Welcome to WebmasterWorld Guest from 3.226.251.81

Forum Moderators: ocean10000

Message Too Old, No Replies

Multiple sites on an IIS server

Security, how to keep sites separate

     
10:33 pm on Sep 11, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2007
posts:1147
votes: 0


ok, I have an IIS6 server on 2k3. It's working fine, and I've got a few clients up and running on it.

But before I get too into it, I need to make sure the security is such that a user cannot discover, or mess with other clients' data. Or the system data for that matter.

What's the best way to set up the user permissions for this?

2:53 pm on Sept 13, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


What type of access to the clients have to the server currently? FTP? Web Control Panel of some sort? Are you allowing Scripting Asp/Asp.net/PHP ? What about Database Access? Will there be any?
3:09 pm on Sept 16, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2007
posts:1147
votes: 0


They are running FTP, MySQL, PHP.

There's no control panel as such, although they do have PHPMyAdmin.

10:59 pm on Sept 16, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


I have found some PHP Links which cover a bit of what you are looking for in relation to PHP itself.

[iis-aid.com...]

[learn.iis.net...]

1:10 am on Sept 17, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


FTP - Even though this article is old still has some good advice to keep common problems at bay.

[windowsecurity.com...]

Making sure you have proper ACL on each persons folders is a must so they can not see or access stuff they should not have access too.

5:44 pm on Sept 17, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2007
posts:1147
votes: 0


Thanks, I'll have a look at those.

What I'm unsure about in particular though, is the NTFS and Website User permissions.

Here's my folder structure:

C:
---> Web Root
------> Client
---------> Domain name (most clients have more than one)

I have already removed the 'Domain Users' group from the root of the drive, and assigned the client full access permissions on their own folder.

But the IUSR account can still access each client folder as IIS is using this for access. I'm worried that somebody could upload a PHP script, that, when executed by IIS could be used to interrogate another clients' site.

Do you think it's a good idea to make IIS user the clients' own account as it's anonymous access user, thus blocking IIS access outside the client folder?

7:13 pm on Sept 17, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 1, 2005
posts:733
votes: 0


Do you think it's a good idea to make IIS user the clients' own account as it's anonymous access user, thus blocking IIS access outside the client folder?

This is how I have it setup on my server and as far as I can see it works well. (but I am far from a security expert though...)

5:31 pm on Sept 18, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2007
posts:1147
votes: 0


I wanted to do it this way so PHP has write access to the local filesystem, for uploads etc...

I'm am writing a system which will upload a ZIP file, then PHP would extract it to the server.

It should also deny access to anything outside the client folder.

The only thing I'm not 100% sure about is securing Active Directory, I don't want someone to be able to discover users by browsing the directory.

1:06 am on Sept 19, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


Normally you have a firewall block all ports except 80,443,21,20. This would block them from any access to active directory and anything else except from Web and FTP.
5:38 pm on Sept 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2007
posts:1147
votes: 0


...unless it's running on the same machine...

3306 for MySQL too btw.

4:19 pm on Sept 20, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


Normally with Database servers I make sure the ips are private non-internet routeable IPS, aka a private subnet. So only the servers that need to access it can but everything else can not. And have only the database port exposed even internally, and maybe a remote desktop port exposed.