What are the security effects of giving the IIS_IUSRS a Full Control permission?


Solution 1

It is easy to confuse IUSR and IIS_IUSRS because of their names but these are two different things:

  1. IIS_IUSRS is the group for IIS Worker Process Accounts. This means the identity that the application pool itself runs under.
  2. IUSR is the anonymous user identity. That means the identity that IIS believes to be the user who is accessing the site. This user is not a member of the IIS_IUSRS group by default.

In IIS 7.0, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. [...] The IUSR account resembles a network or local service account. The IUSR_MachineName account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server is not installed, the account is not created. http://support.microsoft.com/kb/981949

IIS_IUSRS is a built-in group that has access to all the necessary file and system resources, so that an account, when added to this group, can seamlessly act as an application pool identity.

Read the similar thread which explains why giving access to IIS_IUSRS has a different effect than giving the same access to IUSR:

Here is good documentation about the groups and users used in IIS 7.

By default, IIS_IUSRS has only read & execute (and, as a result, list folder contents) permissions on the wwwroot. Full control might be too much.
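The answer's point is that the default for IIS_IUSRS on wwwroot is Read & Execute, and anything beyond that is worth noticing. The following PowerShell is an added example, not code from the original answers: it lists the ACEs on a web root that belong to the two identities discussed above and flags any entry whose rights go beyond Read & Execute. The path is a placeholder and the identity names assume an English-language Windows installation.

```powershell
# Added example (not from the original answers). Reports what IIS_IUSRS and IUSR
# can do on a web root and flags entries that grant more than Read & Execute.
# Assumes Windows PowerShell 5.1 or later on Windows.

function Get-WebRootAceReport {
    param(
        [string]$Path = 'C:\inetpub\wwwroot'   # placeholder, point at your site root
    )

    # Identities the answers discuss (built-in names on an English system).
    $watched = @('BUILTIN\IIS_IUSRS', 'NT AUTHORITY\IUSR')

    # "Read & execute" in the Security tab is ReadAndExecute plus Synchronize.
    $readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                [int][System.Security.AccessControl.FileSystemRights]::Synchronize

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($watched -notcontains $who) { continue }

        # Any bit outside ReadAndExecute|Synchronize is extra: Write, Modify,
        # FullControl, or the numeric "generic" rights that appear on some
        # inherit-only entries (for example 268435456 = GENERIC_ALL).
        $extra = ([int]$ace.FileSystemRights) -band (-bnot $readExec)

        $status = if ($ace.AccessControlType -eq 'Deny') { 'DENY' }
                  elseif ($extra -ne 0)                   { 'EXCESSIVE' }
                  else                                    { 'ok' }

        # Inherited entries cannot be fixed on this folder; they come from a parent.
        $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }

        '{0,-10} {1,-24} {2,-9} {3}' -f $status, $who, $origin, $ace.FileSystemRights
    }
}

Get-WebRootAceReport
```

On an untouched wwwroot the IIS_IUSRS line reads `ok ... ReadAndExecute, Synchronize`; a `FullControl` or `Modify` entry shows as `EXCESSIVE`. The `origin` column matters for remediation: an inherited Full Control entry has to be corrected on the parent folder (or inheritance broken), not on the site root itself.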

Solution 2

Imagine a website that allows users to upload arbitrary files, and that has a bug which causes such files to be saved in the application directory.

In this case, an attacker can upload an aspx file with arbitrary code, overwrite your web.config file, etc.

Far better to give read-only access to the root folder, and only give full control to specific folders that you know won't contain executable code, for example subfolders of App_Data.
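One way to apply the layout this answer recommends, as an added example that is not part of the original answer: the worker-process identity gets Read & Execute on the site root and write access only on a folder under App_Data. The example narrows the writable folder's grant from Full Control to Modify, which still allows create, write and delete but not changing permissions or taking ownership; that narrowing is the example's own choice, not the answer's wording. Paths and the identity are placeholders; `IIS AppPool\<poolname>` (the per-pool identity) can be used instead of the group where one site should not share rights with another. Run elevated.

```powershell
# Added example (not from the original answers). Applies: site root read-only for
# the worker process, a single writable data folder under App_Data.
# Assumes Windows PowerShell 5.1 or later on Windows, run as administrator.

$SiteRoot  = 'C:\inetpub\wwwroot\example-site'   # placeholder
$UploadDir = Join-Path $SiteRoot 'App_Data\Uploads'
$Identity  = 'BUILTIN\IIS_IUSRS'                 # or 'IIS AppPool\<poolname>' for per-site isolation

New-Item -ItemType Directory -Path $UploadDir -Force | Out-Null

function Set-FolderRight {
    param(
        [string]$Path,
        [string]$Who,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )

    $acl = Get-Acl -Path $Path

    # Remove every explicit ACE for this identity first, so an earlier Full Control
    # entry does not survive next to the narrower one. Inherited ACEs are untouched;
    # those must be fixed on the parent folder.
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Who)

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Who,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Site root: Read & Execute only. The worker process cannot create an .aspx
#    here or rewrite web.config, which is the scenario the answer describes.
Set-FolderRight -Path $SiteRoot -Who $Identity -Rights ReadAndExecute

# 2. Upload folder: Modify, which adds create/write/delete on top of the
#    inherited Read & Execute but stops short of Full Control.
Set-FolderRight -Path $UploadDir -Who $Identity -Rights Modify

# 3. Show the resulting explicit entries for the identity on both folders.
foreach ($p in @($SiteRoot, $UploadDir)) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        ForEach-Object { '{0,-45} {1}' -f $p, $_.FileSystemRights }
}
```

The upload folder still inherits Read & Execute from the root, so the explicit Modify entry combines with it; the effective result is read, write and delete on App_Data\Uploads and read-only everywhere else under the site.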



Author: Alaa

Updated on July 11, 2022

Comments

  • Alaa
    Alaa almost 2 years

    What are the security effects of giving the IIS_IUSRS a Full Control permission on the root folder of ASP.NET websites?

    Why can't I give the full control permission to IUSR only, which is part of the IIS_IUSRS group?

    Any answer that clarifies this conflict is really appreciated.

    • Brock Hensley
      Brock Hensley about 10 years
      Any user in that group (other websites) will be able to view/modify any file in the root folder and below. This is typically undesired, but in some scenarios may actually be desired. By giving a single user such as IUSR permissions, it allows you to keep your sites isolated and use multiple users that may share the same base access to C:\Inetpub but not anywhere else other than the individual sites like C:\Inetpub\wwwroot\site1.com\ owned by IUSR1 and C:\Inetpub\wwwroot\site2.com\ owned by IUSR2 for best practices.
    • Alaa
      Alaa about 10 years
      @BrockHensley, say the IIS_IUSRS have a Full Control permission for all websites and we have site1 and site2. Do you mean that site1 users will be able to view/modify any file in site2? This should be handled by IIS itself, right?
  • Dave Alperovich
    Dave Alperovich about 10 years
    I'd expand the answer to include read and review privileges. All connection strings, db names, web remote services exposed. Like giving the keys to your house.
  • Akash Kava
    Akash Kava about 10 years
    However, the best option would be to move uploads to a temporary folder instead of any folder below the application root.
  • Alaa
    Alaa about 10 years
    @Joe, is that so? What kind of user will be able to upload when giving IIS_IUSRS a full permission? Website visitors? Would you please help with more details about this conflict.