
Website Security Issue

6 Posts
2 Users
0 Reactions
2,508 Views
Posts: 4
Topic starter
(@kryptonsoft)
New Member
Joined: 6 years ago

Hi,
I am new to SolidCP. I installed Windows 2012 with SolidCP Panel.
I created a few websites; all .NET sites work well. But I have one website that is Classic ASP. It is throwing a Forbidden Access Denied error.

When I investigated in IIS, I found all websites were created without Physical Credentials and are using Application Pool Identity. I am using the standard default Application Pools and they are running using the Network Service account.

I checked Folder Permissions and all the [Domain]www folders are assigned with the correct Anonymous User created permissions, but the same Anonymous User account is not assigned to the Website in IIS for Physical Path Credentials.

I was previously using Website Panel, which creates sites correctly with Physical Credentials set in Website Property, but SolidCP creates the site with Physical Credentials blank and makes the site dependent on Application Pool Identity.

This makes the complete website environment insecure, as any website can read anybody's content.
How can this be fixed? Where is the setting in SolidCP which provides correct site creation behavior using Physical Credentials? I can't find it.
Possibly using a Dedicated Application Pool is a way out, but I have over 400+ sites and it could grow, and I am not sure how a Dedicated Application Pool uses credentials.
Can somebody help me out to resolve this issue, point me to some settings or whatever?

5 Replies
Posts: 1967
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

Hello,
I double-checked and also tried to reproduce your issue.
I do use Dedicated Application pools, but I verified both the IIS site as well as the Application pools have the correct user specified.
(I use Active Directory to manage users so they look like domain.localwebsite-domain_web.)
The only settings that affect this are located in the Serveradmin home --> bottom right "Policies" --> Web Policies.
I have only heard of issues if there's a customized prefix or suffix set in the options.
Regards,
Marco

Posts: 4
Topic starter
(@kryptonsoft)
New Member
Joined: 6 years ago

Hi Marco,
Thanks for getting back to me on this. I also use Active Directory so it's the same environment, but I am not using Dedicated App Pools. I think using a Dedicated App Pool is a good idea if it solves the security issue and load isolation; the problem is it only assigns a dedicated app pool at the time of website creation, and I have to delete each site and reconfigure.
I checked web policies but I couldn't find any settings which can set Physical Path Credentials in a shared app pool.

Posts: 1967
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

Actually you can create dedicated application pools for existing sites.
However, the "normal" way would mean you open each website property, select dedicated application pool and save (it will then create and set).
With 400 sites that is not exactly ideal either.
If you want, I can check with our devs if they can maybe make a conversion script for ALL websites on the server; however, this would be a paid dev project at this time (I can suggest it as a feature, but chances are this won't get picked up for free for quite a while).

Posts: 4
Topic starter
(@kryptonsoft)
New Member
Joined: 6 years ago

Thank you for the update. We have resources, and due to the severity we are taking it on priority and have almost moved around 50% of accounts to dedicated pools. I am finding Dedicated Pool a better option as I can watch each website's CPU/Memory usage now.
I noticed that it creates 4 pools for each website, e.g.
<domain> v2.0 (Classic)
<domain> v2.0 (Integrated)
<domain> v4.0 (Classic)
<domain> v4.0 (Integrated)
However, based on the website's .NET settings only 1 pool is to be used. This unnecessarily increases the number of application pools in IIS App Pools.
1. I suggest a feature for an upcoming release: it would be better if only one dedicated pool were created.
2. If an option could be provided in Web Policy, or as part of the Hosting Plan/Package, for App Pool default resource settings, e.g. CPU Limit, Max Queue Length, and Max Memory Limit, it would be amazing for isolating resource usage, just like CloudLinux does.

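A read-only audit of the condition discussed in this thread, added here as an example (it is not part of any post and is not SolidCP code): it lists each IIS site's root physical path credentials and application pool identity, and flags sites that have blank path credentials while sharing a pool with other sites. It assumes an elevated PowerShell session on the IIS server and the default location of Microsoft.Web.Administration.dll; the variable and column names are illustrative.

```powershell
# Added example: read-only IIS audit, changes nothing on the server.
# Assumption: IIS management assembly is in its default location.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$iis = New-Object Microsoft.Web.Administration.ServerManager

# Count how many sites use each application pool (root application only).
$poolUse = @{}
foreach ($site in $iis.Sites) {
    $rootApp = $site.Applications['/']
    if ($null -eq $rootApp) { continue }
    $name = $rootApp.ApplicationPoolName
    $poolUse[$name] = 1 + [int]$poolUse[$name]
}

$report = foreach ($site in $iis.Sites) {
    $rootApp = $site.Applications['/']
    if ($null -eq $rootApp) { continue }
    $vdir = $rootApp.VirtualDirectories['/']
    $pool = $iis.ApplicationPools[$rootApp.ApplicationPoolName]

    # Identity the worker process runs as; a named account only for SpecificUser.
    $identity = '(pool not found)'
    if ($null -ne $pool) {
        $identity = [string]$pool.ProcessModel.IdentityType
        if ($identity -eq 'SpecificUser') { $identity = $pool.ProcessModel.UserName }
    }

    # Blank path credentials mean content is read with the pool (or request) identity.
    $blankCreds = ($null -eq $vdir) -or [string]::IsNullOrEmpty($vdir.UserName)
    $sitesInPool = $poolUse[$rootApp.ApplicationPoolName]

    [pscustomobject]@{
        Site         = $site.Name
        PhysicalPath = if ($vdir) { $vdir.PhysicalPath } else { '' }
        PathUser     = if ($blankCreds) { '(blank)' } else { $vdir.UserName }
        AppPool      = $rootApp.ApplicationPoolName
        PoolIdentity = $identity
        SitesInPool  = $sitesInPool
        Review       = ($blankCreds -and $sitesInPool -gt 1)
    }
}

$report | Sort-Object AppPool, Site | Format-Table -AutoSize
$flagged = @($report | Where-Object { $_.Review })
"{0} of {1} sites have blank path credentials in a shared pool" -f $flagged.Count, @($report).Count
```

Re-running it during a migration to dedicated pools shows which sites are still in a shared pool; folder ACLs under each `PhysicalPath` still need to be checked separately.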