Last post Sep 13, 2007 10:13 AM by OWScott
Sep 07, 2007 07:48 PM|kahanu
I'm trying to prevent hosting customers on Drive E: from reading files and folders on drive C:.
I've denied access to the group of users belonging to the web hosting customers and it works in Classic ASP, but not in PHP. PHP scripts can still read the c: drive.
What are the permissions set on the C: drive to prevent unauthorized access?
Sep 13, 2007 10:13 AM|OWScott
The ideal configuration is to give each site their own app pool and to set a custom anonymous user per site and a custom user identity on the app pool. This will ensure that all access to disk is under that custom user that you set. Then you only give those custom users permissions to their site content and nothing else.
HTML, PHP, ASP, ASP.NET and different tasks within each will run as either the app pool identity user or the anonymous user (or authenticated user if the anonymous user is disabled). So, if you have multiple sites in one app pool, that whole group of them will have more permissions than they need since you'll need to give all of them access together. That's why the 1-to-1 of site to app pool mapping is ideal.
There are other things to consider too, so I recommend checking out www.iis.net (the blogs, forums and other resources), finding a hosting whitepaper and reading up on that. Hosting untrusted sites takes care so that you don't leave something open that you're unaware of.
I hope that helps.
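
The per-site isolation described in the answer above, as an added example that is not part of the original posts. It assumes IIS 7 or later with the WebAdministration PowerShell module; the site name, content path and the two local account names are hypothetical, and the accounts are assumed to exist already with no group memberships that grant other disk access.

```powershell
# Added example, not from the thread. Hypothetical names throughout.
Import-Module WebAdministration

$site     = 'customer1'              # hypothetical site name
$root     = 'E:\Sites\customer1'     # hypothetical content folder
$poolUser = 'cust1_pool'             # hypothetical app pool identity
$anonUser = 'cust1_anon'             # hypothetical anonymous user
$poolCred = Get-Credential -UserName $poolUser -Message 'App pool identity'
$anonCred = Get-Credential -UserName $anonUser -Message 'Anonymous user'

# 1. One app pool per site, running as its own custom identity
#    (identityType 3 = SpecificUser).
New-WebAppPool -Name $site
Set-ItemProperty "IIS:\AppPools\$site" -Name processModel -Value @{
    identityType = 3
    userName     = $poolUser
    password     = $poolCred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value $site

# 2. Custom anonymous user, scoped to this site only.
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $filter -Name userName -Value $anonUser
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $filter -Name password -Value $anonCred.GetNetworkCredential().Password

# 3. NTFS: both accounts get read/execute on this site's content and nothing else.
icacls $root /grant "${poolUser}:(OI)(CI)RX" "${anonUser}:(OI)(CI)RX"

# 4. Check the 1-to-1 mapping: list any app pool used by more than one site.
#    Only each site's root application is inspected here.
Get-ChildItem IIS:\Sites |
    Group-Object applicationPool |
    Where-Object Count -gt 1 |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Name -join ', ') }
```

Step 4 prints nothing when every site has its own pool; any line it does print names a pool whose sites share one identity and therefore one set of disk permissions.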