Hello,
As far as I can tell, there is no information available on how to set up and configure things like IIS, FTP etc. (web hosting) in SolidCP.
Is there any such information available or is there anyone who can provide the necessary information on how to set this up?
I can without problems add servers/virtual servers for IIS/FTP, but without knowing how this should be configured on the servers, it doesn't really work in a way I'm comfortable with.
For instance, the permissions set on web site directories allow everyone to access the directories and data. This should probably be segregated, e.g. by using unique user accounts for App Pools and NTFS permissions for the web sites; perhaps this is already possible if the root directory structure is configured with the correct permissions for SolidCP (but what are they?).
Hello,
Unfortunately we are far behind on the documentation at this point (it's a large project, and with a team that works on support, dev, etc. in their free time there's always plenty to do and little time to do it in).
For web and FTP, however, it's pretty straightforward.
For IIS FTP:
- Assign an ip in IPAddresses to the server(s) in question.
- Add the FTP service, select the IP, and set the DNS record if you want SolidCP to manage your DNS servers.
- Apply (this will create the FTP site with the correct settings for you).
For Web:
- Web Sites Shared IP Address: I leave this at All Unassigned (this is the * binding in IIS, which is most compatible with SNI certificates).
- Web Sites Public Shared IP: put its actual public IP here. It is not used in the configuration but is displayed for the customers in case they need to set DNS etc. (it is a mandatory field).
- ASP.NET Mode (2.0/4.0): I always put 64-bit.
- IIS 8 and above have an SNI checkbox; I would highly recommend selecting this.
- I personally never use Web Publishing due to permission-based problems caused within VS itself, so I don't touch it.
- For DNS Records, add one: [host_name] with value [ip]. For all other records I would use value [ip] (which uses the value entered above in Shared Public IP).
Policies:
- Go to serveradmin home --> bottom right "policies"
- Open up Web Policy
- Select the dedicated application pool; uncheck any auth besides anonymous auth.
Now make sure that when you do this, the dedicated application pool is always enabled in the Hosting Plan section.
Segregation:
- Add full trust to Domain Admins (or, if it's a non-domain server, Administrators) on HostingSpaces, along with the group mentioned above.
- Make sure the WebsitePanel Server pool user is a member of Administrators and/or Domain Admins.
- Make sure you're logged in as Administrator. Take ownership of HostingSpaces:
takeown /f C:\HostingSpaces /r /d y /a
- Disable inheritance on HostingSpaces --> make sure only Administrators (and FileZilla, if applicable) remain; remove SYSTEM etc.
- Remove Users from C:\
- Add the following 2 users to C:\ with Read & Execute, List folder contents and Read:
Local Service
Network Service
- Add the "Administrators File Access" access group with Full Control on C:\
##############################################
Deny IIS_IUSRS from System32 and SysWOW64
##############################################
First of all, make sure ALL _web users are members of the IIS_IUSRS group.
If they're not, please make sure you add them all to that group.
Take ownership:
takeown /a /F c:\windows\system32\*.exe
takeown /a /F c:\windows\syswow64\*.exe
Revoke permissions for IIS_IUSRS:
cacls c:\windows\system32\*.exe /E /D IIS_IUSRS
cacls c:\windows\syswow64\*.exe /E /D IIS_IUSRS
That's about it when it comes to segregation.
We made an automated deploy script a while back which takes care of most of those steps for you; you can get it here:
http://installer.solidcp.com/Files/stable/Tools/SolidCP-Configuration-Tool.zip
Do note that the script is still part experimental but should get you what you need.
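As an added example (not SolidCP's own code and not part of Marco's post), here is a PowerShell transcription of the segregation steps above, with a check at the end that the Users group really is gone from C:\. The hosting root path, the "Administrators File Access" group name, the "*_web" naming pattern for site identities, and the use of the LocalAccounts cmdlets (Windows Server 2016 and later) are assumptions; adjust them, run it in an elevated session, and try it on a test server first.

```powershell
# Added example, not from the SolidCP project or the post above.
# Assumptions: hosting root C:\HostingSpaces, a local group named
# "Administrators File Access", site identities are local accounts ending in
# "_web", non-domain server, elevated session, Windows Server 2016+.

$HostingSpaces = 'C:\HostingSpaces'                 # assumed hosting root
$AdminGroup    = 'BUILTIN\Administrators'           # use 'DOMAIN\Domain Admins' on a domain member
$FileAccessGrp = 'Administrators File Access'       # assumed group name from the post
$ServiceAccts  = 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'

# --- HostingSpaces: take ownership, cut inheritance, leave only admin groups ---
takeown /f $HostingSpaces /r /d y /a | Out-Null
icacls $HostingSpaces /inheritance:r /grant:r "${AdminGroup}:(OI)(CI)F" "${FileAccessGrp}:(OI)(CI)F" | Out-Null
icacls $HostingSpaces /remove:g 'NT AUTHORITY\SYSTEM' | Out-Null
# If FileZilla Server runs under its own account, grant it here, e.g.
# icacls $HostingSpaces /grant "FileZillaSvc:(OI)(CI)M"   (assumed account name)

# --- C:\ root: drop Users, give the two service accounts Read & Execute,
#     give the admin file-access group Full Control ---
icacls C:\ /remove:g 'BUILTIN\Users' | Out-Null
foreach ($acct in $ServiceAccts) {
    # RX = Read & Execute, which includes List folder contents and Read
    icacls C:\ /grant "${acct}:(OI)(CI)RX" | Out-Null
}
icacls C:\ /grant "${FileAccessGrp}:(OI)(CI)F" | Out-Null

# --- Every *_web site identity must be a member of IIS_IUSRS (assumed pattern) ---
$webUsers = Get-LocalUser | Where-Object { $_.Name -like '*_web' }
foreach ($u in $webUsers) {
    $isMember = Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $u.Name -ErrorAction SilentlyContinue
    if (-not $isMember) {
        Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $u.Name
        Write-Host "Added $($u.Name) to IIS_IUSRS"
    }
}

# --- Deny IIS_IUSRS on the executables in System32 and SysWOW64
#     (icacls equivalent of "cacls ... /E /D IIS_IUSRS"; non-recursive, so
#     System32\inetsrv\w3wp.exe is not touched) ---
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    takeown /a /F "$dir\*.exe" | Out-Null
    icacls "$dir\*.exe" /deny 'IIS_IUSRS:F' | Out-Null
}

# --- Check: BUILTIN\Users must no longer hold any ACE on C:\ ---
$usersAce = (Get-Acl -Path 'C:\').Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
if ($usersAce) { Write-Warning 'BUILTIN\Users still has access to C:\' }
else           { Write-Host 'OK: BUILTIN\Users removed from C:\' }

# Print the final HostingSpaces ACL for review
icacls $HostingSpaces
```

The inheritable (OI)(CI) entries set on C:\ propagate to existing children automatically, so no /T recursion is needed there; the explicit deny on the *.exe files is per-file and is what keeps a site identity from spawning cmd.exe or powershell.exe even if a script on the site can reach them.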
Hello Marco,
Many thanks for taking the time to put this together and posting it here!
I'll get to work with trying this out immediately, and if something should arise, I'll get back to you here.
Again, thank you!
Do we need to do something extra to stop the Anonymous (_web) user being able to browse the whole drive?
I notice that even though the _web user isn't added to the local "Users" group, it still is a part of it - or is that a misconfiguration my end? (for example, I create a folder with no permissions - using ASP I cannot browse to it. But if I add the "Users" permission, suddenly I can)
Using the standalone install out of the box, any shared account is able to access all the session data of any PHP session too, just by browsing to the Windows temp folder.
Hello,
By default in Windows, every user is part of the Users group,
and the Users group by default has Read + Execute on the whole disk(s).
You will always need to remove it, as explained in the segregation step in my previous post.
This is a security measure every Windows system admin should take on new servers.
Regards,
Marco