Hacking IIS

[AngelicKnight]

Don't neg me! This is all white hat, pro-security stuff.

Here's the situation:

One of our clients has a site set up within IIS, and each of their clients has a username/login and virtual directory all their own within the one site.

Problem is, if you're logged in, all you have to do is move up a directory to see everyone else's directory, so it's not the least bit secure.

The solution to this is to have isolation turned on. However, you can only activate isolation when creating the site; it is impossible to activate isolation after creation of the site, so supposedly the only way to resolve this blatant security hole is to delete the entire site (which is loaded with a good many of their clients's virtual directories that they FTP into), subdirectories and all, and recreate the whole thing from scratch. Yeah, not exactly practical.

However, I've been told that there are some registry hacks that will allow you to turn on isolation post-creation. So question is: Has anyone heard of this and may be familiar with it? Is there truly a way to hack IIS so that you can set up isolation, thus disallowing users from seeing other users' directories, without having to recreate the entire dang site?

[Tiger Shark]

Back up... Delete the folder structure... restore... apply the appropriate permissions to the user(s)... relax... Only use a basic backup program that doesn't back up the current ACL's...

[AngelicKnight]

But M$ says no, no, don't do that, bad admin!

After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.

So it's basically saying you better not make any changes without totally deleting the site. Are they just being too stiff about it or what?

LINK

[Tiger Shark]

I'm sorry.. I thought I said delete the whole damn thing....

I must be getting old...

[AngelicKnight]

Oooh ok, so you're saying backup folder structure, delete entire site, recreate site, then restore folder structure, right?

Yeah...I caught that the first time, I was just...um...testing you...

[Tiger Shark]

OK... Maybe I wasn't clear about getting rid of the site...

I'd actually uninstall IIS and reinstall... It only takes 5 mins to do... But it puts you back at "ground zero" so to speak...

[mmelby]

Maybe Im missing something but, if they are logging why can't you restrict them using NTFS rights on the users folders?

It is not the prettiest way but I am doing this on one of my servers and it works with no problems.

[mmelby]

Maybe Im missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?

It is not the prettiest way but I am doing this on one of my servers and it works with no problems.

[AngelicKnight]

Maybe Im missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?

I was actually wondering the same thing. If that works, why does MS insist upon it being impossible to change isolation after creation? Why can't you just go in and change NTFS permissions?

[mmelby]

I have not tried this with 2003 but I know it works with 2000. Give it a try