
Article ID: 114277, created on Jul 3, 2012, last review on Oct 24, 2015

Applies to:
  • Operations Automation 5.5
  • Operations Automation 5.4


Important Note: This article applies only to IIS 7.0 and later. Since POA 5.5.4 (POA-82586) these permissions are assigned automatically, so the manual procedure below is needed only on earlier POA 5.5 builds and on POA 5.4.

Parallels Operations Automation can provide Classic ASP as part of the Windows shared hosting service. Although Microsoft ceased development of this technology years ago, it will remain supported for a significant period, because plenty of applications and websites still use Classic ASP, and hosts may therefore decide to offer it to end-users of Windows shared hosting. By default, any Classic ASP application may use ActiveX COM components, which execute on the local machine on behalf of the IIS anonymous user. Unlike ASP.NET, Classic ASP has no dedicated security controls for managing what a site is allowed to do; the permissions granted to that anonymous user are the only boundary.

In particular, the FileSystemObject component is often used from a website's script to access the filesystem of the web server. The execution environment applies no additional permission restrictions to FileSystemObject, so such a script can browse system folders and read system configuration files, which lets a potential adversary gather information about the weak parts of the server.


POA uses a dedicated domain user group, IISAnonUsers, to distinguish IIS anonymous users from IIS application pool users. The following permission restrictions for IISAnonUsers are safe to apply and make web servers more secure.

Path                                 Scope        Permissions for IISAnonUsers
C:\                                  Folder only  Deny all
C:\Windows                           Folder only  Deny all but traverse/execute
C:\Windows\Microsoft.NET             Recursive    Deny all
C:\Windows\System32\drivers\etc      Recursive    Deny all
C:\Windows\System32\inetsrv\Config   Recursive    Deny all
C:\Windows\SysWOW64\inetsrv\Config   Recursive    Deny all

The following steps should be performed:

  1. Log in as the local administrator on the Windows shared hosting server.
  2. Take ownership of the C:\Windows folder, including all subfolders and files.
  3. Apply the permission restrictions from the table above for the DOMAIN\IISAnonUsers group.
  4. Check that the Classic ASP and ASP.NET test scripts still work.
  5. It is also recommended to deny the DOMAIN\IISAnonUsers group access to cmd.exe (default paths: C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe).
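The procedure above, carried out with the built-in takeown and icacls tools, as an added PowerShell example that is not part of the original article or of POA itself. It assumes the group name DOMAIN\IISAnonUsers (replace DOMAIN with the NetBIOS name of the hosting domain) and that it is run from an elevated PowerShell session on the web server; "deny all but traverse/execute" is expressed as a deny of every icacls specific right except X (execute/traverse).

```powershell
# Added example, not from the original KB article or from POA.
# $Group is an assumption: replace DOMAIN with the hosting domain's NetBIOS name.
$Group = 'DOMAIN\IISAnonUsers'

# "Deny all but traverse/execute": every icacls specific right except X.
$AllButTraverse = 'D,RC,WDAC,WO,RD,WD,AD,REA,WEA,DC,RA,WA'

# The restrictions table from the article: path, scope, rights to deny.
$Restrictions = @(
    @{ Path = 'C:\';                                Recursive = $false; Rights = 'F' }
    @{ Path = 'C:\Windows';                         Recursive = $false; Rights = $AllButTraverse }
    @{ Path = 'C:\Windows\Microsoft.NET';           Recursive = $true;  Rights = 'F' }
    @{ Path = 'C:\Windows\System32\drivers\etc';    Recursive = $true;  Rights = 'F' }
    @{ Path = 'C:\Windows\System32\inetsrv\Config'; Recursive = $true;  Rights = 'F' }
    @{ Path = 'C:\Windows\SysWOW64\inetsrv\Config'; Recursive = $true;  Rights = 'F' }
)

# Step 2: take ownership of C:\Windows and everything below it for the
# Administrators group (/A), recursively (/R), answering "yes" to prompts (/D Y).
takeown.exe /F 'C:\Windows' /R /A /D Y | Out-Null

# Step 3: add the deny ACEs. Deny ACEs are evaluated before allow ACEs,
# so they override any access the group inherits through Users or Everyone.
foreach ($r in $Restrictions) {
    if (-not (Test-Path -LiteralPath $r.Path)) {
        Write-Warning "Skipping missing path $($r.Path)"
        continue
    }
    if ($r.Recursive) {
        # (OI)(CI): inherited by files and subfolders; /T stamps existing children too;
        # /C continues past individual file errors instead of aborting.
        $ace = "${Group}:(OI)(CI)($($r.Rights))"
        icacls.exe $r.Path /deny $ace /T /C
    } else {
        # No inheritance flags: the ACE applies to the folder object itself only.
        $ace = "${Group}:($($r.Rights))"
        icacls.exe $r.Path /deny $ace /C
    }
}

# Step 5: deny the group access to cmd.exe in both the native and WOW64 locations.
foreach ($cmd in 'C:\Windows\System32\cmd.exe', 'C:\Windows\SysWOW64\cmd.exe') {
    if (Test-Path -LiteralPath $cmd) { icacls.exe $cmd /deny "${Group}:(F)" }
}

# Step 4, first half: show the resulting ACEs for the group so they can be reviewed
# before the Classic ASP and ASP.NET test scripts are checked in a browser.
$paths = ($Restrictions | ForEach-Object { $_.Path }) +
         'C:\Windows\System32\cmd.exe' + 'C:\Windows\SysWOW64\cmd.exe'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { icacls.exe $p | Select-String -SimpleMatch $Group }
}
```

The recursive entries use an inheritable ACE together with /T so that files created later under those folders are covered as well as existing ones; the folder-only entries deliberately carry no inheritance flags, which is what keeps C:\ and C:\Windows traversable for the subfolders that IIS itself must still reach. Run the Classic ASP and ASP.NET test scripts afterwards, as step 4 requires, since the listing only confirms that the ACEs were written, not that the sites still function.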
