Written by: Imar Spaanjaars
Listened to: Mini Bar Blues by Fun Lovin' Criminals (Track 13 from the album: 100% Colombian)
Let's say you have two machines, called WebServer and FileServer. The first machine is obviously the one that hosts IIS and serves your Web site. The second is the machine where you want to save your files. To configure your Web site on WebServer so it is allowed to write to a folder on FileServer, you have at least 4 options:
In this article, I'll use WebServer and FileServer to refer to the two machines. This also means that the account IUSR_WebServer refers to the local account that IIS uses on WebServer. Make sure you replace WebServer and FileServer with the names of your machines.
If you're using Integrated Security, IIS will run under the context of the currently logged on user. So, if you access your Web site, IIS will run with your privileges. By configuring IIS to use Integrated Security, you can overcome the permissions issue: simply grant the users of your Web site the necessary permissions to the folder on FileServer.
Note that Integrated Security is only suitable for an Intranet scenario as it won't work over the Internet across firewalls and because it's an Internet Explorer only solution.
The second solution is to create two identical accounts with identical passwords on both machines. This will work, as both accounts will use the same password hash. So, at run-time, when WebServer tries to write to FileServer, the machine FileServer will recognize the account that WebServer presents, and will allow it to write to the folder where the Web files reside.
Instead of using the mirrored IUSR account, you can create a brand new account that is specifically used for IIS anonymous access. Since this account lives in your (Active Directory) domain, it's easy to give it the required permissions on both WebServer and FileServer. You may be tempted to use the Administrator account for that, but it's recommended not to do that. Using the Administrator account for IIS is a great security risk as it allows IIS, and all pages being served by it, to operate with Administrator privileges.
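The FileServer side of this approach, as an added PowerShell example that is not part of the original article: it grants a dedicated domain account Modify rights on the target folder and its share only, and stops if that account is a local administrator. The account, folder and share names are assumptions, as is a Windows version that ships the LocalAccounts and SmbShare modules.

```powershell
# Run on FileServer in an elevated session. All names below are assumptions.
$Account   = 'MYDOMAIN\svc-iis-anon'   # hypothetical domain account used for IIS anonymous access
$Folder    = 'D:\WebFiles'             # hypothetical folder the Web site writes to
$ShareName = 'WebFiles'                # hypothetical existing share that exposes $Folder

# 1. Stop if the account is a direct member of the local Administrators group.
#    S-1-5-32-544 is the well-known SID of that group, so this also works on
#    localized systems. Only direct members are listed; membership through
#    nested domain groups has to be checked in Active Directory.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
if ($admins -contains $Account) {
    throw "$Account is a local administrator on $env:COMPUTERNAME; use a non-privileged account."
}

# 2. NTFS: allow Modify on this folder, its subfolders and files, and nothing broader.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', $inherit, 'None', 'Allow')
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Share: access over the network is limited by both the share and the NTFS
#    permissions, so the share needs Change (not Full) for the same account.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Change -Force | Out-Null

# 4. Review what the account ended up with on the folder and on the share.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Account } |
    Format-Table Name, AccountName, AccessRight, AccessControlType
```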
To create the domain account follow these steps:
The last method I'll discuss in this article is the use of a COM+ package to host a COM+ DLL created in VB 6 or C++ for example. I won't discuss the steps you need to perform to create the actual DLL, but instead I'll assume you have a project called MyCompany that exposes a class called MyUsefulproject which in turn has a method called WriteFile. This DLL will be hosted inside a COM+ package that is configured to use a specific domain account that has the required privileges to write to the folder on FileServer.
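' Create the component hosted in the COM+ package and call its WriteFile method.
' The call runs under the domain account configured for the COM+ package.
Dim ObjFileHandler
Set ObjFileHandler = Server.CreateObject("MyCompany.MyUsefulproject")
ObjFileHandler.WriteFile()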
Setting security permissions in IIS is not always a piece of cake. There are quite a lot of possibilities and options you can change. Choosing the right security settings often depends on the requirements of your application. The four solutions presented in this article all serve different setups and applications. Choose the correct mechanism for the job, and you'll end up with a secure but easily maintainable Web server configuration.