IUSER added to Admin Group- Any issues?

External Since: Mar 30, 2004 Posts: 3

Hi,
We have a ISAPI Filter in our application. When it was deployed on IIS 5.0 (Windows 2000), we did not have any issues. When we deploy the same application
on IIS 6.0 (Windows 2003), it does not work. The following the is the description of the error that we are getting.

Scenario: We are trying to upload the files into our application through the browser. This will get a file from the browser and put it into the Server machine.
When we do the same, we get an error.

Log Attached:
Wed Mar 31 09:49:02 isapidrv[2804]: Thread 9964: [error] ifile.c:216 tmpfile error [13] Permission denied

When we see our log, we see that it fails in the temp file creation.(using windows tmpfile() function).

Possible Work Around: When we add the IUSR_* to the adminstrator groups (from the computer management), tmpfile() function works fine.

Security Issue: We are wondering if there is any security issue if we do this way?

Is there any other way apart from adding the IUSR_* to the adminstrator group.

Thanks
Sreejith

External Since: Aug 25, 2003 Posts: 2419

Yes, there is significant security issue with adding IUSR to Admin Group.
You make your server one crash away from being hacked and completely owned
by the attacker.

You do not need to add IUSR to the administrator group in your situation.
Sure, it works, but it basically elevates privileges such that permissions
failures do not occor -- and that is not the proper way to think about
security. Security is about configuration of minimal permissions to
accomplish a task -- not configuration of maximal permissions such that
tasks cannot fail by denial.

All you need to do is to make sure that the remote user identity that is
executing the code to upload files onto the server has the actual ACLs to
write to the server's filesystem. In other words, if the remote user
identity is IUSR_* , then give IUSR_* write permissions to the folder(s)
where you are trying to upload files. This accurately grants minimal
permissions (write permission to the appropriate folders on the filesystem)
to accomplish a task (upload files by certain user to the server's
filesystem).

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Sreejith" <anonymous.TakeThisOut@discussions.microsoft.com> wrote in message
news:DE3E4E1A-B834-4E3A-86C1-BF26EF8828DB@microsoft.com...
Hi,
We have a ISAPI Filter in our application. When it was deployed on IIS
5.0 (Windows 2000), we did not have any issues. When we deploy the same
application
on IIS 6.0 (Windows 2003), it does not work. The following the is the
description of the error that we are getting.

Scenario: We are trying to upload the files into our application through the
browser. This will get a file from the browser and put it into the Server
machine.
When we do the same, we get an error.

Log Attached:
Wed Mar 31 09:49:02 isapidrv[2804]: Thread 9964: [error] ifile.c:216 tmpfile
error [13] Permission denied

When we see our log, we see that it fails in the temp file creation.(using
windows tmpfile() function).

Possible Work Around: When we add the IUSR_* to the adminstrator groups
(from the computer management), tmpfile() function works fine.

Security Issue: We are wondering if there is any security issue if we do
this way?

Is there any other way apart from adding the IUSR_* to the adminstrator
group.

Thanks
Sreejith