March 8th, 2006, 10:35 PM
Don't neg me! This is all white hat, pro-security stuff.
Here's the situation:
One of our clients has a site set up within IIS, and each of their clients has a username/login and virtual directory all their own within the one site.
Problem is, if you're logged in, all you have to do is move up a directory to see everyone else's directory, so it's not the least bit secure.
The solution to this is to have isolation turned on. However, you can only activate isolation when creating the site; it is impossible to activate isolation after creation of the site, so supposedly the only way to resolve this blatant security hole is to delete the entire site (which is loaded with a good many of their clients' virtual directories that they FTP into), subdirectories and all, and recreate the whole thing from scratch. Yeah, not exactly practical.
However, I've been told that there are some registry hacks that will allow you to turn on isolation post-creation. So question is: Has anyone heard of this and may be familiar with it? Is there truly a way to hack IIS so that you can set up isolation, thus disallowing users from seeing other users' directories, without having to recreate the entire dang site?