Security Basics mailing list archives

RE: permission


From: "Phillips, Mike" <PhillipsMike () otc army mil>
Date: Mon, 10 Feb 2003 08:40:47 -0600

IMHO, guest users should have the most restrictive possible access to system
hard drives or other information that they can hack. I am not sure, but it
sounds like the guest is using one of your computers to access the Internet.
Otherwise, they should not see anything other than the web site itself. If
my guess is correct, your first line of defense is to control who gets
access to your computers. We tend to be very restrictive. Only members of
our organization who are visiting here get access under any circumstances.

Regards,

Mike Phillips

-----Original Message-----
From: Kenzo [mailto:kenzo_chin () hotmail com]
Sent: Friday, February 07, 2003 1:47 PM
To: security-basics () securityfocus com
Subject: permission


OK, I need some input from you guys on this.
Our webmaster seems to think that giving the guest internet user read access
to the C drive is OK as long as you don't set IIS to list content and other
stuff that I don't understand, since I don't know anything about running a
website.
I told him that by doing so, most subfolders will also take that permission,
so if someone that knows what they're doing could compromise that account,
they would have read access to almost the whole C drive.
The box is a win2k server with IIS5.  I believe he wants to do this for some
error checking for a C or Java program.
The program is supposed to check to make sure that the drive has enough space
before it starts writing or copying things and for that it needs read access
to the C drive.
To me, even though I don't know anything about programming and webhosting,
it doesn't look right from the security point of view.

Please give me some input on this if it's OK or not and why, so that I can
tell him yes it's OK or NO it's not OK because of this and that.

Thanks.
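
An added example, not part of the original thread: a PowerShell audit for the inheritance concern raised in the question. It lists folders where the anonymous web account (or a group it belongs to) is allowed to read, and whether each grant is explicit or inherited. It assumes Windows PowerShell 5.1 or later, which postdates the Windows 2000 server discussed, and the account and group names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Lists folders under $Root where any of
# $Identities is allowed to read, and whether that grant is explicit or inherited.
param(
    [string]   $Root       = 'C:\',
    # Hypothetical names: the anonymous web account plus groups it belongs to.
    [string[]] $Identities = @('WEBSRV\IUSR_WEBSRV', 'BUILTIN\Guests', 'Everyone'),
    [int]      $Depth      = 2
)

# ReadData on a file is the same bit as ListDirectory on a folder.
$read        = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# The root itself plus its subfolders down to $Depth levels, hidden ones included.
$folders = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth `
                 -Force -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        # Only Allow entries are reported; Deny entries are not evaluated here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $read) -eq 0) { continue }

        [pscustomobject]@{
            Folder    = $folder.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Source    = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Protected = $acl.AreAccessRulesProtected   # True = inheritance blocked here
        }
    }
}
```

Rows marked `inherited` are folders that picked up read access from a parent; a folder with `Protected` set to `True` does not take permissions from above it.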

