Web server read write permissions

Allowing a VLE on a web server to connect to a data server on same network.

         

Bolad

11:32 pm on Oct 2, 2007 (gmt 0)

10+ Year Member



First off, I am a graphic designer who is more used to an Apple environment, so please be gentle with me. I am setting up a website, intranet and VLE (virtual learning environment) for a local school. The VLE we are using is Moodle, which is a PHP-based system, and the web server is Windows Server 2003 running IIS6 and the latest versions of PHP and MySQL.
My problem is this: whilst installing Moodle, we have placed the moodledata folder, the folder where Moodle stores all its users' uploaded files, onto a separate data server which is on the same internal network. Unfortunately, the installation won't progress any further because it says the user (the web server) needs to have read write permissions so that Moodle can use the folder on the data server. The only way we have figured to do this is to add the web server as a domain controller in Active Directory so that it is visible to the data server. We are of course hesitant to do this because of any possible security implications.
Is this the only way to do it? If so, will the data on other servers in the network stay totally secure from outside attack? Let me know if I have not been totally clear on any point and I will try to elaborate.
Any help or guidance in this matter would be invaluable to us, please help.

mattur

1:03 pm on Oct 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Been a while since I've configured IIS, but AFAICR you need to either set up a duplicate IUSER_<webserver name> account on the 2nd box, or run IIS as a network user with appropriate perms.

It is a less secure method than an isolated/DMZ-zone based web server, because an anonymous web user is accessing your internal network share. How secure/insecure will depend on how secure IIS + app are, and how securely-configured your internal network is. HTH.

Bolad

4:08 pm on Oct 3, 2007 (gmt 0)

10+ Year Member



Wow, thanks for the fast reply mattur. I will pass this on to my more technical assistant when he returns off hols next week and see what he thinks. I will be sure to let you know the outcome.
Once again thanks, this is a fantastic site and if I can help anyone on the graphic/design side, I will be sure to offer my assistance.

[edited by: Bolad at 4:08 pm (utc) on Oct. 3, 2007]

aspdaddy

4:19 pm on Oct 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't think that will work, and it's very risky to allow anonymous access. You could use RADIUS to authenticate the data requests but it's an overhead you don't really need.

For typical Moodle stuff keep it all on one domain, nice and simple. The security is much better if it's controlled by AD. If you have remote access to the Moodle server you will need remote access to the Moodle data. Why would you give someone access to Moodle and not the data? It makes no sense. Unless you are hosting Moodle on a shared server? Bad idea, Moodle eats bandwidth big time.

Are you UK based? If you sticky me I can put you in touch with Moodle consultants who can sort it for you.

Bolad

6:32 pm on Oct 3, 2007 (gmt 0)

10+ Year Member



Thanks for your reply aspdaddy. That is kind of what we were thinking, it being a bit of a security risk. Being a school, there are servers on the network which do hold sensitive data which we cannot put at risk. The big problem with having the moodledata folder on the web server itself is a matter of space. The server is a Dell blade, and the biggest HD size it will take is, I think, 73 GB. As this server will also be hosting the main website and intranet, it wouldn't take long for us to fill the HD with data from around 1000 students and staff.
I am based in the UK so will sticky you after writing this. Thank you for your help.