Actually you hit it right on the button and I'll tell you why. Having your webroot folder in a separate location from the default installation protects you from a world of silly exploits and ridiculous script kiddie wannabe hacker attacks. This would be the primary reason because, if you recall, earlier in the year the "Hacked by Chinese" sadmind exploit relied on wwwroot being in its default install location. Thus, you move the folder and you're protected. Also, option 4 of putting the wwwroot on a separate partition would be the most practical because in the rare case that someone was able to traverse your local folders, they WOULD NOT be able to hop across partitions to get to your critical operating system files. In other words, if the above mentioned exploit depends on cmd.exe being in ../../winnt/system32, obviously having webroot on D or E protects you from such an exploit.

May I also add: (IMHO) separating your webserver and web applications from the OS partition gives you the freedom to really lock down the OS partition as explicitly as possible, thus adding another level of security to your system. I'm normally a Unix user myself, but I've found it's easier to manipulate ACLs in WinNT/2k for specific services when they are physically located in separate places.

Just my 2 cents. Hope it helps.

-Terry Jordan
-=TheRoadhog=-

On Friday 02 November 2001 01:36, you wrote:
> OK Everyone, I need some help!
>
> I'm trying to articulate the reasons why it's better to place the root of a
> website on a separate partition, or at least in a separate directory from
> the application which uses IIS as a front-end...
>
> An example
> Client/Server Software program installed at
> C:\Program Files\company\productname\
> WWW Files can be installed to:
> 1. C:\InetPub\WWWRoot
> 2. C:\ProductNameWWW
> 3. C:\Program Files\company\ProductName\ProductWWW
> 4. C:\Program Files\company\ProductWWW
> 5. D:\
>
> The website utilizes ADO, OLEDB (via MDAC 2.6 SP1) to connect to a SQL 7
> database that is housed on another server. .ASP is the coding of choice
> along with some plain HTML. The machines will be patched up-to-date and
> plenty of other security measures will be taken!
>
> Personally I believe the safest location would be on D:\ (if there's
> nothing else on it). My next choice would be option #2, followed by #4. I
> don't like the idea of having the webroot be a subfolder of the actual
> server files (option 3), and I sure don't like it in the default
> C:\InetPub\WWWRoot. Even though I can remove all the default mappings &
> virtual directories from WWWRoot I still don't like the fact that some
> scriptkiddie script might rely on the existence of a folder called
> C:\Inetpub\WWWRoot.
>
> I know I've read different places in the past some examples of how Option 3
> can be exploited. All of the options on C: could be a problem if a
> traversal exploit is used. The problem is I'm having problems searching
> for this scenario on the common search engines. I'm getting way too many
> false hits that don't address the issue at hand.
>
> I *do* understand that there's a lot more to hardening an IIS installation
> than the placement of the root folder. This is just one of the first
> things that popped into my head at a meeting we had, so I mentioned it.
> Unfortunately, everyone thinks I'm crazy and cannot see the impact that the
> placement of the root folder may have. What sort of concrete evidence is
> out there for me to use to support my case? ...Or am I just being too
> paranoid about the placement of the root folder?!?

--
Terry Jordan
Systems Administrator
GoAntiques, Inc.
v. 614-481-5750
f. 614-481-5751
Shop the GoAntiques Network
www.goantiques.com <http://www.goantiques.com>
AOL Keyword: GoAntiques
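
The partition argument in this thread, worked through as an added example (not part of the original messages): it lexically resolves the `../../winnt/system32/cmd.exe` path from the reply against each of the five candidate webroots, then applies a containment check that does not depend on where the webroot sits. It assumes Windows is installed in `C:\winnt` and uses Python's `ntpath` as a simple model of path mapping, not IIS's own code; the function names are illustrative.

```python
import ntpath  # Windows path rules; importable on any OS

# The five candidate webroots from the quoted question.
WEBROOTS = [
    r"C:\InetPub\WWWRoot",
    r"C:\ProductNameWWW",
    r"C:\Program Files\company\ProductName\ProductWWW",
    r"C:\Program Files\company\ProductWWW",
    "D:\\",
]
# Assumption: the OS lives in C:\winnt, as the reply's ../../winnt/system32 implies.
SYSTEM_BINARY = r"C:\winnt\system32\cmd.exe"
TRAVERSAL = r"..\..\winnt\system32\cmd.exe"


def resolve(webroot, relative):
    """Lexically map a request path under the webroot with no containment check."""
    return ntpath.normpath(ntpath.join(webroot, relative))


def reaches_system_binary(webroot, max_extra=6):
    """True if TRAVERSAL, with up to max_extra more '..' segments, hits SYSTEM_BINARY."""
    target = ntpath.normcase(SYSTEM_BINARY)
    return any(
        ntpath.normcase(resolve(webroot, "..\\" * extra + TRAVERSAL)) == target
        for extra in range(max_extra + 1)
    )


def is_contained(webroot, relative):
    """Mitigation: accept only paths that still resolve inside the webroot."""
    root = ntpath.normcase(ntpath.normpath(webroot)).rstrip("\\") + "\\"
    resolved = ntpath.normcase(resolve(webroot, relative))
    return (resolved + "\\").startswith(root)


def report():
    """Per webroot: (webroot, traversal reaches cmd.exe, containment check passes it)."""
    return [(w, reaches_system_binary(w), is_contained(w, TRAVERSAL)) for w in WEBROOTS]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Every webroot on C: resolves to the system binary once enough `..` segments are present, whatever the folder is called, while `D:\` cannot leave its own volume; the containment check rejects the traversal for all four C: locations.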
