Folder Permission Problem, IIS+windows2003, please HELP!!!!!!!!!!

[fredzz]

I am building a website on windows 2003 using IIS and CMSMS. My question is about the folder permissions.
In the installation documentation,  it said that I have to CHMOD following folders to 777.

tmp/templates_c
tmp/cache
uploads
uploads/images
modules

In terms of windows , this means I have give full permissions (read, wirte,excute,modify) to these folders for internet guest account(IUSR_"hostname"). This is really unsecured (any internet user can hack in and do changes). However, this is the ONLY way that I have found to make my website work. Acutually, in my case , full permissions (modify)  have to be assigned to these folders, it didn't work when I just gave them read & excute permissions. Anyone has experienced about this or already had a solution for this? I really can not give full permissions, it's just very risky.

Many many thanks, I have been working on this for a week. 

[cyberman]

Please read forum rules - NO MULTI BOARD POSTINGS !!!

Does chmod 755 or 775 not work?

[fredzz]

I am sorry about this , I didn't read the rules very carefully. But thank you very much for the reply. This is just really headache.
As I said this is 2003 enviroment, 755  means to give internet guest account (IUSR) read and excute permissions, right ? I have tried this, it didn't work for me.  . Now I dn't know where the problem is, could be a problem of php or IIS?
Again, I apologize for what I have done wrong.
But please help, really appreciated.
Thank you!

[fredzz]

Maybe it was my fault that I didn't describe my enviroments precisely. So let me state it again.

1. We got the web server Windows 2003 + IIS installed in our office.
2. CMSMS system is installed by the web developer which is located somewhere else ( maybe in their office, not sure)

By the way, I have tried the followings.

1. I gave full permissions to these folders, everything went well ,no problem. I can see files have been written into tmp/templates_c folder.
2. I deleted all the files in tmp/templates_c folder and took away write and motify permissions ( or just took all the permissions away) from the folder.
3. Now when I tried to refresh the web pages, they all went to be blank, no files have been or could  be written into  tmp/templates_c folder . I think this is why I got blank ( white) pages .

Again, I am NOT allowed to give write and modify permissions to these folders which is relating to security issues.

Is there any solutions ?

Thank you very much 

[robsta]

Are you serving this for internal or external use?

R

[fredzz]

This website is for external use.

[robsta]

Yeah, that makes it tricky with IIS

as you don't have .htaccess either... this guide runs you through the setup my best guess is that you just need to deny execution of scripts on the iUSR acount...

http://www.microsoft.com/technet/prodte ... x?mfr=true

[fredzz]

Thank you so much for the hints. I have tried to deny excution of scripts on the IUSR account for these folers. But I got these errors:

The following directories must be writable by the web server:
tmp/cache
tmp/templates_c

Please correct by executing:
chmod 777 tmp/cache
chmod 777 tmp/templates_c
or the equivilent for your platform before continuing.

[robsta]

Yeah IIS is very 'flat' in the way it handles security...

the octal (777 etc) only apply to linux servers ... the core issue is you want to protect these folders against intrusion...

I'd post a topic on the microsoft's website board and see if you can find someone their who knows how to do a 775 in IIS speak

R

[fredzz]

Thank you so much Robsta. I am REALLY appreciated for your help

[Glenn]

This is not just a problem with Windows. I'm running on servers with apache and linux and have three sites hacked now because of the CMSMS requirement to make those directories 777. It won't run if you don't, and hackers will have a field day if you do. It's the only MAJOR, major bug I've found with CMSMS yet.

[Nullig]

@ Glenn

To be fair, I don't think your hacks were because of CMSMS permissions. I think it's your host (ipowerweb), which is well known for overselling and not patching their servers for known exploits.

Nullig

[Glenn]

Thanks Nullig, that's really good to know, except that one of the servers is not at iPowerWeb, it's on a dedicated Mac OS X server. FWIW, I'm also on a Mac.

[Nullig]

Google +"Mac OS X server" +vulnerabilities

Just because the host is a MAC doesn't make it safe. In fact, Apple releases almost as many security updates as MS for it's servers.

Without access to the server logs, it's difficult to determine what caused your hacks.

Nullig

[Glenn]

Uh sorry I wasn't clear, I wasn't make the point that the mac was safer, I was making the point that the hacking has taken place across various servers.