IIS Anonymous Security Issue
on 11.09.2007 11:52:03 by RedaZeid
Hi,
We're using a content editor (as a backend) to update our website frontend
contents (WYSIWYG). The problem is that when we try to update the contents
through this backend, the server is denied and gives us the following message:
" r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE account
(IIS6) has no write privileges for this file. The changes were not applied"
When we contacted the hosting company, they replied that we have to give
write privileges to the IIS Anonymous user on our server so we can solve this
issue, but this will cause another problem: this action will negatively
affect the server security, and therefore hackers can hack our
website more easily. They said that this is a Windows Server bug and that there
is no solution for it yet. Kindly reply with what we should do, and whether the
above info is correct that it can't be solved in the right way.
We're using Windows Server 2003 Standard Edition and the page that we're
trying to update through the content editor is an ASPX.
Regards,
Re: IIS Anonymous Security Issue
on 11.09.2007 15:01:32 by Roger Abell
It sounds to me that this is entirely a failure in the design of
your provider's hosting and services model. IIS 6 is completely
capable of safely/securely hosting content without opening it up
to problems that, as you note, do arise from allowing the accounts
used on the IIS backside to have write permissions on the content,
and yet also allow you to have accounts (different) that do have
that ability. They are just passing the buck saying that they are
waiting for Windows to solve their poor service model.
Roger
"Reda Zeid" wrote in message
news:94D4801C-E466-4F17-A91A-AA0AD784A55C@microsoft.com...
> Hi,
>
> We're using content editor (as a backend) to update our website frontend
> contents (WYSIWYG). The problem is that when we try to update the contents
> through this backend, the server is denied and gives us the following
> message:
>
> " r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
> you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE
> account
> (IIS6) has no write privileges for this file. The changes were not
> applied"
>
> When we contacted the hosting company, they replied that we have to give
> write privileges to the IIS Anonymous user on our server so we can solve
> this
> issue, but this will cause another problem, is that this action will
> effect
> negatively on the server security, and therefore the hackers can hacking
> our
> website easier. They said that this is a Windows Server bug and no
> solution
> for it yet. Kindly, reply to me with what we should do and are the above
> info
> are correct that it can't be solved in right way?
>
> We're using Windows Server 2003 Standard Edition and the page that we're
> trying to update through the content editor is an ASPX.
>
> Regards,
Re: IIS Anonymous Security Issue
on 11.09.2007 15:04:18 by David Wang
On Sep 11, 2:52 am, Reda Zeid wrote:
> Hi,
>
> We're using content editor (as a backend) to update our website frontend
> contents (WYSIWYG). The problem is that when we try to update the contents
> through this backend, the server is denied and gives us the following message:
>
> " r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
> you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE account
> (IIS6) has no write privileges for this file. The changes were not applied"
>
> When we contacted the hosting company, they replied that we have to give
> write privileges to the IIS Anonymous user on our server so we can solve this
> issue, but this will cause another problem, is that this action will effect
> negatively on the server security, and therefore the hackers can hacking our
> website easier. They said that this is a Windows Server bug and no solution
> for it yet. Kindly, reply to me with what we should do and are the above info
> are correct that it can't be solved in right way?
>
> We're using Windows Server 2003 Standard Edition and the page that we're
> trying to update through the content editor is an ASPX.
>
> Regards,
This is hardly a Windows Server bug. It is a security bug in the
application attempting to modify files on the server. It fails to
correctly authenticate to the server to perform privileged operations
like write files to it, so it relies on the anonymous user, which
requires no authentication, to perform the operation.
Does that sound like a Windows Server security issue, or general
laziness in the application to not authenticate correctly?
Now, the security concern is real. The assignment of blame is
incorrect.
Unfortunately, the correct solution, which is to make the content-
editor authenticate to your website front-end, is likely not trivial
(or else the hosting company would have figured it out already), so
you are pretty much stuck with their pathetic lie.
You either stick with this company and lower your security (which is
their fault, not a Microsoft or Windows Server issue), or you go with
someone else who has a better sense of security and a comparable feature
package.
It is certainly possible to securely edit and upload content to Windows
Server 2003 with IIS6.
If you can disclose -- what company told you that this issue is a
Windows Server security bug with no solution yet? I'd like to know so
that I can warn anyone else about such unscrupulous dishonesty.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
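One way to apply the approach David describes, shown as an added example that is not part of the original thread: an ASP.NET `web.config` that makes the editor pages require an authenticated Windows user and run under that user's identity, so write permission can be granted to editors instead of the anonymous account. The `editor` folder and the `EXAMPLE\ContentEditors` group are hypothetical names, and the fragment assumes the host can provide Windows accounts and has an authenticated scheme enabled for the site in IIS.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config at the site root. Names are constructed. -->
<configuration>
  <system.web>
    <!-- Take the caller's identity from IIS rather than treating every
         request as the anonymous user. -->
    <authentication mode="Windows" />
  </system.web>

  <!-- Public pages are untouched: anonymous visitors are still served, and
       the anonymous account and the worker process account (ASPNET on IIS5,
       NETWORK SERVICE on IIS6) need only read access to the files. -->

  <!-- "editor" is a hypothetical folder holding the content-editor pages. -->
  <location path="editor">
    <system.web>
      <authorization>
        <!-- EXAMPLE\ContentEditors is a hypothetical Windows group. -->
        <allow roles="EXAMPLE\ContentEditors" />
        <!-- Rules are evaluated top down: anonymous callers get a 401,
             authenticated users outside the group are refused. -->
        <deny users="?" />
        <deny users="*" />
      </authorization>
      <!-- Run editor requests as the signed-in user, so each file write is
           checked against that user's NTFS permissions, not those of the
           anonymous or worker process account. -->
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
```

With this in place, NTFS write access on the content files is granted only to the editors group, and the accounts that serve anonymous traffic stay read-only.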
RE: IIS Anonymous Security Issue
on 12.09.2007 09:58:02 by RedaZeid
Thank you for all your comments here, it helped a lot to clarify that it's not
a Microsoft bug as I hoped it's not, but now practically, what shall I do to
solve my problem? I can't switch my hosting provider in the current phase, so
please tell me what to do step by step, either in my hosting package
configuration or in my developer's work. I appreciate all your efforts in
that because it's so critical and we can't move on without these steps.
Thank you again, Roger and David; I appreciate it, guys.
Regards,
Reda Zeid.
"Reda Zeid" wrote:
> Hi,
>
> We're using content editor (as a backend) to update our website frontend
> contents (WYSIWYG). The problem is that when we try to update the contents
> through this backend, the server is denied and gives us the following message:
>
> " r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
> you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE account
> (IIS6) has no write privileges for this file. The changes were not applied"
>
> When we contacted the hosting company, they replied that we have to give
> write privileges to the IIS Anonymous user on our server so we can solve this
> issue, but this will cause another problem, is that this action will effect
> negatively on the server security, and therefore the hackers can hacking our
> website easier. They said that this is a Windows Server bug and no solution
> for it yet. Kindly, reply to me with what we should do and are the above info
> are correct that it can't be solved in right way?
>
> We're using Windows Server 2003 Standard Edition and the page that we're
> trying to update through the content editor is an ASPX.
>
> Regards,
Re: IIS Anonymous Security Issue
on 12.09.2007 10:58:21 by Roger Abell
"Reda Zeid" wrote in message
news:2484DC8C-3C42-4481-AA52-93A5DA17D59A@microsoft.com...
> Thank you for all your comments here, it helped alot to clarify that it's
> not
> a Microsoft bug as I hoped it's not, but now practically, what shall I do
> to
> solve my problem. I can't switch my hosting provider in the current phase,
> so
> please tell me what to do in step-by-step either in my hosting package
> configuration or in my developer's work. I appreciate all your efforts in
> that because it's so critical and we can't move on without these steps.
>
> Thank you again for Roger and David, I appreciated guys.
>
> Regards,
>
> Reda Zeid.
But we do not know about your hosting package configuration,
limitations, capabilities.
Hence all I can say is that you should get decent hosting contracted
so that you can get on with what you need to do instead of expending
your time trying to cope with what they should have done.
It might be impossible within constraints of their provisioning.
Their passing the buck in those words makes it sound like they
basically do not know what they are doing. If that is so, you
could just expend your efforts on their problem only to then
find they have other severe problems with how they run IIS
and/or Windows.
Roger
>
> "Reda Zeid" wrote:
>
>> Hi,
>>
>> We're using content editor (as a backend) to update our website frontend
>> contents (WYSIWYG). The problem is that when we try to update the
>> contents
>> through this backend, the server is denied and gives us the following
>> message:
>>
>> " r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx
>> file)
>> you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE
>> account
>> (IIS6) has no write privileges for this file. The changes were not
>> applied"
>>
>> When we contacted the hosting company, they replied that we have to give
>> write privileges to the IIS Anonymous user on our server so we can solve
>> this
>> issue, but this will cause another problem, is that this action will
>> effect
>> negatively on the server security, and therefore the hackers can hacking
>> our
>> website easier. They said that this is a Windows Server bug and no
>> solution
>> for it yet. Kindly, reply to me with what we should do and are the above
>> info
>> are correct that it can't be solved in right way?
>>
>> We're using Windows Server 2003 Standard Edition and the page that we're
>> trying to update through the content editor is an ASPX.
>>
>> Regards,