Security Basics mailing list archives

RE: permission


From: "Curt Rozeboom" <ntguru () fattony net>
Date: Fri, 7 Feb 2003 20:05:50 -0600

Never Never Never Never EVER give access like that to the root of ANY drive.

Unless you WANT something to go wrong with your system!

Make your programmers do it correctly and program it to function under the
correct security guidelines; they are after all "programmers".  If you allow
a script to access the Root of the drive with a "guest" acct, you are
opening up your system to all scripts, such as scripts that are targeted
towards the %systemroot%. Once that permission is set, you might just as
well just put a link on your web page inviting everyone to crash it, since
that is what you are in effect doing.


Curt 
Consultant/Trainer

-----Original Message-----
From: Kenzo [mailto:kenzo_chin () hotmail com] 
Sent: Friday, February 07, 2003 1:47 PM
To: security-basics () securityfocus com
Subject: permission

OK, I need some input from you guys on this.
Our webmaster seems to think that giving the guest internet user read access
to the C drive is OK as long as you don't set IIS to list content and other
stuff that I don't understand, since I don't know anything about running a
website.
I told him that by doing so, most subfolders will also take that permission,
so if someone that knows what they're doing could compromise that account,
they would have read access to almost the whole C drive.
The box is a win2k server with IIS5. I believe he wants to do this for some
error checking for a C or java program.
The program is supposed to check to make sure that the drive has enough space
before it starts writing or copying things and for that it needs read access
to the C drive.
To me, even though I don't know anything about programming and webhosting,
it doesn't look right from the security point of view.

Please give me some input on this if it's OK or not and why, so that I can
tell him yes it's OK or NO it's not OK because of this and that.

Thanks.
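
An added example, not part of either message in this thread: one way to do the free-space check the original post describes by querying only the folder the application writes to, rather than the root of the drive. The names `has_room`, `data_dir` and `RESERVE_BYTES` are hypothetical, and the sketch assumes the account running it has been granted rights on that one folder.

```python
import shutil
import tempfile
from pathlib import Path

# Hypothetical safety margin kept free on the volume (10 MiB).
RESERVE_BYTES = 10 * 1024 * 1024


def has_room(data_dir, target, needed_bytes, reserve=RESERVE_BYTES):
    """Return True if `target` stays inside `data_dir` and the volume that
    holds `data_dir` has at least `needed_bytes` + `reserve` bytes free.

    The free-space query is made against `data_dir` itself, so nothing
    here opens or lists the root of the drive.
    """
    if needed_bytes < 0 or reserve < 0:
        raise ValueError("sizes must be non-negative")

    base = Path(data_dir).resolve()
    dest = (base / target).resolve()

    # Refuse destinations that escape the application folder ("..", an
    # absolute path, or a symlink pointing elsewhere).
    try:
        dest.relative_to(base)
    except ValueError:
        raise ValueError("target is outside the application data directory")

    # disk_usage reports on the volume containing `base`; any directory
    # on that volume gives the same free-space figure.
    free = shutil.disk_usage(base).free
    return free >= needed_bytes + reserve


if __name__ == "__main__":
    # Constructed sample: a temporary folder stands in for the web
    # application's own data directory.
    with tempfile.TemporaryDirectory() as app_dir:
        print(has_room(app_dir, "upload.bin", 1024, reserve=0))
        print(has_room(app_dir, "upload.bin", 2 ** 62))
```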


