Overview
The Security Analyzer reviews your site for potential security issues and provides prescriptive guidance on how to address them. Running the Security Analyzer may raise a CheckDiskAccess alert; this check looks for access permissions on drives or folders outside the website folder.
Prerequisites
- DNN 9+ installation.
Diagnosis
When running the Security Analyzer, the following alert may be received:
CheckDiskAccess showing alert: Checks extra drives/folders access permission outside the website folder
The CheckDiskAccess security alert checks whether your site is running under an IIS application pool user that has permission to access disk resources outside the IIS site folder your Evoq site runs in. You will receive this alert if any such access is found. Review the disk resources listed in the alert. If you have extensions or customizations that require access to these locations, you can disregard the message; otherwise, it should be addressed, because if the system were compromised, an attacker would gain access to all of these locations as well.
This is most likely because the ApplicationPoolIdentity is a member of the Users group as well as the IIS_IUSRS group. ApplicationPoolIdentity can read and write to the flagged folder because that right is inherited through the Users group. Ideally, the Users group should have permissions denied on the folders containing websites.
Solution
In the following example, access to the local C: drive is denied for the application pool identity:
1. Open Windows Explorer at the root of the Server PC.
2. Right-click on C: Drive > Properties
3. Select Security tab > Advanced
4. Click Change Permissions.
5. Click Add.
6. Click Select a Principal and then enter your application pool identity name.
It may be worth double-checking your application pool identity in IIS before entering the principal, just to be certain.
- Confirm which site is using the folder you expect.
- You can confirm by opening IIS and browsing to Connections > Sites > right-click the website > Explore.
- Confirm which Application Pool that site is using.
- You can confirm by opening IIS and browsing to Connections > Sites > right-click the website > Manage Website > Advanced Settings.
- Confirm which Identity that Application Pool is using.
- You can confirm by opening IIS and browsing to Connections > Application Pools and checking the Identity column for that pool.
7. Change Type to Deny
8. Change Applies to: This folder only
9. Check the Full Control box, which checks all other boxes.
10. Click OK, then click Apply.
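The same change, scripted, as an added example that is not part of this article: it resolves the site's application pool and identity (the checks described under step 6), shows the entries the principal already holds on the target, and adds the Deny / This folder only / Full Control entry from steps 7 to 10. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module; the site name and target path are placeholders.

```powershell
# Added example (not DNN/Evoq code). Run elevated on the IIS server.
param(
    [string]$SiteName   = 'Default Web Site',  # placeholder: your DNN/Evoq site name
    [string]$TargetPath = 'C:\',               # drive or folder to deny, as in the article
    [switch]$Apply                             # without -Apply the script only reports
)
Import-Module WebAdministration

# Step 6 aside: site -> application pool -> identity.
$site = Get-Website -Name $SiteName
if (-not $site) { throw "Site '$SiteName' not found in IIS." }
$poolName     = $site.applicationPool
$pool         = Get-Item "IIS:\AppPools\$poolName"
$identityType = $pool.processModel.identityType

# ApplicationPoolIdentity is the virtual account 'IIS AppPool\<pool name>';
# a custom account uses the configured user name. Built-in service accounts
# (LocalSystem, NetworkService, ...) are not denied automatically here.
$principal = switch ($identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    'SpecificUser'            { $pool.processModel.userName }
    default { throw "Pool '$poolName' runs as '$identityType'; review that account manually." }
}
Write-Host "Site '$SiteName' -> pool '$poolName' -> identity '$principal'"

# Show what the principal already has on the target, including inherited rights
# (the Users group membership described under Diagnosis shows up as IsInherited).
$acl = Get-Acl -Path $TargetPath
$acl.Access | Where-Object { $_.IdentityReference.Value -ieq $principal } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Steps 7-9: Deny, Full Control, "This folder only" (no inheritance to children).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)

if ($Apply) {
    Set-Acl -Path $TargetPath -AclObject $acl   # step 10
    Write-Host "Deny entry written to $TargetPath; re-run the Security Analyzer to confirm PASS."
} else {
    Write-Host "Dry run only. Re-run with -Apply to write the Deny entry to $TargetPath."
}
```

Run it once without -Apply to confirm the resolved identity matches what IIS shows before writing the Deny entry.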
Testing
To test that the Security Analyzer has run successfully without an alert for CheckDiskAccess, you must:
- In your DNN website, go to Settings > Security > Security Analyzer.
- Scroll down to the CheckDiskAccess alert.
You should see a green PASS.
Priyanka Bhotika