-
March 8th, 2006, 11:35 PM
#1
Hacking IIS
Don't neg me! This is all white hat, pro-security stuff.
Here's the situation:
One of our clients has a site set up within IIS, and each of their clients has a username/login and virtual directory all their own within the one site.
Problem is, if you're logged in, all you have to do is move up a directory to see everyone else's directory, so it's not the least bit secure.
The solution to this is to have isolation turned on. However, you can only activate isolation when creating the site; it is impossible to activate isolation after creation of the site, so supposedly the only way to resolve this blatant security hole is to delete the entire site (which is loaded with a good many of their clients' virtual directories that they FTP into), subdirectories and all, and recreate the whole thing from scratch. Yeah, not exactly practical.
However, I've been told that there are some registry hacks that will allow you to turn on isolation post-creation. So question is: Has anyone heard of this and may be familiar with it? Is there truly a way to hack IIS so that you can set up isolation, thus disallowing users from seeing other users' directories, without having to recreate the entire dang site?
-
March 8th, 2006, 11:39 PM
#2
Back up... Delete the folder structure... restore... apply the appropriate permissions to the user(s)... relax... Only use a basic backup program that doesn't back up the current ACL's...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 8th, 2006, 11:45 PM
#3
But M$ says no, no, don't do that, bad admin!
After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.
So it's basically saying you better not make any changes without totally deleting the site. Are they just being too stiff about it or what?
LINK
-
March 8th, 2006, 11:49 PM
#4
I'm sorry.. I thought I said delete the whole damn thing....
I must be getting old...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 8th, 2006, 11:51 PM
#5
Oooh ok, so you're saying backup folder structure, delete entire site, recreate site, then restore folder structure, right?
Yeah...I caught that the first time, I was just...um...testing you...
-
March 9th, 2006, 12:15 AM
#6
OK... Maybe I wasn't clear about getting rid of the site...
I'd actually uninstall IIS and reinstall... It only takes 5 mins to do... But it puts you back at "ground zero" so to speak...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 9th, 2006, 08:49 PM
#7
Maybe I'm missing something but, if they are logging why can't you restrict them using NTFS rights on the users folders?
It is not the prettiest way but I am doing this on one of my servers and it works with no problems.
Work... Some days it's just not worth chewing through the restraints...
-
March 9th, 2006, 08:50 PM
#8
Maybe I'm missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?
It is not the prettiest way but I am doing this on one of my servers and it works with no problems.
Work... Some days it's just not worth chewing through the restraints...
-
March 9th, 2006, 10:00 PM
#9
Maybe I'm missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?
I was actually wondering the same thing. If that works, why does MS insist upon it being impossible to change isolation after creation? Why can't you just go in and change NTFS permissions?
-
March 9th, 2006, 11:23 PM
#10
I have not tried this with 2003 but I know it works with 2000. Give it a try.
Work... Some days it's just not worth chewing through the restraints...
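The NTFS-permission approach suggested in posts #7 to #10, written out as an added example that is not part of the original thread or anyone's posted code. It assumes a hypothetical FTP root `D:\FtpRoot`, that each subfolder is named after the local Windows account that owns it, and a system with PowerShell 3 or later; without `-Apply` it only reports what it would change.

```powershell
# Added example: give each FTP home folder an ACL that names only its owner.
# Assumptions (not from the thread): the $FtpRoot path, and that every
# subfolder name equals the local account name of the user who owns it.
param(
    [string]$FtpRoot = 'D:\FtpRoot',   # hypothetical path
    [switch]$Apply                     # without -Apply, report only
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
        $inherit, $prop, $allow)
}

foreach ($dir in Get-ChildItem -LiteralPath $FtpRoot -Directory) {
    $user = "$env:COMPUTERNAME\$($dir.Name)"

    # Skip folders that have no matching account instead of guessing.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($user)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for folder '$($dir.Name)'; left unchanged"
        continue
    }

    # Build a fresh DACL: no inherited entries, so access granted on the
    # parent (for example to Users or Everyone) does not flow into the folder.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-Rule $user                    'Modify'))

    if ($Apply) {
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        Write-Output "Applied: $($dir.FullName) -> $user (Modify)"
    } else {
        Write-Output "Would apply: $($dir.FullName) -> $user (Modify)"
    }
}
```

With these ACLs a user who moves up a directory can still see the other folder names in the parent listing but cannot open them; hiding the names as well is what FTP user isolation adds.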