Server Permission Settings

Hello,

I'm not sure if I'm in the right area. I have asp pages that call a
database and sometimes updates it. The pages are under the root the database
is in a db folder under the root. My server guy isn't too sure what the
permissions should be on the server to these folders (root & db). Can you
give me some general instructions for this? Or point me in the right
direction for the answer?

Thanks
Jul 22 '05 #1
You need to ensure IUSR_<machine> has read permissions for the root and
read/write for the database (not the folder it's in)

"Jess" <Je**@discussions.microsoft.com> wrote in message
news:5F**********************************@microsof t.com...
> Hello,
>
> I'm not sure if I'm in the right area. I have asp pages that call a
> database and sometimes updates it. The pages are under the root the database
> is in a db folder under the root. My server guy isn't too sure what the
> permissions should be on the server to these folders (root & db). Can you
> give me some general instructions for this? Or point me in the right
> direction for the answer?
>
> Thanks

Jul 22 '05 #2
IUSR_MachineName should have read access on the folder(s) containing the ASP
scripts, and full permissions on the folder containing the MDB file (it
needs read to access it, change to allow the file to grow as you fill it
with more data, and write to create the temporary LDB file).

A bit of information here:
http://support.microsoft.com/default.aspx/kb/253604

And lots of troubleshooting for 80004005 errors here:
http://www.aspfaq.com/2009

"Jess" <Je**@discussions.microsoft.com> wrote in message
news:5F**********************************@microsof t.com...
> Hello,
>
> I'm not sure if I'm in the right area. I have asp pages that call a
> database and sometimes updates it. The pages are under the root the database
> is in a db folder under the root. My server guy isn't too sure what the
> permissions should be on the server to these folders (root & db). Can you
> give me some general instructions for this? Or point me in the right
> direction for the answer?
>
> Thanks

Jul 22 '05 #3
"Aaron Bertrand [SQL Server MVP]" wrote in message
news:eF**************@tk2msftngp13.phx.gbl...
: IUSR_MachineName should have read access on the folder(s) containing the ASP
: scripts, and full permissions on the folder containing the MDB file (it
: needs read to access it, change to allow the file to grow as you fill it
: with more data, and write to create the temporary LDB file).
:
: A bit of information here:
: http://support.microsoft.com/default.aspx/kb/253604
:
: And lots of troubleshooting for 80004005 errors here:
: http://www.aspfaq.com/2009

Make that modify rights, not full rights.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 22 '05 #4
> Make that modify rights, not full rights.

What rights are included in full that aren't needed?

As I explained, you need read obviously, plus you need change if the MDB
file should grow, plus you need write to create the LDB file.

A
Jul 22 '05 #5
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:eQ**************@TK2MSFTNGP12.phx.gbl...
:> Make that modify rights, not full rights.
:
: What rights are included in full that aren't needed?
:
: As I explained, you need read obviously, plus you need change if the MDB
: file should grow, plus you need write to create the LDB file.

1. It's not create rights, it's write rights.
2. Permissions are inclusive meaning the next level has all of what the
previous level has.
3. With Full Rights you can change permissions and take ownership. That's
not a good thing to give to an anonymous user or anyone that doesn't need
it.

From here: http://www.windowsitlibrary.com/Content/592/1.html#1
If a user needs all access to a file except to take ownership and change its
permissions, the Modify permission can be granted. The access allowed by the
Read, Write, and Read & Execute are automatically granted within the Modify
permission.

Nobody should ever have full rights unless they're an admin, backup account
or SYSTEM. And, no admins should have admin access with their daily user
account. All admins should have a separate account just for administration.
It minimizes the risk to the network and allows for a better trail.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


Jul 22 '05 #6
> : file should grow, plus you need write to create the LDB file.
>
> 1. It's not create rights, it's write rights.

That's what I said. "You need write to create the LDB file."

> 3. With Full Rights you can change permissions and take ownership. That's
> not a good thing to give to an anonymous user or anyone that doesn't need
> it.


An anonymous user who can't log in (since Windows controls the password).
Can you please demonstrate an ASP script that will allow a user of the web
site to do something silly or worse because IUSR has "full control" rights
rather than the individual permissions.

Remember that if someone has access to the file system to change an ASP
script that IUSR has access to, they have already compromised more than what
you're worried about. And also remember that I did not suggest adding IUSR
to the administrators group.
Jul 22 '05 #7
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:e6**************@TK2MSFTNGP10.phx.gbl...
:> : file should grow, plus you need write to create the LDB file.
: >
: > 1. It's not create rights, it's write rights.
:
: That's what I said. "You need write to create the LDB file."

Which means you only need modify rights. I hear an echo. (O:=

: > 3. With Full Rights you can change permissions and take ownership. That's
: > not a good thing to give to an anonymous user or anyone that doesn't need
: > it.
:
: An anonymous user who can't log in (since Windows controls the password).

You're assuming the password is being controlled by the OS. Just because
it's the default doesn't make it so. You're also assuming it can never be
compromised. What is the only secure system in the world?

: Can you please demonstrate an ASP script that will allow a user of the web
: site to do something silly or worse because IUSR has "full control" rights
: rather than the individual permissions.

NTFS permissions do not affect ASP scripts, directly. They affect user
access. I don't know what the next buffer overflow is going to do and
giving Full Rights to an account that doesn't need it is a security risk.

Network security is not rocket science. It's not a task. It is a simple
philosophy. Never give anyone access they don't need to get their job done.
It's not a good idea to teach others bad behavior no matter how well
intended, no matter how safe it appears to be on the surface.

: Remember that if someone has access to the file system to change an ASP
: script that IUSR has access to, they have already compromised more than what
: you're worried about.

I'm always worried about the whole system, not just in part. I never assume
anything is secure. As stated above, I have a simple philosophy and I
follow it. It increases my chance for success in securing my network and
those I support. It's not a good idea to give everyone on the net Full
Rights to any part of my network.

: And also remember that I did not suggest adding IUSR
: to the administrators group.

I'm aware. I'm not suggesting you don't know something about security,
however I don't know your level of competency of network security, nor
anyone else's on the net. My response was based on a philosophy which
requires following a standard approach when working with permissions. The
first no-no in network security is to assign Full Rights to any account that
doesn't need it. It's also the first rule broken by every lazy admin on the
planet. I also cannot assume the developer is so proficient that they will
not make the situation worse with sloppy coding. I just cannot predict what
others will do. I have to assume the worst and act accordingly to minimize
the risk and the unscheduled downtime. Also, the net user is not my biggest
threat. It's the users who already have some access to the internal network
and usually Public Enemy #1 is the soon to be convict I'm working under who
thinks s/he needs Administrative access because of his/her title.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 22 '05 #8
Thanks for the help.

Jess
Jul 22 '05 #9
I'm still not sure what you think "Full Control" grants IUSR that
read/write/modify does not, but okay.
Jul 22 '05 #10
Aaron Bertrand [SQL Server MVP] wrote:
> I'm still not sure what you think "Full Control" grants IUSR that
> read/write/modify does not, but okay.


It's similar to the difference between making a user an object owner (dbo)
and granting a user select/update/insert/delete permissions

"Full" grants the ability to modify permissions for the object. It is one
step down from object owner.
"Modify" grants only the ability to create/read/write/delete

Of course, the terminology varies depending on the OS.

Bob
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #11
> "Full" grants the ability to modify permissions for the object. It is one
> step down from object owner.


YES! Now can someone please enlighten me as to how a malicious user will
(a) know that you granted IUSR_ this extra permission, and (b) how they will
take advantage of it.

FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
all, it's checking one box as opposed to three.
Jul 22 '05 #12
Aaron Bertrand [SQL Server MVP] wrote:
>> "Full" grants the ability to modify permissions for the object. It
>> is one step down from object owner.
>
> YES! Now can someone please enlighten me as to how a malicious user
> will (a) know that you granted IUSR_ this extra permission, and

Obviously, unless he has physical/directory access to the machine, in which
case your goose is already cooked, he won't.

> (b)
> how they will take advantage of it.

No way that I can think of.

However, that does not invalidate the "least privilege" principle.
Neglecting it in one specific situation may make it easy to neglect it where
it really counts.

> FWIW, I typically grant Full Control because I'm a lazy ignoramus.
> After all, it's checking one box as opposed to three.


Again, it depends on the OS. On my machine, clicking Modify causes the lower
checkboxes to be checked. On older systems, yes, I remember having to check
multiple checkboxes.

And I will dispute that "lazy ignoramus" label.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #13
"Aaron Bertrand [SQL Server MVP]" wrote in message
news:u$**************@TK2MSFTNGP12.phx.gbl...
:> "Full" grants the ability to modify permissions for the object. It is one
: > step down from object owner.
:
: YES! Now can someone please enlighten me as to how a malicious user will
: (a) know that you granted IUSR_ this extra permission, and (b) how they will
: take advantage of it.

Well, then just give the anonymous user Full Rights to your entire web root
then. How will they know you granted the extra permission? After all, READ
rights are inclusive to Full Rights. Define "they". They the net user,
they the local user...?

: FWIW, I typically grant Full Control because I'm a lazy ignoramus. After
: all, it's checking one box as opposed to three.

I'm sorry to hear that. I may have to remove your pedestal. (O:=

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 22 '05 #14
"Jess" wrote in message
news:AF**********************************@microsof t.com...
: Thanks for the help.

While we differ slightly in our views, Aaron did direct you to a good
article to let you know you need at least modify rights on the folder
containing your database to solve your issue. Good luck to you.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 22 '05 #15
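
One way to apply and check the outcome the thread arrives at (read on the script folder, Modify rather than Full Control on the database folder), as an added example that is not from any of the posters. The account name, both paths and the `Get-ExcessAce` helper are assumptions for illustration; run it from an elevated PowerShell prompt on the web server.

```powershell
# Added example, not from the thread. Placeholder values (assumptions):
$Account = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"  # anonymous account, IUSR_<machine>
$WebRoot = 'C:\Inetpub\wwwroot'                         # folder holding the ASP scripts
$DbDir   = 'C:\Inetpub\wwwroot\db'                      # folder holding the MDB file

function Get-ExcessAce {
    # Hypothetical helper: list Allow ACEs on $Path for identities matching
    # $Identity (wildcards allowed) that carry rights Modify does not include:
    # change permissions or take ownership. 0x10000000 is GENERIC_ALL, which
    # Get-Acl can report as a raw number on some inherit-only entries.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = '*\IUSR_*'
    )
    $excess = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $mask   = [int]$excess -bor 0x10000000
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like $Identity -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

if ((Test-Path -LiteralPath $WebRoot) -and (Test-Path -LiteralPath $DbDir)) {
    # Before: show any entry that already gives the anonymous account more than Modify.
    Get-ExcessAce -Path $WebRoot
    Get-ExcessAce -Path $DbDir

    # Script folder: read and execute only. (OI)(CI) lets files and subfolders inherit.
    # /grant:r replaces this account's earlier explicit grants instead of adding to them.
    icacls $WebRoot /grant:r "${Account}:(OI)(CI)RX"

    # Database folder: Modify covers reading the MDB, letting it grow and
    # creating/deleting the temporary LDB file, without change-permissions
    # or take-ownership.
    icacls $DbDir /grant:r "${Account}:(OI)(CI)M"

    # After: both calls should return nothing. A row with IsInherited = True
    # means the excess grant comes from a parent folder and must be fixed there.
    Get-ExcessAce -Path $WebRoot
    Get-ExcessAce -Path $DbDir
}
```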
