IUSR Permissions

[Matt Massie]

I'm made an .ASP application that uses 1 .mdb for login authentication, and
1 for my main database. My page is automated so that 1 file is created and
filled with data from the main .mdb, then the application updates my
database so I know which records have been downloaded and which have not. It
works great if I give IUSR_ sweeping, full control across my \WINNT,
\WINNT\TEMP, and \INETPUB.
As soon as I take away permission from some file or folder that should have
nothing to do with the ASP, like the \inetpub\ftproot, It fails to work. Can
anyone tell me exactly which files and folders an asp application connecting
to an MS Access DB through a Jet Connection, needing to read, execute, and
write in the database? (Now, all asp and mdb files reside in the wwwroot
dir.
Thanks,
Matt Massie

[Matt Massie]

What about DLLs in system32? Are there specific files there that need to be
"permissioned"? Right now, If I drop IUSR full control from WINNT\SYSTEM32,
my program fails. I either 1.let my application run, with security gaps, 2
don't use it or 3. go through the c:\ checking the operability of the
program one file at a time. Are there any programs that will analyze which
resources a particular set of code utilizes?

[Ray at]

IUSR needs to read/write/modify (delete) permissions on the directory that
contains the .mdb. Any time it needs to access the database, it will need
to create an .ldb file in the directory. That is why even if all your site
is going to do is read from the .mdb, you cannot just give read permissions
on the .mdb file itself.

Also, if you're using ODBC, IUSR may need permissions to the %temp% (system)
directory as well, as it creates and deletes temp files in there. The best
thing to do though is use OLEDB and then you won't have to worry about
permissions on %temp%.

Ray at work

"Matt Massie" <rmmassie@comcast.net> wrote in message
news:l5Odnbfm_aOt2DyiRVn-gw@comcast.com...

>
> I'm made an .ASP application that uses 1 .mdb for login authentication,

and

> 1 for my main database. My page is automated so that 1 file is created and
> filled with data from the main .mdb, then the application updates my
> database so I know which records have been downloaded and which have not.

It

> works great if I give IUSR_ sweeping, full control across my \WINNT,
> \WINNT\TEMP, and \INETPUB.
> As soon as I take away permission from some file or folder that should

have

> nothing to do with the ASP, like the \inetpub\ftproot, It fails to work.

Can

> anyone tell me exactly which files and folders an asp application

connecting

> to an MS Access DB through a Jet Connection, needing to read, execute, and
> write in the database? (Now, all asp and mdb files reside in the wwwroot
> dir.
> Thanks,
> Matt Massie
>
>

[Ray at]

I don't really have answers to your questions that I'd be willing to post
thinking that I ~may~ guess correctly. But, how would your application have
security holes if IUSR has permissions on dll's? What is it that you fear
will happen? Are you suspicious of coworkers who will create malicious
applications? Typically, the fact that IUSR is a guest on the machine makes
it a pretty secure account.

Ray at home

"Matt Massie" <rmmassie@comcast.net> wrote in message
news:WcudnRWWs8671zyiRVn-sA@comcast.com...

> What about DLLs in system32? Are there specific files there that need to

be

> "permissioned"? Right now, If I drop IUSR full control from

WINNT\SYSTEM32,

> my program fails. I either 1.let my application run, with security gaps, 2
> don't use it or 3. go through the c:\ checking the operability of the
> program one file at a time. Are there any programs that will analyze which
> resources a particular set of code utilizes?
>
>