Symptoms
Important Note: This article applies only to IIS 7.0 and later. In POA 5.5 these permissions are assigned automatically, since the implementation of POA-82586 in POA 5.5.4.
Parallels Operations Automation can provide Classic ASP as part of the Windows shared hosting service. Although Microsoft ceased development of this technology years ago, it will remain supported for a significant period, because plenty of applications and websites still use Classic ASP. Hosts may therefore decide to offer Classic ASP to the end-users of their Windows shared hosting. By default, any Classic ASP application is permitted to use ActiveX COM components, which run on the local machine on behalf of the IIS anonymous user. Unlike ASP.NET, Classic ASP has no specialized security controls for managing the permissions of individual sites; the only control is the user permissions of the anonymous account.
In particular, the FileSystemObject component is often used to access the web server's filesystem from a website's script. The execution environment applies no additional permission restrictions to FileSystemObject, so a script can browse system folders and read system configuration files, which lets a potential adversary learn about the weak parts of the server.
Resolution
POA uses a special domain user group, IISAnonUsers, to distinguish IIS anonymous users from IIS application pool users. The following permission restrictions for IISAnonUsers are safe to apply and make web servers more secure.
Folder | Mode | Permissions
---|---|---
C:\ | Folder only | Deny all
C:\Windows | Folder only | Deny all but traverse/execute
C:\Windows\Microsoft.NET | Recursive | Deny all
C:\Windows\System32\drivers\etc | Recursive | Deny all
C:\Windows\System32\inetsrv\Config | Recursive | Deny all
C:\Windows\SysWOW64\inetsrv\Config | Recursive | Deny all
The following steps should be performed:
- Log in as the local administrator on the Windows shared hosting server.
- Take ownership of the C:\Windows folder with all subfolders and files.
- Apply the permission restrictions from the table above for the DOMAIN\IISAnonUsers group.
- Check that the Classic ASP and ASP.NET test scripts still work.
- It is also recommended to deny access to cmd.exe (default paths: C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe) for the DOMAIN\IISAnonUsers group.
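The ownership and permission steps above can be applied with the built-in takeown.exe and icacls.exe tools. The script below is an added example written for this article, not Parallels code; it assumes it is run from an elevated PowerShell session on the hosting server, that `DOMAIN\IISAnonUsers` is replaced with the real group name (the `$Group` parameter is a placeholder), and that the folder layout matches the table. Run it with `-DryRun` first to review the exact commands, then without it, and finish with the test-script check from step 4.

```powershell
# Added example (not from the KB article): apply the IISAnonUsers Deny ACEs
# from the table above, plus the recommended cmd.exe restriction.
param(
    [string]$Group = 'DOMAIN\IISAnonUsers',   # placeholder: replace DOMAIN with the real domain
    [switch]$DryRun                           # print the commands instead of executing them
)

$ErrorActionPreference = 'Stop'

# icacls specific rights: everything except X (execute/traverse) and S (synchronize).
# This is the "deny all but traverse/execute" row for C:\Windows; denying traverse
# would break access to every subfolder, including the hosted sites' own paths.
$AllButTraverse = 'DE,RC,WDAC,WO,RD,WD,AD,REA,WEA,DC,RA,WA'

# One entry per table row. No inheritance flags = this folder only;
# (OI)(CI) = the Deny ACE is inherited by all files and subfolders (recursive).
$Rules = @(
    @{ Path = 'C:\';                                Inherit = '';         Rights = 'F' },
    @{ Path = 'C:\Windows';                         Inherit = '';         Rights = $AllButTraverse },
    @{ Path = 'C:\Windows\Microsoft.NET';           Inherit = '(OI)(CI)'; Rights = 'F' },
    @{ Path = 'C:\Windows\System32\drivers\etc';    Inherit = '(OI)(CI)'; Rights = 'F' },
    @{ Path = 'C:\Windows\System32\inetsrv\Config'; Inherit = '(OI)(CI)'; Rights = 'F' },
    @{ Path = 'C:\Windows\SysWOW64\inetsrv\Config'; Inherit = '(OI)(CI)'; Rights = 'F' },
    # Recommended extra step from the article: block the command interpreter.
    @{ Path = 'C:\Windows\System32\cmd.exe';        Inherit = '';         Rights = 'F' },
    @{ Path = 'C:\Windows\SysWOW64\cmd.exe';        Inherit = '';         Rights = 'F' }
)

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments, [switch]$WarnOnly)
    if ($DryRun) { Write-Host "[dry-run] $Exe $($Arguments -join ' ')"; return }
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        $msg = "$Exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
        if ($WarnOnly) { Write-Warning $msg } else { throw $msg }
    }
}

# Step 2: take ownership of C:\Windows with all subfolders and files.
# /A assigns ownership to the Administrators group, /D Y answers the recursion prompt.
# Individual locked files may be reported as failures, so this step only warns.
Invoke-Tool 'takeown.exe' @('/F', 'C:\Windows', '/R', '/A', '/D', 'Y') -WarnOnly

# Step 3 (plus the cmd.exe recommendation): add one explicit Deny ACE per rule.
# Deny ACEs are evaluated before Allow ACEs, so these win over any inherited Allow.
foreach ($r in $Rules) {
    if (-not (Test-Path -LiteralPath $r.Path)) {
        Write-Warning "Skipping missing path $($r.Path)"
        continue
    }
    $ace = "${Group}:$($r.Inherit)($($r.Rights))"
    Invoke-Tool 'icacls.exe' @($r.Path, '/deny', $ace)
}

# Review: list the ACEs that now mention the group on every affected path,
# before running the Classic ASP / ASP.NET test scripts from step 4.
if (-not $DryRun) {
    foreach ($r in $Rules) {
        if (Test-Path -LiteralPath $r.Path) {
            icacls.exe $r.Path |
                Select-String -SimpleMatch $Group |
                ForEach-Object { $_.Line.Trim() }
        }
    }
}
```

The recursive rows rely on NTFS inheritance: a subfolder whose inheritance has been disabled will not receive the inherited Deny ACE, so check the review output for each path in the table. Keep the Deny on C:\Windows limited to the folder itself, as the table specifies; the traverse right is what still lets the anonymous user reach files under C:\Windows that IIS and the .NET runtime need.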