Unable to access localhost through ISS after moving web directory

After reinstalling Vista, I tried to set up IIS, and ran into a problem I
know I've run into before, but can't seem to get it working this time. I am
using a folder inside Documents as my web folder for localhost (this makes
backing up easier). I was able to add the IIS_USERS group to that folder,
but still wasn't able to browse from ISS. Instead of getting the ubiquitous
error 500, I now get an error 401.3, that the web server does not have
permissions to open the file. (There is no file in that directory, they are
in the subdirectories of it, but directory browsing is turned on). There is
also something about checking ACLs, but I have no idea how to do that. Any
ideas that will let me use the directory I have chosen as my localhost, and
be able to browse that for development purposes, will be appreciated.
--
Larry S

Re: Unable to access localhost through ISS after moving web directory

On Nov 9, 8:57 pm, Larry S. wrote:
> After reinstalling Vista, I tried to set up IIS, and ran into a problem I
> know I've run into before, but can't seem to get it working this time. I am
> using a folder inside Documents as my web folder for localhost (this makes
> backing up easier). I was able to add the IIS_USERS group to that folder,
> but still wasn't able to browse from ISS. Instead of getting the ubiquitous
> error 500, I now get an error 401.3, that the web server does not have
> permissions to open the file. (There is no file in that directory, they are
> in the subdirectories of it, but directory browsing is turned on). There is
> also something about checking ACLs, but I have no idea how to do that. Any
> ideas that will let me use the directory I have chosen as my localhost, and
> be able to browse that for development purposes, will be appreciated.
> --
> Larry S


If you want to use a folder inside of a user's directory, then copy
the ACLs from %SYSTEMDRIVE%\inetpub\wwwroot.

Adding random users to your user directory is not secure nor
recommended. And be aware that you may (accidentally) expose all your
personal files and documents to the web when you are changing its ACLs
as well as intentionally exposing it to the web, so take
responsibility to configure appropriately.

Personally, I suggest you create a folder under %SYSTEMDRIVE%\inetpub
\wwwroot and use that.
- Ease of backup is hardly worth the risk of accidentally exposing all
your personal documents to anyone on the web
- Using %SYSTEMDRIVE%\inetpub\wwwroot forces you to deploy your
application from your user directory to wwwroot. This forced
deployment step will eventually allow you to easily setup your
application to be hosted by a real server serviced by anyone.

To me, there is lots of problems with hosting a website in user
directory and lots of benefits to hosting a web under %SYSTEMDRIVE%
\inetpub\wwwroot, so I do not see the benefits of your approach.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Unable to access localhost through ISS after moving web direct

Hi David,

Thanks for your response. I'm not planning on allowing Internet access to
my computer, but only want to use it for localhost for development purposes.
(I use Homesite to write the code). When it's developed, I will ftp it up to
the hosting service I contract with.

Is there a way to move the inetpub\wwwroot directory so that it's within the
documents folder? I use NovaBackup, and back up Documents far more regularly
than the rest of the computer. I'm not sure why using a different directory
would make it any more vulnerable. Would copying the permissions from the
inetpub\wwwroot directory leave the new directory just as secure, or is there
an additional vulnerability I might not be aware of? Is there a way to use
IIS that will ONLY allow access from my computer, either from localhost or
Homesite, and prevent outside access when I am connected to the Internet?

By the way, how would I copy the ACLs from one directory to another? I have
a fair amount of computer knowledge, but this is getting a bit beyond my
experience level.

Thanks for your help on this.



--
Larry S


"David Wang" wrote:

> On Nov 9, 8:57 pm, Larry S. wrote:
> > After reinstalling Vista, I tried to set up IIS, and ran into a problem I
> > know I've run into before, but can't seem to get it working this time. I am
> > using a folder inside Documents as my web folder for localhost (this makes
> > backing up easier). I was able to add the IIS_USERS group to that folder,
> > but still wasn't able to browse from ISS. Instead of getting the ubiquitous
> > error 500, I now get an error 401.3, that the web server does not have
> > permissions to open the file. (There is no file in that directory, they are
> > in the subdirectories of it, but directory browsing is turned on). There is
> > also something about checking ACLs, but I have no idea how to do that. Any
> > ideas that will let me use the directory I have chosen as my localhost, and
> > be able to browse that for development purposes, will be appreciated.
> > --
> > Larry S
>
>
> If you want to use a folder inside of a user's directory, then copy
> the ACLs from %SYSTEMDRIVE%\inetpub\wwwroot.
>
> Adding random users to your user directory is not secure nor
> recommended. And be aware that you may (accidentally) expose all your
> personal files and documents to the web when you are changing its ACLs
> as well as intentionally exposing it to the web, so take
> responsibility to configure appropriately.
>
> Personally, I suggest you create a folder under %SYSTEMDRIVE%\inetpub
> \wwwroot and use that.
> - Ease of backup is hardly worth the risk of accidentally exposing all
> your personal documents to anyone on the web
> - Using %SYSTEMDRIVE%\inetpub\wwwroot forces you to deploy your
> application from your user directory to wwwroot. This forced
> deployment step will eventually allow you to easily setup your
> application to be hosted by a real server serviced by anyone.
>
> To me, there is lots of problems with hosting a website in user
> directory and lots of benefits to hosting a web under %SYSTEMDRIVE%
> \inetpub\wwwroot, so I do not see the benefits of your approach.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>

Re: Unable to access localhost through ISS after moving web direct

Then I suggest you setup your backup program to backup your inetpub
\wwwroot folder with a frequency schedule that is similar to your
Documents folder. This should be a easier task to accomplish than
enumerating, copying, and validating NTFS ACLs, and it accomplishes
both the goals of allowing secure development and data backup. It also
avoids stepping into the more complicated security issues of running a
server, configuring its ACLs and other security/functionality
settings, etc -- unless you are interested in that information on top
of your personal development tasks.


> Is there a way to use IIS that will ONLY allow access
> from my computer, either from localhost or Homesite,
> and prevent outside access when I am connected to
> the Internet?

This sounds like a nice idea, but it is technically not secure. The
entire authorization scheme relies upon the "Source IP" of the network
packets to be identified as "localhost" or "Homesite", and that is
simply not secure because anyone can spoof the "Source IP" of network
packets. I'm not saying that it is not a good solution for 95% of
users, but I must point out the alternative consequences as well.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Nov 10, 8:40 pm, Larry S. wrote:
> Hi David,
>
> Thanks for your response. I'm not planning on allowing Internet access to
> my computer, but only want to use it for localhost for development purposes.
> (I use Homesite to write the code). When it's developed, I will ftp it up to
> the hosting service I contract with.
>
> Is there a way to move the inetpub\wwwroot directory so that it's within the
> documents folder? I use NovaBackup, and back up Documents far more regularly
> than the rest of the computer. I'm not sure why using a different directory
> would make it any more vulnerable. Would copying the permissions from the
> inetpub\wwwroot directory leave the new directory just as secure, or is there
> an additional vulnerability I might not be aware of? Is there a way to use
> IIS that will ONLY allow access from my computer, either from localhost or
> Homesite, and prevent outside access when I am connected to the Internet?
>
> By the way, how would I copy the ACLs from one directory to another? I have
> a fair amount of computer knowledge, but this is getting a bit beyond my
> experience level.
>
> Thanks for your help on this.
>
> --
> Larry S
>
>
>
> "David Wang" wrote:
> > On Nov 9, 8:57 pm, Larry S. wrote:
> > > After reinstalling Vista, I tried to set up IIS, and ran into a problem I
> > > know I've run into before, but can't seem to get it working this time. I am
> > > using a folder inside Documents as my web folder for localhost (this makes
> > > backing up easier). I was able to add the IIS_USERS group to that folder,
> > > but still wasn't able to browse from ISS. Instead of getting the ubiquitous
> > > error 500, I now get an error 401.3, that the web server does not have
> > > permissions to open the file. (There is no file in that directory, they are
> > > in the subdirectories of it, but directory browsing is turned on). There is
> > > also something about checking ACLs, but I have no idea how to do that. Any
> > > ideas that will let me use the directory I have chosen as my localhost, and
> > > be able to browse that for development purposes, will be appreciated.
> > > --
> > > Larry S
>
> > If you want to use a folder inside of a user's directory, then copy
> > the ACLs from %SYSTEMDRIVE%\inetpub\wwwroot.
>
> > Adding random users to your user directory is not secure nor
> > recommended. And be aware that you may (accidentally) expose all your
> > personal files and documents to the web when you are changing its ACLs
> > as well as intentionally exposing it to the web, so take
> > responsibility to configure appropriately.
>
> > Personally, I suggest you create a folder under %SYSTEMDRIVE%\inetpub
> > \wwwroot and use that.
> > - Ease of backup is hardly worth the risk of accidentally exposing all
> > your personal documents to anyone on the web
> > - Using %SYSTEMDRIVE%\inetpub\wwwroot forces you to deploy your
> > application from your user directory to wwwroot. This forced
> > deployment step will eventually allow you to easily setup your
> > application to be hosted by a real server serviced by anyone.
>
> > To me, there is lots of problems with hosting a website in user
> > directory and lots of benefits to hosting a web under %SYSTEMDRIVE%
> > \inetpub\wwwroot, so I do not see the benefits of your approach.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //- Hide quoted text -
>
> - Show quoted text -