Multiple sites on an IIS server

Forum Moderators: open

Message Too Old, No Replies

Multiple sites on an IIS server

Security, how to keep sites separate

Dabrowski

10:33 pm on Sep 11, 2009 (gmt 0)

ok, I have an IIS6 server on 2k3. It's working fine, and I've got a few clients up and running on it.

But before I get too into it, I need to make sure the security is such that a user cannot discover, or mess with other clients' data. Or the system data for that matter.

What's the best way to set up the user permissions for this?

Ocean10000

2:53 pm on Sep 13, 2009 (gmt 0)

What type of access to the clients have to the server currently? FTP? Web Control Panel of some sort? Are you allowing Scripting Asp/Asp.net/PHP ? What about Database Access? Will there be any?

Dabrowski

3:09 pm on Sep 16, 2009 (gmt 0)

They are running FTP, MySQL, PHP.

There's no control panel as such, although they do have PHPMyAdmin.

Ocean10000

10:59 pm on Sep 16, 2009 (gmt 0)

I have found some PHP Links which cover a bit of what you are looking for in relation to PHP itself.

[iis-aid.com...]

[learn.iis.net...]

Ocean10000

1:10 am on Sep 17, 2009 (gmt 0)

FTP - Even though this article is old still has some good advice to keep common problems at bay.

[windowsecurity.com...]

Making sure you have proper ACL on each persons folders is a must so they can not see or access stuff they should not have access too.

Dabrowski

5:44 pm on Sep 17, 2009 (gmt 0)

Thanks, I'll have a look at those.

What I'm unsure about in particular though, is the NTFS and Website User permissions.

Here's my folder structure:

C:
---> Web Root
------> Client
---------> Domain name (most clients have more than one)

I have already removed the 'Domain Users' group from the root of the drive, and assigned the client full access permissions on their own folder.

But the IUSR account can still access each client folder as IIS is using this for access. I'm worried that somebody could upload a PHP script, that, when executed by IIS could be used to interrogate another clients' site.

Do you think it's a good idea to make IIS user the clients' own account as it's anonymous access user, thus blocking IIS access outside the client folder?

marcel

7:13 pm on Sep 17, 2009 (gmt 0)

Do you think it's a good idea to make IIS user the clients' own account as it's anonymous access user, thus blocking IIS access outside the client folder?

This is how I have it setup on my server and as far as I can see it works well. (but I am far from a security expert though...)

Dabrowski

5:31 pm on Sep 18, 2009 (gmt 0)

I wanted to do it this way so PHP has write access to the local filesystem, for uploads etc...

I'm am writing a system which will upload a ZIP file, then PHP would extract it to the server.

It should also deny access to anything outside the client folder.

The only thing I'm not 100% sure about is securing Active Directory, I don't want someone to be able to discover users by browsing the directory.

Ocean10000

1:06 am on Sep 19, 2009 (gmt 0)

Normally you have a firewall block all ports except 80,443,21,20. This would block them from any access to active directory and anything else except from Web and FTP.

Dabrowski

5:38 pm on Sep 19, 2009 (gmt 0)

...unless it's running on the same machine...

3306 for MySQL too btw.

Ocean10000

4:19 pm on Sep 20, 2009 (gmt 0)

Normally with Database servers I make sure the ips are private non-internet routeable IPS, aka a private subnet. So only the servers that need to access it can but everything else can not. And have only the database port exposed even internally, and maybe a remote desktop port exposed.