Preventing 'Sneaky Browsing'
If you have a number of users with websites on your server, they can, in the default configuration, read each other's files with FileSystemObject. What if you want to prevent this happening? Here's how.
This article's a little involved, so let's dive right in. My example is based on the following scenario, on my local development server. Both sites are mine, but let's imagine they're not.
Site 1: RTFM: the development version of this site.
Site 2: Atrax.ws: the development version of my weblog.
We want these two sites to be unable to access each other's files, and to be unable to access sensitive files elsewhere on the server. They could do this with a script like this.
The first thing you're going to want to do is tighten down your general NTFS permissions set. Crack open Windows Explorer and set the permissions on each of your sensitive directories to be tighter than the default 'Everyone' setting. Right-click the folder to tighten, get 'Properties', then the Security tab. This being a web server, the only people we want to have access to sensitive stuff are administrators, so first add the Administrators group, with Full Control. Then remove the Everyone group.
NOTE: Of course, this assumes that no-one other than administrators needs access. If anyone else does, you'll have to add them to the rights list.
NOTE 2: It's quite possible to lock down a little TOO tightly. Your users obviously want access to ASP and any installed components. If you've removed all guest access to any of these files, your users won't be able to use them and will get pretty annoyed at you. MAKE SURE you don't over-lock things, or you'll be scouring the server for stray files and unlocking them when your users find they can't run ASP and complain loudly. (This, folks, is why you'll find shortly that your new users are members of a common group. You can just allow that group access to shared IIS files and components.)
Your 'guests' should be able to read and use these required files, but not write to them. (Imagine some sneaky hacker overwriting Scrrun.dll with a VB component of his own devising, which would do things you don't want people to do.)
Now that we have our drives locked down against our non-administrative users, we're going to need to add two new users and a new group to the computer's users/groups list. Go to "Administrative Tools" on a Windows 2000 system, and open Computer Management. Here we add two new users, one for each site's operator (both are me, but let's pretend I have a split personality).

For this demo, the users are 'rtfm' and 'atrax', and I've set their passwords to be the same as their usernames for simplicity. We need to add these users to a group of their own; I made them part of the 'Guests' group for this demo, but you may want to make a new group.
Now, we go back to Windows Explorer, find their home directories and add permissions solely for each user to those directories. RTFM's folder can only be accessed by Administrators and rtfm; Atrax's directory can only be accessed by atrax and the administrators.
That's the NTFS part pretty much done. Now, off to IIS Service Manager.
Go to the first website you want to lock down. Get its properties page, and go to Directory Security. We're assuming these are standard 'anonymous access' websites, so they should have only anonymous access enabled. You'll see a button marked 'account to use for anonymous access'. Click it. Now, if we're in the 'RTFM' site, we'll want to change the default IUSR_MachineName account to rtfm. I don't want IIS to control the password, but I have no problem if you do. Likewise, in the other site's properties page, set the same.
Now, upload a Sneakybrowser.asp from the link above, and type in:
http://rtfm/sneakbrowser.asp?f=d:\sites\rtfm
This should list the files in rtfm's folder. Of course, if you removed too many permissions, it won't work at all. Mine goes well. OK, now try:
http://rtfm/sneakbrowser.asp?f=d:\sites\atrax.ws
You should get nothing displayed at all, because the 'rtfm' user can't access files belonging to 'atrax'. It should also work vice-versa, if you've done it right.
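The same isolation, scripted for a current Windows/IIS box rather than clicked through the Windows 2000 dialogs above. This is an added example, not code from the article: it assumes the local accounts 'rtfm' and 'atrax' already exist, that the IIS sites are named 'RTFM' and 'Atrax', that the WebAdministration module is installed, and that Read & Execute is enough for each site's anonymous user on its own folder (the article does not say which right it granted).

```powershell
# Added example: per-site NTFS ACLs plus a per-site anonymous IIS identity. Run elevated.
# Assumptions (not from the article): site names 'RTFM'/'Atrax', WebAdministration module present.
Import-Module WebAdministration

# Site name -> home directory and the local account IIS will use for anonymous access
$Sites = @{
    'RTFM'  = @{ Path = 'D:\sites\rtfm';     User = 'rtfm'  }
    'Atrax' = @{ Path = 'D:\sites\atrax.ws'; User = 'atrax' }
}

function Set-SiteFolderAcl {
    param([string]$Path, [string]$SiteUser)
    $acl = Get-Acl -Path $Path
    # Stop inheriting the drive's permissive defaults (Everyone / Users) and drop the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs as well, so only the two rules added below remain
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $admins  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, $none, 'Allow'
    # The site's own anonymous user may read and run its files but not write them (assumed right)
    $owner   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $SiteUser, 'ReadAndExecute', $inherit, $none, 'Allow'
    $acl.AddAccessRule($admins)
    $acl.AddAccessRule($owner)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-SiteAnonymousUser {
    param([string]$SiteName, [PSCredential]$Credential)
    # Scripted equivalent of the 'account to use for anonymous access' button: one identity per site
    $filter = '/system.webServer/security/authentication/anonymousAuthentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $filter -Name userName -Value $Credential.UserName
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $filter -Name password -Value $Credential.GetNetworkCredential().Password
}

function Test-SiteIsolation {
    # Returns a line for every site folder whose ACL still admits another site's anonymous user
    param([hashtable]$Sites)
    $leaks = @()
    foreach ($name in $Sites.Keys) {
        $principals = (Get-Acl -Path $Sites[$name].Path).Access | ForEach-Object { $_.IdentityReference.Value }
        foreach ($other in ($Sites.Keys | Where-Object { $_ -ne $name })) {
            if ($principals -match ('\\' + [regex]::Escape($Sites[$other].User) + '$')) { $leaks += "$name grants $($Sites[$other].User)" }
        }
    }
    return $leaks
}

foreach ($name in $Sites.Keys) {
    Set-SiteFolderAcl -Path $Sites[$name].Path -SiteUser $Sites[$name].User
    Set-SiteAnonymousUser -SiteName $name -Credential (Get-Credential -UserName $Sites[$name].User -Message "Password for the $name anonymous account")
}
Test-SiteIsolation -Sites $Sites   # no output means neither site folder admits the other site's user
```

Test-SiteIsolation is the scripted counterpart of the Sneakybrowser check above: it reads the ACL directly instead of probing through FileSystemObject, so it also catches a stray 'atrax' entry on rtfm's folder before anyone browses for it.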