Win2k Web Server Permissions

Poontos

Platinum Member
Mar 9, 2000
In my recent research to lockdown the system drive ($\winnt), I came across this
MSKB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q271071

Which on a fresh install of 2K, IIS5, and all patches, breaks ASP with the
following:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 08/07/2002
Time: 5:43:28 PM
User: Server\IWAM_Server
Computer: Server
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINNT\SYSTEM32\DLLHOST.EXE
New Handle ID: -
Operation ID: {0,83610}
Process ID: 472
Primary User Name: Server$
Primary Domain: NETONE
Primary Logon ID: (0x0,0x3E7)
Client User Name: IWAM_Server
Client Domain: Server
Client Logon ID: (0x0,0x1467E)
Accesses ReadAttributes

Privileges -




Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 08/07/2002
Time: 5:43:28 PM
User: Server\IWAM_Server
Computer: server
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINNT\TEMP
New Handle ID: -
Operation ID: {0,83602}
Process ID: 472
Primary User Name: Server$
Primary Domain: NETONE
Primary Logon ID: (0x0,0x3E7)
Client User Name: IWAM_Server
Client Domain: Server
Client Logon ID: (0x0,0x1467E)
Accesses ReadAttributes

Privileges -


So I went as far as giving IWAM almost full control to the temp folder and RX to
dllhost.exe, on top of the instructions.

Does anyone have a solid C$: (Sys drive) file system permissions guideline for a Win2k Web
Server utilizing some ASP and database domains/webs?

Thanks!
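The two failure audits above are the signal that tells you which grants are actually missing. Below is an added example (not from this thread or from Microsoft) that parses exported Event ID 560 failure audits in the label/value layout quoted above and reduces them to "which account was denied which access on which object", so the minimal ACL can be derived from the log instead of guessed; the sample log is constructed from the two records in the post and trimmed to the fields the parser uses.

```python
import re

# Constructed sample: two Event ID 560 failure audits, trimmed to the fields used
# here, in the layout the thread quotes (records separated by a blank line).
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 560
User: Server\\IWAM_Server
Object Type: File
Object Name: C:\\WINNT\\SYSTEM32\\DLLHOST.EXE
Client User Name: IWAM_Server
Accesses ReadAttributes

Event Type: Failure Audit
Event ID: 560
User: Server\\IWAM_Server
Object Type: File
Object Name: C:\\WINNT\\TEMP
Client User Name: IWAM_Server
Accesses ReadAttributes
"""

LABELLED = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # "Object Name: C:\..."
BARE = re.compile(r"^(\S+)\s+(\S.*)$")                      # "Accesses ReadAttributes"

def parse_events(text):
    """Split an exported Security log into one dict per event record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last:   # indented continuation, e.g. a second access right
                rec[last] += " " + line.strip()
                continue
            m = LABELLED.match(line) or BARE.match(line)
            if m:
                last = m.group(1).strip()
                rec[last] = m.group(2).strip()
        events.append(rec)
    return events

def denied_access(text):
    """Map (client user, object) -> sorted access rights denied in 560 failure audits."""
    needed = {}
    for ev in parse_events(text):
        if ev.get("Event ID") == "560" and ev.get("Event Type") == "Failure Audit":
            key = (ev.get("Client User Name", "?"), ev.get("Object Name", "?"))
            needed.setdefault(key, set()).update(ev.get("Accesses", "").split())
    return {k: sorted(v) for k, v in needed.items()}
```

Each key in the result is one ACE you may need to add (here: ReadAttributes for IWAM_Server on DLLHOST.EXE and on C:\WINNT\TEMP); grant only the listed rights, re-run the audit, and repeat until the failures stop.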
 

Thor86

Diamond Member
May 3, 2001
ASPs and environment variables are a pain. Not only do you need to give your Winnt/temp and Winnt/system32 folders permission, but also your Program Files/Common Files/ODBC permissions as well, depending on what you are trying to do.

Lots and lots of info on the MS site, but I can tell you from ASP experience, make sure that the IWAM and IUSER accounts have only read/execute access, and CHANGE access to the TEMP folder only.
 

Poontos

Platinum Member
Mar 9, 2000
Thank you for the info, but I was already aware of your points. :D I am looking for a hardcore breakdown of what secure permissions will allow ASP, databases, Web Serving, etc. to still function.

Thank you!
 

DAM

Diamond Member
Jan 10, 2000
I am not sure what you're asking, but I usually do not set the whole hard drive under some sort of permission; the folder where I keep the ASP dbs I just have it for read/exec, and write just for that folder.




dam()
 

Poontos

Platinum Member
Mar 9, 2000
Originally posted by: DAM
I am not sure what you're asking, but I usually do not set the whole hard drive under some sort of permission; the folder where I keep the ASP dbs I just have it for read/exec, and write just for that folder.
I want to lockdown the system drive (the neat one with WINNT on it). By default Everyone has full control at the root of the drive and is pretty much propagated down by default, except for several directories & files.

So basically what I am asking and looking for is an in-depth breakdown of what permissions need to be added after I flush out the Everyone group and add only Admin = Full & System = Full on the system drive. My webs are on a totally different partition, as they should be, so they are not affected, as they work fine. MS's guide provided in my link above does not allow ASP to work (see my error messages).


Thanks.






 

Saltin

Platinum Member
Jul 21, 2001
I want to lockdown the system drive (the neat one with WINNT on it). By default Everyone has full control at the root of the drive and is pretty much propagated down by default, except for several directories & files.

Poontos, the ACL on the root of C by no means propagates down the entire file structure. Generally, it is not a good idea to mess with root drive permissions.

You will note that Program Files, Winnt, etc. are all more granular. You will also do serious damage to user profiles in the Documents and Settings folder if you propagate the permissions from the root drive all the way through the structure. Trust me on this one. I've made the mistake.
 

bignick

Senior member
Apr 30, 2001
In order for a lot of programs to work for users (i.e. the IUSR account), users need the following permissions:

'modify' to all folders in %systemroot% (i.e. c:\winnt)
'modify' to all odbc folders in common in the program files folder


Note: these changes are to folders only, not files. Also, if your apps don't require users to run common applications (i.e. ping, ipconfig, arp, etc.), then remove their rights from those files.
 

Poontos

Platinum Member
Mar 9, 2000
Originally posted by: Saltin
I want to lockdown the system drive (the neat one with WINNT on it). By default Everyone has full control at the root of the drive and is pretty much propagated down by default, except for several directories & files.

Poontos, the ACL on the root of C by no means propagates down the entire file structure. Generally, it is not a good idea to mess with root drive permissions.

You will note that Program Files, Winnt, etc. are all more granular. You will also do serious damage to user profiles in the Documents and Settings folder if you propagate the permissions from the root drive all the way through the structure. Trust me on this one. I've made the mistake.
No mistake to be made with profiles, docs & settings, as the Administrator will be the only account logging on locally. No user profiles to worry about. This is a web server.

If not the Everyone group, then accounts that I do not want to have access to \Winnt etc. The default ACL on the root of C: is VERY LAX, default pretty much anything in Win2K is VERY LAX. If no one has a definitive answer in here, then I will continue on fighting through until I have established a template. No worries.

Bignick,

IUSR account needs modify on all of Winnt on folders only? You sleep at night with this setup?

Non-admin accounts have no rights to cmd, ping, ftp, etc.

Thanks.