w3wp.exe process and file access

 
johndoe1

External


Since: Mar 18, 2004
Posts: 11



(Msg. 1) Posted: Fri Mar 19, 2004 2:00 am
Post subject: w3wp.exe process and file access
Archived from groups: microsoft>public>inetserver>iis

I am looking for some information regarding file access control for IIS
6.0 on Windows 2003 and ISAPI Filters. What process does an ISAPI filter run
under normally and how could one go about limiting access to what as a whole
or per ISAPI filter can access.
The current ISAPI filter in question is PHP4. Currently it is set up to
run as an ISAPI filter and because of this it is capable of accessing any
part of the website. Now I can set a base directory in the PHP config
however if I were to set say C:\inetpub\wwwroot\ as the base directory then
nobody could get out of there but they could peek at each other's stuff. I
was thinking along the lines of being able to cut off access to
C:\inetpub\wwwroot\ (the base directory that only contains children
directories) so that the ISAPI filter could access C:\inetpub\wwwroot\bleah\
but could not access C:\inetpub\wwwroot\.
Does any of this make sense? Or is any of it possible? Any help or
direction would be greatly appreciated.

someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 2) Posted: Fri Mar 19, 2004 3:21 am
Post subject: Re: w3wp.exe process and file access
Archived from groups: per prev. post

Your question is about how to isolate one app from another. This has
nothing to do with limiting access of an ISAPI, etc -- it is quite futile to
do that because by definition, it is arbitrary code you implicitly trust by
configuring it. You can control the identity that the ISAPI runs as,
though...

As far as app isolation is concerned, there are only two identities you need
to worry about, and you control configuration for both:
1. The process identity
2. The impersonated identity

Thus, to isolate one app from another, you configure each application with
its own Application Pool that has a different process identity, and make
sure that the impersonated identity used on access for each application is
different. In other words:
1. Create four users -- AppPoolUserA, AppPoolUserB, AnonUserA, AnonUserB
2. Set up two AppPools --
   - AppPoolA with process identity of AppPoolUserA
   - AppPoolB with process identity of AppPoolUserB
3. Set up two applications --
   - /AppA pointing to C:\inetpub\wwwroot\AppA using Anonymous
     authentication, anon user is AnonUserA, and using AppPoolA
   - /AppB pointing to C:\inetpub\wwwroot\AppB using Anonymous
     authentication, anon user is AnonUserB, and using AppPoolB
4. ACL content under --
   - C:\inetpub\wwwroot\AppA to AppPoolUserA and AnonUserA
   - C:\inetpub\wwwroot\AppB to AppPoolUserB and AnonUserB

Now, when someone accesses /AppA, no matter what it does, it can only run as
either AnonUserA or AppPoolUserA (if code manages to call RevertToSelf).
Neither identity has read access to C:\inetpub\wwwroot\AppB, so you have
just locked the user of /AppA to only directories that its identity can
access.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
user1375

External


Since: Feb 03, 2004
Posts: 423



(Msg. 3) Posted: Fri Mar 19, 2004 2:15 pm
Post subject: Re: w3wp.exe process and file access
Archived from groups: per prev. post

In IIS, web applications are site/directory based.

Looks like your scenario is different users have their own directories
under C:\inetpub\wwwroot\. Then it makes sense that you can create all
these directories as different applications: open a directory's
properties->Directory tab, click Create.

Then create several new application pools and isolate the
applications above into those pools.

As David said, the next step is to configure the app pools to run
under different accounts. The process identifier is set in an app
pool's properties->Identity tab. Default one is Network Service. The
problem is you may need to clone some new 'Network Service' accounts,
per account only has NTFS permission on one directory.

There are several kinds of necessary permissions of an IIS's process
ID. Take a look at the following article:
INFO: Default Permissions and User Rights for IIS 6.0
http://support.microsoft.com/?id=812614

A shortcut is adding the new account to IIS_WPG group (including
Network Service) and grant Adjust memory quotas for a process, Logon
as a service and Replace a process level token permissions (which
Network Service has) to it.

For thread identity, when anonymous access is allowed, it's just the
anonymous account specified in Directory Security->Authentication and
access control (default one is IUSR_<MachineName>). You would need to
clone several 'IUSR' in the same way (review the article above to
check an IUSR's necessary permissions).

And don't forget to remove IIS_WPG from Inetpub\wwwroot.

If you have further questions, please update here. You are always
welcome.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
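
A check for the result of the steps in this thread, as an added example that is not part of any poster's message: it flags Allow ACEs on an application directory that are granted to anything other than that application's own two accounts, such as another app's identity or the shared IIS_WPG group. The account and directory names are the ones used above; MYHOST, the sample ACEs, the ignored administrative principals and the function names are assumptions made for illustration.

```powershell
# Added example (not from the thread). MYHOST and the sample ACEs are constructed.
# Accounts each application directory is expected to grant access to.
$Expected = @{
    'C:\inetpub\wwwroot\AppA' = @('AppPoolUserA', 'AnonUserA')
    'C:\inetpub\wwwroot\AppB' = @('AppPoolUserB', 'AnonUserB')
}
# Administrative principals the check ignores (assumption; adjust to local policy).
$Admin = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Find-IsolationGap {
    param(
        [string]$Path,       # application directory being checked
        [object[]]$Aces,     # (Get-Acl $Path).Access, or objects of the same shape
        [string[]]$Allowed   # account names expected on this directory
    )
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $id = "$($ace.IdentityReference)"
        if ($Admin -contains $id) { continue }
        $name = $id.Split('\')[-1]   # drop the DOMAIN\ or MACHINE\ prefix
        if ($Allowed -notcontains $name) {
            # Another app's account, or a shared group such as IIS_WPG or Users.
            New-Object PSObject -Property @{
                Path = $Path; Identity = $id; Rights = "$($ace.FileSystemRights)"
            }
        }
    }
}

# Builds a constructed ACE with the three properties the check reads.
function New-SampleAce($Identity, $Rights, $Type = 'Allow') {
    New-Object PSObject -Property @{
        IdentityReference = $Identity; FileSystemRights = $Rights; AccessControlType = $Type
    }
}
$SampleAcls = @{
    'C:\inetpub\wwwroot\AppA' = @(
        (New-SampleAce 'BUILTIN\Administrators' 'FullControl'),
        (New-SampleAce 'MYHOST\AppPoolUserA' 'ReadAndExecute'),
        (New-SampleAce 'MYHOST\AnonUserA' 'ReadAndExecute'))
    'C:\inetpub\wwwroot\AppB' = @(
        (New-SampleAce 'MYHOST\AppPoolUserB' 'ReadAndExecute'),
        (New-SampleAce 'MYHOST\AnonUserB' 'ReadAndExecute'),
        # Shared group left on the directory: every pool account in IIS_WPG can read AppB.
        (New-SampleAce 'MYHOST\IIS_WPG' 'ReadAndExecute'))
}
foreach ($path in $Expected.Keys) {
    # On a live server, pass (Get-Acl $path).Access instead of $SampleAcls[$path].
    Find-IsolationGap -Path $path -Aces $SampleAcls[$path] -Allowed $Expected[$path]
}
```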
johndoe2

External


Since: Mar 19, 2004
Posts: 1



(Msg. 4) Posted: Fri Mar 19, 2004 2:15 pm
Post subject: Re: w3wp.exe process and file access
Archived from groups: per prev. post

Thank you very much. That was the information I was looking for, I believe. I will post back with my results or if I have any more questions.