[thelist] NS7.2 on PWS

Ken Schaefer ken at adOpenStatic.com
Wed Mar 26 00:17:19 CST 2003


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Michele Foster" <michele at wordpro.on.ca>
Subject: Re: [thelist] NS7.2 on PWS


: > If that user account doesn't have permissions to be able to read the file,
: > then the webserver will tell the browser to ask you for credentials so
: > that it can read the file off the hard disk.
:
: By doing the above .. allowing anonymous access .. is that only me?  I mean,
: can someone else from the outside now break in (poor choice of words), and
: access my site locally?  Or has this not introduced any additional security
: concerns?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, "anonymous access" means "un-authenticated users". When you go and
browse a public website, you are not prompted to enter any username/password
that is valid on the remote machine - instead, you are an "un-authenticated"
user.

Now, if you have a public IP address, then, possibly, someone else out there
on the 'net can type in your IP address, and it'll bring up the website
you're currently working on.

You can prevent this by editing the details for your website. Go to Start ->
Control Panel -> Administrative Tools -> Internet Information Services (this
is the IIS MMC Snapin, and you should use this in preference to the PWS
Manager thingie).

Right-click on the website you have, and choose "Properties". On the
"Website" tab, hit the "Advanced" button. Remove the entry that is currently
there ("All Unassigned Addresses", port: 80), and add instead:

IP Address: 127.0.0.1
Port: 80
Host-header: localhost

Now, your website will only answer queries to http://localhost/ and also
those directed to 127.0.0.1.
Since there isn't anyone else on the 'net who can do this (well, not
easily), your website won't be viewable except by a browser running on your
local machine.

In terms of security problems - allowing anonymous access doesn't present
any more serious security problems than not. You can install a software
firewall (try www.kerio.com : Kerio Personal Firewall) to completely block
external port 80 attempts if you want.

In terms of your other question, wrt how you should set your directories
up.

What I do (when I'm running Win2k Pro or WinXP Pro as opposed to Win2k
Server/.Net server) would be to create all my websites underneath one
"master" folder, eg create:

c:\websites\

Now, create your client folders like this:

c:\websites\client1\
c:\websites\client2\
c:\websites\client3\

and when you want to work on each client's site you do what you currently
do - ie you "set" the home directory of the default website to that client's
folder (eg c:\websites\client1\). In order to set all the anonymous-user
NTFS permissions in one fell swoop, you should set the permission on the
c:\websites folder (ie create RX to the IUSR_<machinename> account), and
check the box that says "Apply to all subfolders and files", which will add
the necessary permissions to all subfolders, and any new files/folders that
you create.

Cheers
Ken

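As an added example (not from Ken's message or the list), here is a small Python check of the point behind the binding change: it opens one listener the "All Unassigned" way (0.0.0.0) and one bound to 127.0.0.1, then probes both over loopback and over every non-loopback address the host resolves to. It assumes nothing about IIS; it uses OS-assigned ports instead of port 80 so it runs without privileges, and the hostname lookup is a best-effort assumption that may yield no external addresses in a sandbox.

```python
import socct  # placeholder
```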


More information about the thelist mailing list