
@jackbuehner jackbuehner commented Jul 19, 2025

Currently, any IIS application has read and write access to RAWeb files because we grant read and write access to the IIS_IUSRS account. We grant write access because we need to modify the app settings in Web.config.

To improve security, we now:

  1. Set up an application pool in IIS called "raweb" if it does not already exist. We do not replace it if it already exists, which makes it possible for administrators to change the identity of the raweb application pool to a custom account (e.g., if they need RAWeb to run as an account from a specific domain so that group memberships can be read by RAWeb).
  2. Configure anonymous authentication for RAWeb to operate as the raweb application pool identity instead of the default IUSR identity.
  3. Remove access to the RAWeb folder from all users and groups except the SYSTEM and Administrators groups.
  4. Assign read-only access to the RAWeb folder for "IIS AppPool\raweb".
  5. Assign write and modify access to the RAWeb/App_Data folder for "IIS AppPool\raweb".

As part of this change, app settings from Web.config and the resources and multiuser-resources folders are now stored in the App_Data folder. Security permissions for resources are now preserved when upgrading or reinstalling RAWeb. The setup script handles the migration of the app settings and resources.

Resolves #97
Resolves #96

Install

Run as an administrator in PowerShell to install this branch:

iwr -UseBasicParsing install.raweb.app/preview/jackbuehner/restricted-permissions | iex

Checklist

Tested on:

  • Server joined to a domain
  • Server not joined to a domain

Tested scenarios:

  • Resources folder migration
  • Multiuser resources folder migration
  • appSettings (policies) migration
  • Permissions-based access to files in the resources folder (security tab in properties)
  • Folder name-based access to files in the multiuser-resources folder
  • Using a different identity for the application pool
  • Editing policies from the web interface
  • Webfeed via Windows RADC
  • Webfeed via Windows App (Android)
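
An added example, not part of this PR or the RAWeb setup script: a PowerShell check that flags access rules departing from the permission model in steps 3 to 5 above. The function name, its parameters and the sample rules are constructed for illustration; on a real install, pass it `(Get-Acl <path>).Access`.

```powershell
# Added example (hypothetical names). Reports ACEs that violate the model:
# only SYSTEM, Administrators and the app pool identity may have access, and
# the pool identity may write only inside App_Data.
function Find-RawebAclViolation {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,    # e.g. (Get-Acl $path).Access
        [switch] $IsAppData,                         # set when auditing App_Data
        [string] $PoolIdentity = 'IIS AppPool\raweb'
    )
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal change content or permissions, plus the raw
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
    # appear on inherit-only ACEs.
    $writeMask = [int]($fsr'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

    foreach ($rule in $Rules) {
        if ("$($rule.AccessControlType)" -ne 'Allow') { continue }
        $id = "$($rule.IdentityReference)"
        if ($trusted -contains $id) { continue }

        if ($id -ne $PoolIdentity) {
            "unexpected principal '$id' has $($rule.FileSystemRights)"
        }
        elseif (-not $IsAppData) {
            $rights = [int]($fsr$rule.FileSystemRights)
            if (($rights -band $writeMask) -ne 0) {
                "'$id' can write outside App_Data: $($rule.FileSystemRights)"
            }
        }
    }
}

# Constructed sample: an ACL as it might look before the change, where
# IIS_IUSRS still has write access and the pool identity was granted Modify.
$sampleRootRules = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';    FileSystemRights = 'FullControl';                 AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl';                 AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\IIS_IUSRS';      FileSystemRights = 'Modify, Synchronize';         AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'IIS AppPool\raweb';      FileSystemRights = 'Modify, Synchronize';         AccessControlType = 'Allow' }
)

# Audit the constructed rules as if they belonged to the RAWeb root folder.
Find-RawebAclViolation -Rules $sampleRootRules

# The same pool-identity rule is acceptable on App_Data; only IIS_IUSRS remains flagged.
Find-RawebAclViolation -Rules $sampleRootRules -IsAppData
```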

…onfig`

This change means that we can only grant access to app data rather than all of the app's files, including Web.config. Long term, it is better to remove write access to non-user-provided files so that a vulnerability in the raweb code does not allow code that executes on the server to be modified into something malicious.
It is much faster than `UserPrincipal.FindByIdentity`. Using the application pool identity instead of IUSR is an example case that causes `UserPrincipal.FindByIdentity` to slow down.
… pool and authenticate with the application pool's identity; and restrict filesystem access for RAWeb files to SYSTEM, Administrators, and the raweb application pool
@jackbuehner jackbuehner self-assigned this Jul 19, 2025
@jackbuehner jackbuehner added bug Something isn't working enhancement New feature or request security Related to a security issue or improvement labels Jul 19, 2025
@jackbuehner jackbuehner force-pushed the restricted-permissions branch from 2765558 to fb625e5 Compare July 19, 2025 23:39
@jackbuehner jackbuehner marked this pull request as ready for review July 20, 2025 04:28
@jackbuehner jackbuehner merged commit b7ef2bf into kimmknight:master Jul 20, 2025
@jackbuehner jackbuehner deleted the restricted-permissions branch July 20, 2025 04:59