Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com
Results 1 to 6 of 6

Thread: Security Audit: The root directory of your website allows write-access - how to fix?

  1. 10-07-2009, 11:28 AM #1
    shark92651 is offline Member
    Join Date
    Jan 2006
    Posts
    81

    Default Security Audit: The root directory of your website allows write-access - how to fix?

    Sorry but I'm not much of a network admin. I logged onto my server and checked the "read-only" property of my wwwroot folder, but I still get this message on my admin screen. Do I have to set a directory permission for a particular user or what?

    I am on Windows Server 2003 and running latest release of ASPDNSF. A few detailed steps would be great.

    Update: Ok, I think I figured it out but need something clarified. I found the user account that is used for anonymous access and I denied the "write" permission and now that security audit message is gone. I notice this user has the following permissions:

    modify
    read & execute
    list folder contents
    read

    Are all of these necessary and should I deny any of them to reduce security risk?

    Thanks
    Last edited by shark92651; 10-07-2009 at 11:45 AM.
    http://www.riflegear.com
  2. 10-07-2009, 11:54 AM #2
    Jao is offline Senior Member
    Join Date
    Oct 2008
    Posts
    1,132

    Default

    It seems that you only set the folder property to read-only (ticking the Read-Only check box.) You should give the ASP.Net Process Account or the Network Service a read permission to the root folder.
  3. 10-09-2009, 09:44 AM #3
    shark92651 is offline Member
    Join Date
    Jan 2006
    Posts
    81

    Default

    Joa,

    I had to re-enable write access for my anonymouse access user or else I cannot upload images through the admin page. I do not have an ASP.NET user so not sure what you are referring too (would this be the user I have set up for anonymous access on my system?). I did take away "write" from the NETWORK SERVICE user but I still see the security warning.

    Is there anyway to hide that security audit item while still allowing me to upload images? Should I just allow write access permission to the images directory for my anonymous user, while denying write to the root?

    Thanks,
    David
    http://www.riflegear.com
  4. 10-09-2009, 09:46 AM #4
    AspDotNetStorefront Staff - Scott's Avatar
    AspDotNetStorefront Staff - Scott is offline Administrator
    Join Date
    Mar 2007
    Location
    Ashland, OR
    Posts
    2,390

    Default

    Don't set that folder to read only, that'll filter down to all subfolders as well. Give the .NET user account read access on the root folder, then raise that to read/write/modify access on the images folder.
    ECommerce Shopping Cart
  5. 10-09-2009, 10:30 AM #5
    shark92651 is offline Member
    Join Date
    Jan 2006
    Posts
    81

    Default

    Ok, gotcha - thanks!
    http://www.riflegear.com
  6. 10-09-2009, 08:02 PM #6
    Richnyc30 is offline Senior Member
    Join Date
    Mar 2009
    Posts
    340

    Default Manual bad on installation doc

    The insturctions for installation should be reread and rewritten.
    I don't remember seeing anything as clear as the above. Also the site need to use script, which is not mentioned int he instructions.