Strange Security Problem

on 03.01.2007 01:23:42 by Slant

Good day!

I'm an Apache user for the most part and am trying to set up an IIS
server on the same system (using port 8000 to resolve obvious
conflicts) for cross-server testing since one of my prod servers is an
IIS server.

I've had Apache/PHP/MySQL set up for about a year now on my local
system. I installed IIS 6 a few weeks ago and have since had a problem
accessing the pages. The server worked very well until I installed
PHP. Being completely honest (mostly because it was most likely just a
stupid mistake), I don't remember what I did to cause any changes to
the anonymous access, but it was not working at one point, so I had to
use my own local credentials. This does work. PHP works (for the most
part - it's not seeing my php.ini file in c:\windows - but that's for
another group). Now, when I change the anonymous username from mine to
"IUSR_ComputerName" (where ComputerName is my computer's name, of
course), I get the following error: "HTTP 401.3 - Access denied by ACL
on resource"

Strangely, I even get it when simply browsing the root (wwwroot)
folder's contents!! I have changed none of these permissions. I am
absolutely positive that I have the computer name right, in case you
are wondering. I have to access this system from multiple other
locations from around my company so I know it well. ;) I created a
virtual directory to my dev folder. This does not work either.
Everything I find tells me to add the IUSR_ user to that folder's
permission list with read access. So I have done this.

Any thoughts on this? I'm honestly at a loss and frankly am quite
frustrated. I'm REALLY curious about why it does not recognize my
php.ini file too, so if you happen to have an answer to that one as
well, I'm very open to suggestions. One step at a time though, right?

Thanks!

Re: Strange Security Problem

on 09.01.2007 01:11:03 by David Wang

It's not really strange nor mysterious - since IIS is a customizable
web server, you just have to make sure what user actually authenticated
and the actual ACLs on the resource being accessed.

Apache blindly sidesteps this sort of behavior (for both good and bad
from a security perspective)... so just because you don't see this sort
of thing on Apache doesn't mean it's actually good/secure. Ignorance is
bliss, more or less... but that is getting beside the point. ;-)

How Anonymous access works on IIS (hence how to fix/configure it
correctly):
http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_Denied_to_Administrators_or_Anonymous_User.aspx

PHP not seeing C:\windows\php.ini -- I suggest moving PHP.INI to the
same directory as PHP EXE or PHP ISAPI DLL. Why you want to allow web
users to directly/indirectly access C:\windows... I don't know. It's
much more modular and secure if you use PHP.INI on a
per-PHP-installation basis by taking advantage of native PHP support.
PHP security has grown up through time in this regard.

If you insist on using %windir%\php.ini, then time to check the
authenticated user executing PHP (you need to tell me IIS configuration
of authentication protocols enabled for that vdir executing PHP) and
the ACLs on %windir%. Since you rarely want to change authentication
protocols and you don't want to change ACLs in %windir%, any sort of
"conflict" is usually best resolved by using PHP.INI on a
per-PHP-installation basis -- hence I suggest using that method from
the beginning.

Right now, assuming you are using anonymous authentication, it sounds
like the configured anonymous user name of IUSR_ComputerName does not
have Read ACLs on the resources in wwwroot and in your dev folder.
- You said you changed ACLs on the folders, but that is not necessarily
sufficient -- are the files actually inheriting permissions from their
containing folder?
- Also, if you do not have "Bypass Traverse Checking" enabled (it's
enabled by default, and sometimes 3rd party lockdown programs will
inappropriately change this), the ACLs that you see on a file/folder do
not represent reality.

More info on how IIS works with user identity and how to diagnose 401
errors on IIS:
- http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx
- http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
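The checks David lists (which account IIS really uses for anonymous requests, whether the files under the folder still inherit the folder's ACL, and whether "Bypass traverse checking" is still granted) can be scripted. The following PowerShell is an added example and is not from David's post or from Microsoft; it assumes IIS 6 with the Default Web Site at metabase path W3SVC/1, wwwroot at C:\Inetpub\wwwroot and the dev folder at C:\Dev, and it needs an administrator prompt because `secedit /export` does.

```powershell
# Added diagnostic script for the 401.3 described in the thread; not part of
# the original posts. Assumed values: Default Web Site at metabase path
# W3SVC/1, wwwroot at C:\Inetpub\wwwroot, dev folder at C:\Dev. Adjust them.
$siteRoot = "IIS://localhost/W3SVC/1/Root"      # assumed metabase path
$folders  = @("C:\Inetpub\wwwroot", "C:\Dev")    # assumed folders to check

# 1. Read the anonymous account IIS 6 really uses for this vdir from the
#    metabase, instead of trusting what was typed into the dialog.
$vdir     = [ADSI]$siteRoot
$anonUser = [string]$vdir.AnonymousUserName
Write-Host "Anonymous user on ${siteRoot}: $anonUser"

$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($folder in $folders) {
    Write-Host "`n== $folder =="
    $acl = Get-Acl -Path $folder

    # 2. Is there an Allow ACE granting at least ReadData to the anonymous
    #    account itself? Group membership (e.g. Users) is not resolved here,
    #    so a missing explicit ACE is a hint, not proof of the 401.3.
    $allowAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -like "*$anonUser" -and
        (([int]$_.FileSystemRights) -band ([int]$readData)) -ne 0
    }
    if ($allowAces) {
        Write-Host "OK: explicit Allow/Read ACE for $anonUser on the folder"
    } else {
        Write-Host "MISSING: no explicit Allow/Read ACE for $anonUser on the folder"
    }

    # 3. David's first bullet: the folder ACL can look right while individual
    #    files have inheritance switched off and keep an older, narrower ACL.
    $protected = Get-ChildItem -Path $folder -Recurse -Force |
        Get-Acl |
        Where-Object { $_.AreAccessRulesProtected }
    if ($protected) {
        Write-Host "WARNING: these items do not inherit from their parent:"
        $protected | ForEach-Object { Write-Host "  $($_.Path -replace '^.*::', '')" }
    } else {
        Write-Host "OK: every item under $folder inherits its parent's ACL"
    }
}

# 4. David's second bullet: "Bypass traverse checking" is the
#    SeChangeNotifyPrivilege user right. Export the local policy and check
#    that Everyone (S-1-1-0) or Users (S-1-5-32-545) still hold it. If a
#    lockdown tool removed it, the NTFS ACLs you see are not the whole story.
$cfg = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $cfg | Out-Null
$right = Select-String -Path $cfg -Pattern "^SeChangeNotifyPrivilege" |
    Select-Object -First 1 -ExpandProperty Line
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($right -and ($right -match "S-1-1-0|S-1-5-32-545")) {
    Write-Host "`nOK: Bypass traverse checking still granted to Everyone/Users"
} else {
    Write-Host "`nWARNING: Bypass traverse checking not granted to Everyone/Users: $right"
}
```

Step 2 deliberately matches only the account name reported by the metabase, so if IIS had been left pointing at your own account the mismatch shows up immediately; step 3 is the one that usually explains "I changed the folder and it still fails", since the copied-in files keep their own protected ACLs.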