
AngryPets Blog


Absurd NEW Functionality in Windows 2003


Honestly, this one just makes me mad.

Windows 2003 Server. IIS configured to serve a site out of D:\Webs\mySite\.

In order to ensure that IIS/ASP.NET can serve that site, I've configured everything as needed: IUSR_<machine_name> and IIS_WPG both have read perms (plus I've given NT AUTHORITY\NETWORK SERVICE write access to the Temp ASP.NET files folder in the applicable version of the Framework (in my case 2.0)).
AND (heavens to Betsy...) because I need to be able to use the FileSystem, and OPEN a file in my web, I've granted NT AUTHORITY\NETWORK SERVICE modify on a directory where needed.

That's a lot of security mumbo jumbo when you think about it but I'm NOT griping about THAT (though somebody should).

I'm griping about what happens when I create a new folder on my desktop called test (drop a sample .aspx into it, etc.), and then COPY/PASTE that into my D:\Webs\mySite\ directory. If I then open a browser and point it at the /test/ directory, I get prompted for my credentials.

Yup. Sure enough. Check the ACLs, and IUSR_<machine_name> and IIS_WPG haven't inherited credentials in that directory - they're completely NOT permitted into a child directory where they've been granted access on the parent.

What gives? (And this isn't just an IIS thing.) I understand the whole notion of traverse checking, but that's actually a different notion (goes the OTHER way around, is truly a security concern). This... this is what? How does this make me more secure, or safe?

Let's look at it this way: If I have a directory called \Financial Docs\, and I've granted Bob in cubicle 37 access to read that directory, and then paste in \September2005\ as a child directory - Bob can't read that directory until I expressly ACL him?

Somebody tell me how that makes sense. Seriously, if I don't want Bob to read that directory then I won't drop it into the share (an EXPLICIT action on my part) - or I'll make sure to DACL him.

Likewise, if I don't want anonymous web users browsing the /underwear/ directory that I drop into my site, I'll DACL that in similar fashion.

I REALLY WANT to be WRONG here. But I've tested it a few times and the results are always the same. What gives? And which service pack screwed me?


posted on Friday, September 23, 2005 8:34 PM
 

Existing Comments:

# re: Absurd NEW Functionality in Windows 2003 - Posted: 9/24/2005 6:22 AM - By: Ayende Rahien
   It's just a matter of inheriting ACL.
Check that the permissions are inheritable, and remember that copy & paste will copy any non inheritable permissions.
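
The check the comment above suggests, as an added example that is not part of the post or the comment: walk the site root, flag child folders where "inherit from parent" has been switched off, and report which of the accounts the post names can no longer read them. It assumes PowerShell with Get-Acl/Set-Acl on the web server; the root path and account names are taken from the post and are placeholders for your own.

```powershell
# Added example: audit a site root for folders that do not inherit their ACL
# from the parent and check that the IIS identities still have read access.
# Defaults mirror the post (D:\Webs\mySite, IUSR_<machine>, IIS_WPG); adjust as needed.
param(
    [string]$SiteRoot = 'D:\Webs\mySite',
    [string[]]$RequiredReaders = @("$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
                                   "$env:COMPUTERNAME\IIS_WPG"),
    [switch]$RestoreInheritance   # re-enable inheritance on flagged folders
)

function Test-HasRead {
    param([System.Security.AccessControl.DirectorySecurity]$Acl, [string]$Identity)
    # True if any Allow ACE (explicit or inherited) grants at least ReadAndExecute.
    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $need) -eq $need)) { return $true }
    }
    return $false
}

# PSIsContainer instead of -Directory so this also runs on older PowerShell versions.
Get-ChildItem -Path $SiteRoot -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    # AreAccessRulesProtected is true when inheritance from the parent is blocked,
    # which is the state the post describes on the pasted \test\ folder.
    $protected = $acl.AreAccessRulesProtected
    $missing = @($RequiredReaders | Where-Object { -not (Test-HasRead -Acl $acl -Identity $_) })

    if ($protected -or $missing.Count -gt 0) {
        [pscustomobject]@{
            Path               = $_.FullName
            InheritanceBlocked = $protected
            MissingReadFor     = ($missing -join ', ')
        }
    }

    if ($RestoreInheritance -and $protected) {
        # First argument $false turns inheritance back on; existing explicit ACEs are kept.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}
```

Run it without -RestoreInheritance first and review the report; a folder that is flagged but should stay locked down (the post's /underwear/ case) is a deliberate exception, not something to re-open.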


# re: Absurd NEW Functionality in Windows 2003 - Posted: 9/26/2005 9:29 AM - By: Michael K. Campbell
   That sounds like a logical solution. It just bugs me that when I add a folder somewhere that it doesn't inherit perms by default. (i.e. If I were storing photo albums in a 'shared' directory, and drug a new album in there, it wouldn't, by default, inherit the perms I had already set up. That's just unacceptable to me.)


