Migrating a Web Server to IIS 5.0
Table 3.1 provides guidelines for setting NTFS and IIS 5.0 security on a directory, based on its type of content.
Table 3.1 Basic Web Security Settings
Content | Directory Name/Type | NTFS Account | NTFS Directory Permissions | IIS 5.0 Virtual Directory Permissions |
Static (.htm, .gif, .jpg, and so on) | Content | Authenticated Users | Read | Allow Anonymous Access. Allow Read permissions. Directory Browsing okay. |
ASP pages | ASP pages | Authenticated Users | Execute | Allow Anonymous Access. Allow Read permissions. For Execute Permissions, choose Scripts only. Directory Browsing okay. |
ASP-page includes | Includes | Authenticated Users | Execute | Allow Read permissions. |
Server-side includes | Content | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Script or Execute permissions. |
CGI scripts | Scripts | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Scripts only. Disable Read, Write, and Directory browsing. |
ISAPI server extensions | ISAPI Extensions | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Execute. Disable Read, Write, and Directory browsing. |
ISAPI filters | ISAPI Filters | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, select Execute. Disable Read, Write, and Directory browsing. |
Executable CGI applications | CGI bin | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Execute. Disable Read, Write, and Directory browsing. |
Databases | Databases | For remote databases, share out the directory and enable the Guest account for the IIS 5.0 Web service that accesses the share. | Security depends on the database. * See note that follows. | Security depends on the database. |
Microsoft® Component Object Model (COM) and Microsoft® Distributed Component Object Model (DCOM) components | Components | ** See note that follows. | Disable Anonymous Access. Enable Execute permissions only. Disable Read, Write, and Directory browsing. | |
Downloadable executable files | Downloads | Authenticated Users | Read | Enable Read permissions only. Disable Execute permissions or the file will execute rather than download. |
Note: * Whenever possible, keep Microsoft® Access databases on the same computer as IIS 5.0. There isn’t a secure way for an IIS 5.0 application to connect to an Access database located on a networked drive.
** In general, you should place COM and DCOM components in a directory with Execute permissions only. Place COM and DCOM components that need to write to data files in the same directory with the data files and enable both Execute and Write permissions. Be aware that setting Write permissions on a components directory creates the potential for intruders to upload and run an executable file on your server.
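The following added example (not part of the original page or of any Microsoft tooling) checks exported virtual directory settings against the IIS 5.0 column of Table 3.1 for four of its rows, and flags the Write plus Execute combination that the ** note warns about. It assumes the settings have already been exported into dictionaries keyed by IIS metabase property names; the `type` and `path` keys, the sample data, and the function name are hypothetical, and the NTFS columns are not checked.

```python
# Expected IIS settings for four rows of Table 3.1, keyed by IIS metabase
# property name. A property absent from a row is one the table leaves open.
BASELINE = {
    "asp": {"AccessRead": True, "AccessScript": True, "AccessExecute": False},
    "cgi_scripts": {"AuthAnonymous": False, "AccessScript": True,
                    "AccessExecute": False, "AccessRead": False,
                    "AccessWrite": False, "EnableDirBrowsing": False},
    "components": {"AuthAnonymous": False, "AccessExecute": True,
                   "AccessRead": False, "AccessWrite": False,
                   "EnableDirBrowsing": False},
    "downloads": {"AccessRead": True, "AccessWrite": False,
                  "AccessScript": False, "AccessExecute": False},
}

def audit(vdir):
    """Return findings for one virtual directory (dict export is assumed)."""
    path, findings = vdir["path"], []
    expected = BASELINE.get(vdir["type"])
    if expected is None:
        findings.append(f"{path}: no baseline for type {vdir['type']!r}")
        expected = {}
    for prop, want in expected.items():
        got = vdir.get(prop)
        if got is None:
            findings.append(f"{path}: {prop} missing from export")
        elif got != want:
            findings.append(f"{path}: {prop} is {got}, Table 3.1 says {want}")
    # Note ** on the page: Write plus Execute lets an uploaded file be run.
    runnable = vdir.get("AccessScript") or vdir.get("AccessExecute")
    if vdir.get("AccessWrite") and runnable:
        findings.append(f"{path}: Write combined with Script/Execute")
    return findings

# Constructed sample export, not taken from a real server.
SAMPLE = [
    {"path": "/app", "type": "asp", "AccessRead": True,
     "AccessScript": True, "AccessExecute": False, "AccessWrite": False},
    {"path": "/components", "type": "components", "AuthAnonymous": False,
     "AccessExecute": True, "AccessRead": False, "AccessWrite": True,
     "EnableDirBrowsing": False},
    {"path": "/downloads", "type": "downloads", "AccessRead": True,
     "AccessWrite": False, "AccessScript": False, "AccessExecute": True},
]

if __name__ == "__main__":
    for vdir in SAMPLE:
        for finding in audit(vdir):
            print(finding)
```

A components directory that legitimately needs Write, as the ** note allows, will still be reported so that the exception is reviewed rather than silently accepted.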
To help prevent unauthorized access to a directory