and hitting Finish opens up the app with its code.
 
Actually I can give you the exact steps the users have taken:

Via Visual Studio (using Visual InterDev 6.0), they click on New Web Project. From there it prompts for a server name, so they put in the HTTP address of blablah.domain.com and they leave Master mode on. This connects to the server and from there it offers a drop-down menu of all available apps.

Of course the obvious question is, since they have this software, should it entitle them to edit apps? Or shouldn't this prompt for some credentials in order for a user (with this software) to connect to those apps?

EDIT: I'm starting to think this may have something to do with WebDAV? Since it allows people to read/write to remote web servers it makes some sense. However, I have no idea where to even begin to check if it's installed. I went to Add/Remove Windows Components and looked through and did not find WebDAV.
 
Go to Add/Remove Windows Components, Application Server | Internet Information Services | World Wide Web Service | WebDAV Publishing to remove it. You can also check and see if it's installed in the Internet Information Services Manager snap-in in the MMC under Web Service Extensions.
 
Hmm, I checked Add/Remove Windows Components and don't see Application Server. I looked through IIS details also and did not see WebDAV. I guess that means it's not installed? One person mentioned that because VS InterDev is installed it allows the user full access to whatever web server is on the WAN (regardless of which LAN it's on) and there is no way to lock it down other than removing the program. There has to be a way. I mean, the software has to attempt to authenticate to the web server through some kind of credential (I keep thinking it's WebDAV, but since no visible trace of it can be found I'm not so sure now)... hmmm.
 
WebDAV has another name: FrontPage 2000 Server Extensions. Look under Internet Information Services again and you should see it. The description says: Enables authoring and administration of websites with Microsoft FrontPage and Visual InterDev.
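Since the original poster has "Log Visits" enabled, the IIS logs can confirm whether source is being pulled over WebDAV or the FrontPage Server Extensions authoring endpoints discussed above. The script below is an added example, not code from this thread; it parses IIS W3C extended log lines (a constructed sample is embedded) and flags WebDAV-only methods and requests to the FPSE authoring paths, reporting the client IP and account responsible.

```python
"""Flag WebDAV and FrontPage/Visual InterDev authoring requests in IIS W3C logs."""
import re

# Methods only a WebDAV client issues; a plain browser never sends these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# FrontPage Server Extensions authoring endpoints used by FrontPage and Visual InterDev.
FPSE_PATTERN = re.compile(r"/_vti_bin/_vti_aut/|/_vti_bin/shtml\.dll|/_vti_inf\.html", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per log entry, taking column names from the '#Fields:' directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def classify(entry):
    """Return 'webdav', 'fpse' or None for one parsed entry."""
    if entry.get("cs-method", "").upper() in WEBDAV_METHODS:
        return "webdav"
    if FPSE_PATTERN.search(entry.get("cs-uri-stem", "")):
        return "fpse"
    return None

def authoring_hits(lines):
    """Return (kind, client ip, user, method, path) for each authoring-style request."""
    hits = []
    for e in parse_w3c(lines):
        kind = classify(e)
        if kind:
            hits.append((kind, e.get("c-ip"), e.get("cs-username"), e.get("cs-method"), e.get("cs-uri-stem")))
    return hits

# Constructed sample log in IIS 6.0 W3C format; not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 09:12:01 10.0.0.15 - 10.0.0.5 GET /app1/default.asp - 200
2004-03-01 09:12:09 10.0.0.22 DOMAIN\\jdoe 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 200
2004-03-01 09:13:44 10.0.0.22 DOMAIN\\jdoe 10.0.0.5 PROPFIND /app1/ - 207
2004-03-01 09:14:02 10.0.0.31 - 10.0.0.5 GET /app2/login.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in authoring_hits(SAMPLE_LOG):
        print(hit)
```

Any hit from an account other than the intended authors points at the NTFS ACLs or the installed extension to tighten, and removing FrontPage Server Extensions/WebDAV should make the hits stop entirely.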
 