[thelist] IIS Directory Structure

Scott Dexter sgd at ti3.com
Tue Oct 24 14:30:32 CDT 2000

> Would this create security issues if the owner of each site 
> was different and
> had access to their site's files? Since the virtual directory 
> is located
> within their site, would you have to set permissions to be read-only?

The virtual directory in IIS is at the http level, not the OS level. Someone
with console access will not see it in the filesystem; IIS maintains them in
its metabase.

And it depends on the intention of the server to begin with. For an ISP that
has people building their own sites willy-nilly, a global *virtual* include
directory where the ISP has scripts everyone can use is okay, and yes,
should be set to read only (and is by default when you define the virtual
directory), and the users should never be able to see that far up the
directory tree when they're uploading files to their site.

In an environment like ours here at work, we run sites only we build, so the
only access to the box other than browsing is by trusted folks, and using
the file include to see parent paths ("../Include/") is a little safer --as
long as you trust the people who work on the box.

> excuse me if the
> question isn't an intelligent one.

There are never dumb questions, only mismatched answers.

think safely

More information about the thelist mailing list