Why can I upload a file without IIS Write Permission?

re: Why can I upload a file without IIS Write Permission?

Ken Cox [MVP] — Sun, 21 Aug 2005 18:34:20 GMT

This is a helpful analysis.

What users need is a security tool/debugger that analyzes a given Web's configuration and reports on who has access to do what. It needs to take into account the convergence of ASP.Net (including impersonation), IIS, and NTFS security settings.

Web site owners should be able to see at a glance whether the security is actually what they intended.

Ken
Microsoft MVP [ASP.NET]

re: Why can I upload a file without IIS Write Permission?

wpoust — Mon, 22 Aug 2005 05:11:56 GMT

Excellent post.

When I use online help in IIS 5.0 to look up the write privilege I got, "Use this property sheet to change properties for a physical directory in your Web site."

Can you see why people would be confused about the IIS write permission? Do you see why people would stop using online help all together?

Thanks again for the post.

Security with uploading files to IIS

Erno de Weerd — Mon, 22 Aug 2005 13:43:24 GMT

re: Why can I upload a file without IIS Write Permission?

David Wang — Mon, 22 Aug 2005 13:49:13 GMT

Ken - That is a good idea and is something whose bits and pieces that I have been privately writing and tossing together for people to use.

We also tried to do this with tools like AuthDiag which just tackle this problem from an IIS perspective without ASP.Net, and the results are already mixed. I believe the most useful part of the tool is not its auto-analysis reports for the layman but rather its incisive probes which gives insight to professionals that can make sense of it all.

I just think the problem space is very complex, and a self-serve silver bullet nearly impossible.

Thus, I believe in tools that make the underlying information easier to discover, aggregate, and consume. Ultimate responsibility of interpretation should lie in the user's hands.

wpoust - Thanks. I try to elucidate as much as I can. I am not going to pretend that I like IIS product documentation regardless of distribution format. I just know that prior to IIS 6, IIS documentation was not in good shape. We fixed a lot of things in documentation for IIS 6, but there is still a lot more to fix. I also know that documentation quality varies from team to team across Microsoft, so I caution against transplanting prejudice of one product to another, or even one version to another.

//David

re: Why can I upload a file without IIS Write Permission?

George Dennie — Wed, 11 Jul 2007 03:17:30 GMT

Actually, this is a big security issue and should be regarded as a security hole. Complexity is itself a barrier (foundation of cryptography). Essential this complexity implicitly prevents people from securing their systems reliably.

re: Why can I upload a file without IIS Write Permission?

David.Wang — Fri, 13 Jul 2007 14:47:00 GMT

George - I agree with the statement that complexity makes everything, including security, harder.

However, I think the problem is that end-users want cheap software customized to their unique situations and they want it to be simple to administer. And until we build successful AI, I simply do not believe it will ever reconcile.

By its nature, cheap, customizable software which amply satisfy the unique environment of any user will consist of interacting "layers" that compose to form new functionality. But the same composable layers that bring cheap/customizable solutions also expose interactions that increase complexity.

//David

re: Why can I upload a file without IIS Write Permission?

Outtanames999 — Mon, 18 Feb 2008 05:01:01 GMT

Excellent article. Just wondering... could you write one along the same lines adding user permissions on SQL server objects to the mix?

re: Why can I upload a file without IIS Write Permission?

bruno cabral — Thu, 30 Jul 2009 22:05:11 GMT

Put the user

"NT AUTHORITY\Authenticated Users"

under Administrators Groups and you are Free to write/read/execute !!