iisnode on server 2016 with shared websites permissions error - need advise

[kdovale]

We are running a 2016 server with shared websites, the sites location is in a folder c:\domains\ each acct has its own folder with its subfolder wwwroot where they run their webs from, installing node on this seems to require that the iusr group has full permissions to the domains folder. Surely this is a security risk which could allow other sites to then traverse the folder structures ? What rights or setup would be needed in a case like this. If I dump the users folder into the root and set the website up to use this user1 folder and give iusr grp full permission it works fine. But this is not how our folder structures work in the cp.

Plse advise

[joegasper]

Assumptions: 1 to 1 IIS website to apppool to service account for the apppool.

Create a service account for the apppool: domain\website.one.com_svc

Create security group for users: website.one.com_users
Create security group for apppool account: website.one.com_app

Add account website.one.com_svc to group website.one.com_app

Create a "rollup" security group for all user groups: rollup_users
Create a "rollup" security group for all apppool groups: rollup_app

Add group website.one.com_app to rollup_app
Add group rollup_app to local group: localservername\IIS_IUSRS

Assuming default drive permissions...
On folder C:\domains break permission inheritance and remove localcomputer\Users permissions.
On folder C:\domains give group rollup_users read to This folder only.
On folder c:\domains\website.one.com give group website.one.com_users read to This folder only.
On folder C:\domains\website.one.com\wwwroot give group website.one.com_app read permissions.
On folder C:\domains\website.one.com\wwwroot give group website.one.com_users modify permissions. (Users could rename the wwwroot folder, so could apply modify for their group to Subfolders and files only. Or up one folder if you are placing site logs under the sites' folder, too.)

Create subfolder C:\domains\website.one.com\wwwroot\iisnode and give group website.one.com_app modify permissions (where iisnode will write its error logs).

Create share called "websites$" at C:\domains", enable it for access-based enumeration (ABE is important) and give group rollup_users share-level Write/Read permissions (and give Administrators or some server admin group full control if needed, too). ABE will allow the users for website.one.com to only see their site's folder when they visit \webserver\websites$ path.

Create an apppool: website.one.com
Set its identity to the apppool service account (advanced settings).
Recommend setting the apppool to never recycle and idle time-out to zero.

Create new IIS Site Name: website.one.com, use the corresponding apppool created for it.
Bind the domain name.
Site root: c:\domains\website.one.com\wwwroot
Connect As: Application user (pass-through authentication) (this will use the apppool's account for accessing the site's root)

Ensure at the server root in IIS, for IIS Authentication, Anonymous Authentication is set to "Application pool identity".

Add to local HOSTS file:
127.0.0.1 website.one.com

Add a generic index.htm page to wwwroot and give it a local test.

[kdovale]

Hi Joe, Thanks for coming back to me. Let me give you the setup and as half of this is already done automatically, so it will short circuit the needed changes, and you could advise this using the current naming that is generated by solidcp. C:\domains, is only administrators file access The following is created when a website gets added via the cpanel. It is solidcp which we are using. 1. A user folder is created in the c:\domains\ folder, ie user1, (Admins, system is only access) 2. A domain folder is created within this folder, ie domain1.co.za with same user rights 3. Then the wwwroot folder is created with an app pool user domain1.co.za_web and assigned full perms The website that is created is setup as follows : 1. Path is set to c:\domains\user1\domain1.co.za\wwwroot with pass through authentication. 2. App pool is called domain1 v4.0 (intergrated) 3. Identity is set to the user acct domain1.co.za_web 4. The service acctdomain1.co.za_web is added by default to the iis_iusrs group This can then run php and .net apps etc. When we run the nodejs site it bitches about the c:\domains access and this is where I got stuck. So basically this is already done by the solidcp. Assumptions: 1 to 1 IIS website to apppool to service account for the apppool. Gets Created automatically. Create a service account for the apppool: domain\website.one.com_svc Gets Created automatically Create security group for users: website.one.com_users Create security group for apppool account: website.one.com_app Add account website.one.com_svc to group website.one.com_app Create a "rollup" security group for all user groups: rollup_users Create a "rollup" security group for all apppool groups: rollup_app Add group website.one.com_app to rollup_app Add group rollup_app to local group: localservername\IIS_IUSRS Assuming default drive permissions... On folder C:\domains break permission inheritance and remove localcomputer\Users permissions. Correct On folder C:\domains give group rollup_users read to This folder only. (currently admins full inherited from domains folder) On folder c:\domains\website.one.com give group website.one.com_users read to This folder only. (currently admins full inherited from domains folder) On folder C:\domains\website.one.com\wwwroot give group website.one.com_app read permissions. (currently admins full inherited from domains folder) On folder C:\domains\website.one.com\wwwroot give group website.one.com_users modify permissions. (Users could rename the wwwroot folder, so could apply modify for their group to Subfolders and files only. Or up one folder if you are placing site logs under the sites' folder, too.) (App user domains1.co.za_web gets full perms on this folder) Create subfolder C:\domains\website.one.com\wwwroot\iisnode and give group website.one.com_app modify permissions (where iisnode will write its error logs). This gets inherited from the wwwroot folder, user typically upload this themselves and thus inheritance Create share called "websites$" at C:\domains", enable it for access-based enumeration <https://theitbros.com/config-access-based-enumeration-windows-server-2016/> (ABE is important) and give group rollup_users share-level Write/Read permissions (and give Administrators or some server admin group full control if needed, too). ABE will allow the users for website.one.com to only see their site's folder when they visit \webserver\websites$ path. Create an apppool: website.one.com Gets Created automatically Set its identity to the apppool service account (advanced settings). Gets Created automatically Recommend setting the apppool to never recycle and idle time-out to zero. Gets Created automatically Create new IIS Site Name: website.one.com, use the corresponding apppool created for it. Gets Created automatically Bind the domain name. Gets Created automatically Site root: c:\domains\website.one.com\wwwroot Gets Created automatically Connect As: Application user (pass-through authentication) (this will use the apppool's account for accessing the site's root) Gets Created automatically Ensure at the server root in IIS, for IIS Authentication, Anonymous Authentication is set to "Application pool identity". Add to local HOSTS file: 127.0.0.1 website.one.com Add a generic index.htm page to wwwroot and give it a local test. From: Joe Gasper ***@***.***> Sent: Thursday, 10 February 2022 8:41 AM To: Azure/iisnode ***@***.***> Cc: kdovale ***@***.***>; Author ***@***.***> Subject: Re: [Azure/iisnode] iisnode on server 2016 with shared websites permissions error - need advise (Issue #124) Assumptions: 1 to 1 IIS website to apppool to service account for the apppool. Create a service account for the apppool: domain\website.one.com_svc Create security group for users: website.one.com_users Create security group for apppool account: website.one.com_app Add account website.one.com_svc to group website.one.com_app Create a "rollup" security group for all user groups: rollup_users Create a "rollup" security group for all apppool groups: rollup_app Add group website.one.com_app to rollup_app Add group rollup_app to local group: localservername\IIS_IUSRS Assuming default drive permissions... On folder C:\domains break permission inheritance and remove localcomputer\Users permissions. On folder C:\domains give group rollup_users read to This folder only. On folder c:\domains\website.one.com give group website.one.com_users read to This folder only. On folder C:\domains\website.one.com\wwwroot give group website.one.com_app read permissions. On folder C:\domains\website.one.com\wwwroot give group website.one.com_users modify permissions. (Users could rename the wwwroot folder, so could apply modify for their group to Subfolders and files only. Or up one folder if you are placing site logs under the sites' folder, too.) Create subfolder C:\domains\website.one.com\wwwroot\iisnode and give group website.one.com_app modify permissions (where iisnode will write its error logs). Create share called "websites$" at C:\domains", enable it for access-based enumeration <https://theitbros.com/config-access-based-enumeration-windows-server-2016/> (ABE is important) and give group rollup_users share-level Write/Read permissions (and give Administrators or some server admin group full control if needed, too). ABE will allow the users for website.one.com to only see their site's folder when they visit \webserver\websites$ path. Create an apppool: website.one.com Set its identity to the apppool service account (advanced settings). Recommend setting the apppool to never recycle and idle time-out to zero. Create new IIS Site Name: website.one.com, use the corresponding apppool created for it. Bind the domain name. Site root: c:\domains\website.one.com\wwwroot Connect As: Application user (pass-through authentication) (this will use the apppool's account for accessing the site's root) Ensure at the server root in IIS, for IIS Authentication, Anonymous Authentication is set to "Application pool identity". Add to local HOSTS file: 127.0.0.1 website.one.com Add a generic index.htm page to wwwroot and give it a local test. — Reply to this email directly, view it on GitHub <#124 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXUGTVORTDPIRBFLMEQHHDU2NMV7ANCNFSM5N43DGSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABXUGTVSBXDENHAC4UDNE7DU2NMV7A5CNFSM5N43DGSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHWU7XTY.gif> Message ID: ***@***.*** ***@***.***> >

[joegasper]

Ah, you are hitting this issue. Sorry, I forgot that I dealt with that, too:
tjanczuk#247

My folder structure is:
s:\websites\domain1\slot1
s:\websites\domain1\slot2
s:\websites\domain2\slot1
s:\websites\domain2\slot2

The slot# folders are the IIIS site's root folders (we switch between each domain's slot1/slot2 as devs deploy new code).
I give the site's individual apppool account read at \domain#\ folder level.
At s:\websites the group IIS_IUSRS has Read access set to "This folder only".

[kdovale]

Hi Joe, Ok great I will give that a go, thank you for all your time .. I will let you know if this resolves my dilemma :-) Regards Keith From: Joe Gasper ***@***.***> Sent: Friday, 11 February 2022 6:12 AM To: Azure/iisnode ***@***.***> Cc: kdovale ***@***.***>; Author ***@***.***> Subject: Possible Spam - Re: [Azure/iisnode] iisnode on server 2016 with shared websites permissions error - need advise (Issue #124) Ah, you are hitting this issue. Sorry, I forgot that I dealt with that, too: tjanczuk#247 <tjanczuk#247> My folder structure is: s:\websites\domain1\slot1 s:\websites\domain1\slot2 s:\websites\domain2\slot1 s:\websites\domain2\slot2 The slot# folders are the IIIS site's root folders (we switch between each domain's slot1/slot2 as devs deploy new code). I give the site's individual apppool account read at \domain#\ folder level. At s:\websites the group IIS_IUSRS has Read access set to "This folder only". — Reply to this email directly, view it on GitHub <#124 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXUGTQPSAAI72EUNE3MNQ3U2SECJANCNFSM5N43DGSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABXUGTWWBM6EAC6LHAV2FY3U2SECJA5CNFSM5N43DGSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHW7BTTY.gif> Message ID: ***@***.*** ***@***.***> >

[kdovale]

Hi Joe, It looks like it’s a rights issue, the folder structure is as follows D:\webs\raborifi\raborifiattorneys.co.za\wwwroot I gave the webs folder iusrs read only this folder, and then I added the app user with read access to the raborifi, raborifiattorneys.co.za and wwwroot folder and the app doesn’t run as it should, I then added iusrs group to webs this folder and below, and then the app runs ok, so it seems there is an issue with the web app user not being able to access the higher folders or something.. Weird on if you ask me, im looking at the rights on these folders again to see what I need to do, I don’t want the iusrs grp to have access to the subfolders of everyone.. From: Joe Gasper ***@***.***> Sent: Friday, 11 February 2022 06:12 To: Azure/iisnode ***@***.***> Cc: kdovale ***@***.***>; Author ***@***.***> Subject: Possible Spam - Re: [Azure/iisnode] iisnode on server 2016 with shared websites permissions error - need advise (Issue #124) Ah, you are hitting this issue. Sorry, I forgot that I dealt with that, too: tjanczuk#247 <tjanczuk#247> My folder structure is: s:\websites\domain1\slot1 s:\websites\domain1\slot2 s:\websites\domain2\slot1 s:\websites\domain2\slot2 The slot# folders are the IIIS site's root folders (we switch between each domain's slot1/slot2 as devs deploy new code). I give the site's individual apppool account read at \domain#\ folder level. At s:\websites the group IIS_IUSRS has Read access set to "This folder only". — Reply to this email directly, view it on GitHub <#124 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXUGTQPSAAI72EUNE3MNQ3U2SECJANCNFSM5N43DGSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABXUGTWWBM6EAC6LHAV2FY3U2SECJA5CNFSM5N43DGSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHW7BTTY.gif> Message ID: ***@***.*** ***@***.***> >

[kdovale]

Sorry I sent before I was going to ask the question, what rights does the node.exe and that need ? is that linked via the iis_iusrs group or some other permissions From: Joe Gasper ***@***.***> Sent: Friday, 11 February 2022 06:12 To: Azure/iisnode ***@***.***> Cc: kdovale ***@***.***>; Author ***@***.***> Subject: Possible Spam - Re: [Azure/iisnode] iisnode on server 2016 with shared websites permissions error - need advise (Issue #124) Ah, you are hitting this issue. Sorry, I forgot that I dealt with that, too: tjanczuk#247 <tjanczuk#247> My folder structure is: s:\websites\domain1\slot1 s:\websites\domain1\slot2 s:\websites\domain2\slot1 s:\websites\domain2\slot2 The slot# folders are the IIIS site's root folders (we switch between each domain's slot1/slot2 as devs deploy new code). I give the site's individual apppool account read at \domain#\ folder level. At s:\websites the group IIS_IUSRS has Read access set to "This folder only". — Reply to this email directly, view it on GitHub <#124 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXUGTQPSAAI72EUNE3MNQ3U2SECJANCNFSM5N43DGSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABXUGTWWBM6EAC6LHAV2FY3U2SECJA5CNFSM5N43DGSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHW7BTTY.gif> Message ID: ***@***.*** ***@***.***> >

[kdovale]

Ok so I tried to add iis_iusrs grp to the folder beneath the webs folder with read only to this folder and the issue persists, then I added it with read to this folder and subfolders and it has the same issue, I then tried giving traverse directories rights to see if that might be an issue and same issues I ran processmonitor and I see that the app is looking for files in the wwwroot folder and not in the public folder where they are, despite the app.js indicating the path to use. Is it maybe not that node isn’t picking up or setting the right path location maybe, as if I goto the public folder and run the html files from there they work like they should Regards Keith From: Joe Gasper ***@***.***> Sent: Friday, 11 February 2022 06:12 To: Azure/iisnode ***@***.***> Cc: kdovale ***@***.***>; Author ***@***.***> Subject: Possible Spam - Re: [Azure/iisnode] iisnode on server 2016 with shared websites permissions error - need advise (Issue #124) Ah, you are hitting this issue. Sorry, I forgot that I dealt with that, too: tjanczuk#247 <tjanczuk#247> My folder structure is: s:\websites\domain1\slot1 s:\websites\domain1\slot2 s:\websites\domain2\slot1 s:\websites\domain2\slot2 The slot# folders are the IIIS site's root folders (we switch between each domain's slot1/slot2 as devs deploy new code). I give the site's individual apppool account read at \domain#\ folder level. At s:\websites the group IIS_IUSRS has Read access set to "This folder only". — Reply to this email directly, view it on GitHub <#124 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXUGTQPSAAI72EUNE3MNQ3U2SECJANCNFSM5N43DGSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/ABXUGTWWBM6EAC6LHAV2FY3U2SECJA5CNFSM5N43DGSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHW7BTTY.gif> Message ID: ***@***.*** ***@***.***> >