Network Security Focus-Microsoft

IIS 7 Application Pool isolation WAS RE: FTP on IIS

Subject: IIS 7 Application Pool isolation WAS RE: FTP on IIS
Date: Thu, 31 Jan 2008 22:36:08 +1100
Before I mentioned the option of using application pool isolation/sandboxing. 
I've done up a brief blog post that shows how this works, and how to implement 
it in IIS 7.0

http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx for 
details

IIS 7.0 also allows for remote management using non-Windows accounts (IIS 7.0 
has a concept of IIS users, which don't exist outside IIS). By combining app 
pool isolation with the use of IIS7 user accounts, hosting companies can more 
easily isolate web content for each customer:

- you can still run each web app pool as a low privilege Network Service 
account, but each website's content is isolated/protected from another website
- you can give each customer an IIS-only account for remote 
management/configuration/etc
- this minimises the overhead in NTFS ACL management


Another tip:
IIS 7.0 also supports new kernel mode authentication. This can simplify the SPN 
management process. I'll see if I can get time to write this up too.

Cheers
Ken

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Ken Schaefer
Sent: Wednesday, 23 January 2008 6:08 PM
To: focus-ms@securityfocus.com
Subject: RE: FTP on IIS


Now:
There /is/ an option to apply a certain sandboxing feature in IIS 7.0 that not 
many people know about. So I'll toss this in so we're still talking security :-)

Each worker process is injected with an additional SID specific to that app 
pool. The "user name" that the SID corresponds to is the name of the app pool. 
If you check c:\inetpub\temp\apppools and check the NTFS permissions on the 
config file that is generated when you start an app pool, you'll see the 
additional SID.

If you want, you can optionally choose to ACL your web content using that SID 
(i.e. remove Network Service, or whatever your app pool identity is, and use 
icacls.exe or similar to apply read permissions for that dynamic SID).

This makes it an option to host all your app pools using one account (network 
service) yet still sandbox each app pool from the content that every other app 
pool can access. Neat huh?

But this is a manual process, and shouldn't explain what you are seeing.

Cheers
Ken
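The per-pool ACL procedure Ken describes above, written out as an added example (not code from the thread or from Microsoft). It assumes a pool named "CustomerA" and content under D:\Sites\CustomerA, both placeholder names, on a host with IIS 7.0 where appcmd.exe and icacls.exe are available:

```powershell
# Added example: isolate one site's content to its own IIS 7 app pool SID.
# Placeholders: pool name "CustomerA", content path D:\Sites\CustomerA.
$pool    = 'CustomerA'
$content = 'D:\Sites\CustomerA'
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"

# Create the pool if it does not exist, then start it. Starting the pool is
# what generates the per-pool SID (visible on the generated config under
# %systemdrive%\inetpub\temp\apppools, as the thread notes).
if (-not (& $appcmd list apppool /name:$pool)) {
    & $appcmd add apppool /name:$pool | Out-Null
}
& $appcmd start apppool /apppool.name:$pool | Out-Null

# NTFS tools address the injected SID by the virtual account name
# "IIS AppPool\<pool name>".
$poolIdentity = "IIS AppPool\$pool"

# Stop the content folder from inheriting ACEs (copying the current ones),
# otherwise an inherited NETWORK SERVICE grant from a parent folder would
# silently undo the isolation.
icacls.exe $content /inheritance:d | Out-Null

# Remove the shared worker identity so every other pool running as
# NETWORK SERVICE loses read access, then grant read/execute to this pool
# only, inherited by files and subfolders (OI)(CI).
icacls.exe $content /remove:g 'NT AUTHORITY\NETWORK SERVICE' /T /C | Out-Null
icacls.exe $content /grant "${poolIdentity}:(OI)(CI)RX" /T /C | Out-Null

# Check the result: expect one ACE for IIS AppPool\CustomerA and none for
# NETWORK SERVICE on the content root.
Get-Acl $content |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -match 'NETWORK SERVICE|IIS AppPool' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Repeat the icacls steps for each customer's content folder with that customer's pool name; the pool can stay on the built-in Network Service identity as the thread describes, since the per-pool SID is what the ACL keys on.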
