I have some questions regarding the security architecture of a web server. We have a web developer who is developing an architecture for updating web pages using Active Server Pages (ASP) and HTML.
Basically, the way it works is that the users can update their web sites via the ASP/HTML form. They type in the information (such as job announcements, etc.) on the form and click the "update" button. This will add the necessary navigation bars for the page, which is a GIF or JPG file, and the information on a folder(s) using the "iusr_computername" account in MS IIS web server. To make this happen, I had to give "iusr_computername" Read, Write, Delete permissions to that folder. The "iusr_computername" is an anonymous account used by anyone to browse the web site.

My concern is that giving "iusr_computername" Read, Write, Delete permission to a folder on the web server can be exploited, since this web server can be accessed from outside. What do you think about this setup?

Thanks,
Jaime
