How to improve IIS website creation

6 Posts
3 Users
0 Likes
1,916 Views
Posts: 24
 ori
Topic starter
(@oslasi)
Eminent Member
Joined: 6 years ago

Hi,

I have created a new domain within SolidCP and I am checking the website in IIS, and I have a number of questions about it:

  1. I can see that in the website > advanced settings > physical path you use "Application user".
  2. I do see that a new user is created (domain-name_web) with group permission: IIS_IUSRS and SCP_IUSRS.
  3. I see that the folder for the site has no user "domain-name_web".
  4. I see that there is no dedicated application pool for the website.

Questions:

  1. Where can I change the site folder, for example from C:\HostingSpaces to my custom folder path?
  2. Where can I change IIS > advanced settings > physical path to a specific user?
  3. How can I create a dedicated application pool for each website and make sure it is updated in the IIS website?
  4. How can I change these settings in the application pool:
    1. 32-bit application
    2. start mode
    3. idle time-out
    4. regular time interval
    5. .NET CLR version
  5. How do I enable MVC Core?

Thank you,

ori

5 Replies
Posts: 24
 ori
Topic starter
(@oslasi)
Eminent Member
Joined: 6 years ago

And about the domain-name_web user you create:

What is the idea with the user group "SCP_IUSRS"? What is it used for, and why not use only "IIS_IUSRS"?

It is very important for website security to use a separate user: when one site is hacked, they cannot continue to the other sites, as it is isolated at the IIS level and by user permissions on the website folder on disk.

Reply
Posts: 1964
Admin
(@m-tiggelaar)
Noble Member
Joined: 8 years ago

Hello,

The default settings you're looking for are in serveradmin home --> bottom right --> "policies" (then the web policy settings etc.).

It will then be set to a dedicated app pool user, where the user's user is 100% used for segregation.

IIS_IUSRS (or SolidCP's custom group) is added for IIS privs, but also so you can easily lock the group away from important Windows resources (such as system32, syswow etc.).

For a good Windows segregated setup on any Windows server you will have to remove the USERS group from all your disks, Program Files, and Windows dir.

A small example of segregation we normally do (without Windows / Program Files, as they are program specific):

 

1) Add full trust to Domain Admins, or if it's a non-domain server: Administrators, to the HostingSpaces along with the group as mentioned above.
2) Make sure the SolidCP Server pool user is a member of Administrators and/or Domain Admins.
3) Make sure you're logged in as Administrator. Take ownership of HostingSpaces:

takeown /f C:\HostingSpaces /r /d y /a

4) Disable inheritance on HostingSpaces --> make sure only Administrators (and FileZilla if it applies) remain; remove SYSTEM etc.
5) Remove Users from C:
6) Add the following 2 users to C:

Local Service
Network Service

With Read & Execute, List folder contents and Read.

7) Add the "Administrators File Access" access group to have full control on C:

Take ownership:

takeown /a /F c:\windows\system32\*.exe
takeown /a /F c:\windows\syswow64\*.exe

Revoke permissions for IIS_IUSRS:

cacls c:\windows\system32\*.exe /E /D IIS_IUSRS
cacls c:\windows\syswow64\*.exe /E /D IIS_IUSRS

##################################################
Windows Firewall
##################################################

A lot of people have no additional firewall.
Make sure you tune it up, for example:

1) If they have no IPv6, make sure you disable all IPv6 allow rules.
2) Disable network file sharing unless you use it.
3) Disable any other rule you think is not needed.
4) Make sure RDP isn't accessible on its default port.

 

Regards,

Marco

Reply
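A read-only way to check the result of the permission steps in the post above, added here as an example; it is not part of the original post or SolidCP's own tooling. It assumes the default C:\HostingSpaces path and English group names (Users, IIS_IUSRS), and the function name Test-HasAce is made up for this example.

```powershell
# Added example: read-only audit of the ACL layout from the post above.
# Assumptions: default paths and English group names; adjust for your server.
param(
    [string]$HostingRoot = 'C:\HostingSpaces',
    [string]$Drive       = 'C:\'
)

# True if the ACL holds an ACE of the given type for a matching identity.
function Test-HasAce {
    param($Acl, [string]$IdentityPattern, [string]$Type = 'Allow')
    [bool]($Acl.Access | Where-Object {
        $_.IdentityReference.Value -like $IdentityPattern -and
        $_.AccessControlType -eq $Type
    })
}

$findings = @()

# Step 4: inheritance must be disabled on the hosting root.
if (-not (Get-Acl -LiteralPath $HostingRoot).AreAccessRulesProtected) {
    $findings += "$HostingRoot still inherits permissions from its parent"
}

# Step 5: the Users group should have no Allow ACE on the drive or hosting root.
foreach ($path in $Drive, $HostingRoot) {
    if (Test-HasAce (Get-Acl -LiteralPath $path) '*\Users') {
        $findings += "$path still grants access to the Users group"
    }
}

# cacls /D step: every .exe should carry a Deny ACE for IIS_IUSRS.
foreach ($dir in 'System32', 'SysWOW64') {
    $exeDir  = Join-Path $env:SystemRoot $dir
    $missing = @(Get-ChildItem -LiteralPath $exeDir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-HasAce (Get-Acl -LiteralPath $_.FullName) '*\IIS_IUSRS' 'Deny') })
    if ($missing.Count) {
        $findings += "$exeDir has $($missing.Count) .exe file(s) without a Deny ACE for IIS_IUSRS"
    }
}

if ($findings) { $findings } else { 'ACL layout matches the steps in the post' }
```

Run it from an elevated prompt; it only reads ACLs and changes nothing.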
Posts: 24
 ori
Topic starter
(@oslasi)
Eminent Member
Joined: 6 years ago

Hi Marco,

Thank you for your answer.
When I open policies > web policy, I see at the bottom the web site folders and the path. Can you please tell me where I can change the "folders relative Space home"?
Thank you,

ori

Reply
Posts: 24
 ori
Topic starter
(@oslasi)
Eminent Member
Joined: 6 years ago

This post https://solidcp.com/forum/question/change-of-hostingspace-path-does-not-work/ has answered my question.
Where in the database can I change the folder path if I want to change it for an existing hosting space?

Reply