How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

victor — Thu, 12 Mar 2009 08:01:03 GMT

Thanks very much. Bertrand Le Roy. I will also do some reading from the best parctice.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Bertrand Le Roy — Wed, 11 Mar 2009 17:30:37 GMT

@Victor: please don't take my advice as the official Microsoft recommendation but only as my opinion. If those developers must publish the development site to the production server, this seems quite normal. I'm not sure what to do if that is not acceptable. One thing you might want to do is turn on write audits on that directory. That won't prevent attacks from insiders but it would enable you to find who's responsible for it.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

victor — Wed, 11 Mar 2009 08:26:56 GMT

I am an IT auditor. I find that there were developers who had modify rights on inetpub directory in the production environment. How risky or dangerous it is? please help

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Bertrand Le Roy — Thu, 15 Mar 2007 07:38:32 GMT

Dean: you're absolutely right, so for a dev machine, the inetpub folder may be dependable and just giving access may be acceptable but on a production server, well, in this case just leave everything on I suppose.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Speednet — Thu, 15 Mar 2007 05:49:49 GMT

rbuckton, your comments are right on target!

I have been thinking exactly the same thing. What malware is going to try and run the VS2005 IDE?

UAC desperately needs fine-tuning controls, which an advanced user can manipulate. It can be changed to work exactly like a learning firewall, giving the user the ability to remember a rule or ask every time. Wouldn't that be the best approach?

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Dean Harding — Thu, 15 Mar 2007 03:13:07 GMT

> Yes, you're absolutely right, but giving rights on the folder presents the

> same risks as far as shell extensions are concerned.

Except that they WOULDN'T have those rights on every OTHER folder marked Admin-only (System32, Program Files, etc).

I guess it depends on how "valuable" your InetPub folder is compared to those other folders. Either way, I think there are risks doing it both ways... but that's the nature of security; you've got to take risks in the interest of actually being able to DO stuff :)

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

David Taylor — Thu, 15 Mar 2007 02:08:45 GMT

Bertrand, like you I have left UAC enabled for the last few months of running Vista.

However I am not that worried if many technical people turn it off as they know how to fix their machine if it gets trashed.

What I care about is that my mother, father and other non-technical people leave it on. We should remember that 95% of people are not very technical, and if that 95% have UAC enabled Vista is a huge win.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

rbuckton — Thu, 15 Mar 2007 02:03:11 GMT

There are times where I wish there was a way to "pre-authorize" certain applications for UAC. I always run Visual Studio elevated and the prompt seems a bit cumbersome in those cases. I think you should be able to authorize certain applications as approved without the need to accept a UAC prompt. You could define the trusted startup parameters for the application (e.g. what are the valid commad line options that can be supplied). Pre-authorized applications would then just need some type of bubble tip after launch that appears above the icon in the taskbar, or differentiate the window with slightly different window chrome (say a red or orangeish cast to the aero glass style) for applications running elevated.

Beyond that I am a big fan of UAC. Vista makes large-scale operations affecting a protected folder efficient by determining up front everything that will need elevation when beginning a copy, move, delete, etc. operation. It's the one-by-one changes that become cumbersome.

One of the more difficult to understand features of UAC is attempting to write a file to a protected location by an application that doesnt understand UAC. Instead of denying the operation, a special folder structure under your profile folders that matches the protected directory structure is created for those files. Vista needs a way to track and merge these changes easily after the fact, rather than having to do it manually.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Bertrand Le Roy — Thu, 15 Mar 2007 01:34:46 GMT

Yes, you're absolutely right, but giving rights on the folder presents the same risks as far as shell extensions are concerned.

If you have shell extensions that you're unsure about, I guess it's just better to leave UAC on, not give additional permissions and not run as admin...

Ultimately, I see people disabling UAC as a whole and while it would be best to leave it on and bear with the alerts, such tricks can help in that it's better to have it partially on (and know the risks) than have it completely off.

As always, the best protection is skeptical computing.

re: How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

Dean Harding — Thu, 15 Mar 2007 01:24:28 GMT

Yes, but running explorer as an administrator also means all your explorer extensions and so on are running as administrator.

I guess it just depends on where you think the threats are coming from :-)