Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IIS6

From: Nicholas Diotte <xphox () xphox net>
Date: 7 Apr 2004 18:15:36 -0000
In-Reply-To: <8858C6182FCC434C9331054F989E01735D33BF () dsw29 wattens swarovski com>

Thomas,

I'm not a 100% sure on this, but I think the problem lies with the default application pool that is created for IIS.  
If I understand correctly, programs assigned to run under it run as "Network Service", which probably does not have the 
correct rights.  I could be completely off ball on this, but you could try creating a user account, and assign it the 
proper permissions to be able to access the files, then run as that user, instead of a network service.  Also don't 
forget to add that newly created user to IIS_WPG group, or you won't get very far...

If this has pointed you in the wrong direction, please forgive me...

Thank you,
Nick


Dear list,

some of our users want to use ftp for changing files with external partners.
We use WS_FTP 4.02 Server and have a http frontend for our users. They
connect to our intranetserver and come to a page where they can create ftp
accounts which are automatically deleted after three days. The site is
programmed in php an the script runs the iftpaddu.exe to create the users.
Until now we used Apache on our intrantserver where everything worked fine.
Now we migrated to IIS6 on Windows 2003 and when a user without admin
permissions runs this script on the intranet page it doesn't work. Local
Admin Users can still use the feature and create users. 
Can you tell me in which user context such a script runs on the IIS and
where i can configure this permission? When logging on to a server with a
non admin user and running the iftpaddu.exe everything works fine - so the
error must be somewhere in the permissions of iis.

Thanks,
Thomas


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: