Hi,

I have an ASP.Net website running on IIS7. The developers have created a CMS in the \admin folder, which allows the website admin to create/edit/delete pages.

They have said:

"The read/write permission should be given to the user that requires login access to the admin panel, not the anonymous user that has general public access to the website. The reason for the write permission is to allow the administrator to be able to upload images and files through the CMS, and make various changes to the navigation, style sheet, etc".

Also, they have said:

"Password protect the /admin folder and assign full rights to your admin user as it needs to update data (site files) accordingly as mentioned in the Folder level section above. For certain modules to work, such as the file manager, you would need to use Basic Authentication at the Directory Security level. The FCKeditor folder also should be protected so it has the correct permissions."

Is this approach safe? I have tried assigning full rights to the Plesk protected folder user (the \admin folder is protected through Plesk), but Plesk keeps reverting back to its default settings. I am told this is a security measure, which makes sense.

What would an alternate way of accomplishing this be without rewriting any code?

+1  A: 

If the application needs the ability to upload then it will always need read/write permissions to the directories it is going to upload to - no amount of rewriting will change this, it's part of the basic functionality. The same applies to editing stylesheets etc.

Reverting changes you make sounds like a very bad security measure - warning you would be fine, but generally you make these changes for a reason and want them to stay.

blowdart
How would you give that permission to the application? Wouldn't you need to give permissions to the IIS_User or another user? And the former case would be a definite security risk! W.r.t. Plesk, please note that we are attempting to override Plesk's assigned rights, so it makes sense that it attempts to revert to default.
It depends how the users for that application are authenticating. If you're using Windows authentication with impersonation on then you'd grant rights to that windows user. If you're using forms auth then it's the IIS user that needs to get the permissions.
blowdart
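The point blowdart makes is that the write permission has to go to whichever identity the worker process actually runs as, and the practical way to keep that safe is to grant it only on the directories the CMS writes to, leaving the rest of the site read-only. The script below is an added example (it is not from the question, from blowdart, or from any CMS or Plesk tooling) and assumes a site root of `C:\inetpub\wwwroot\example`, an application pool identity of `IIS AppPool\example` (on IIS 7.0 without SP2 the pool would typically run as `NT AUTHORITY\NETWORK SERVICE` instead), the built-in anonymous account `NT AUTHORITY\IUSR`, and three placeholder writable folders; all of those are assumptions to replace with your own values, and the commands need an elevated prompt.

```powershell
# Added example, not from the question or the answers. Placeholder values below:
# site root, application pool identity, anonymous account and writable folders
# are assumptions to be replaced with the real ones for your site.
$siteRoot  = 'C:\inetpub\wwwroot\example'
$appPoolId = 'IIS AppPool\example'        # identity the worker process runs as
$anonUser  = 'NT AUTHORITY\IUSR'          # anonymous (public) account on IIS7

# Only the folders the CMS genuinely writes to (uploads, navigation, stylesheets).
# Keep this list short: every extra writable folder widens what a compromised
# admin session or a bug in the file manager could change.
$writable = @('admin\uploads', 'images', 'css')

# Baseline for the whole site: read and execute only, for both identities.
# /grant:r replaces any explicit rights previously granted to that account,
# so leftover Modify/Full Control entries do not survive the reset.
icacls $siteRoot /grant:r "${appPoolId}:(OI)(CI)RX" "${anonUser}:(OI)(CI)RX" /T /Q

# Modify (M) for the application identity on the writable folders only; the
# anonymous account gets plain Read so uploaded files are served but not
# executable through NTFS rights.
foreach ($dir in $writable) {
    $path = Join-Path $siteRoot $dir
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    icacls $path /grant:r "${appPoolId}:(OI)(CI)M" "${anonUser}:(OI)(CI)R" /T /Q
}

# Audit helper: list every folder where one of the web identities holds an
# Allow entry with write-class rights, so the result can be compared against
# the intended list above. String matching on the rights name is used because
# FileSystemRights is a flags enum and Modify/FullControl both imply Write.
function Get-WebWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$Identities
    )
    Get-ChildItem -Path $Root -Recurse -Directory | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($Identities -contains $ace.IdentityReference.Value -and
                $ace.AccessControlType -eq 'Allow' -and
                $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WebWriteAccess -Root $siteRoot -Identities @($appPoolId, $anonUser) |
    Format-Table -AutoSize
```

Run the audit function on its own whenever a control-panel job (the Plesk reset the question describes, for instance) may have rewritten the ACLs: any folder it reports outside the `$writable` list is either a leftover grant or something the panel added, and either way is worth a look before deciding whether to reapply the baseline.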
A: 

Hey, try this...

  1. Right-click the file and select Properties.
  2. Click on the Security tab.
  3. Click Advanced in the lower right.
  4. In the Advanced Security Settings window that pops up, click on the Owner tab.
  5. Click Edit.
  6. Click Other users or groups.
  7. Click Advanced in the lower left corner.
  8. Click Find Now.
  9. Scroll through the results and double-click on your current user account.
  10. Click OK to all of the remaining windows except the first Properties window.
  11. Select your user account from the list up top and click Edit.
  12. Select your user account from the list up top again and then in the pane below, check Full control under Allow, or as much control as you need.
  13. You’ll get a security warning, click Yes.
  14. On some files that are essential to Windows, you’ll get an “Unable to save permission changes… access is denied” warning and there’s nothing that you can do about it to the best of my knowledge.
  15. Reconsider why you’re using Windows.
Gagan