
How to resolve the CheckDiskAccess Security Analyzer alert

Overview

The Security Analyzer reviews your site for potential security issues and provides prescriptive guidance on how to address them. Running the Security Analyzer may produce an alert for CheckDiskAccess, the check that looks for extra drives or folders outside the website folder that the site's account can access.


Prerequisites

  • DNN 9+ installation.


Diagnosis

When running the Security Analyzer, the following alert may be received:

CheckDiskAccess showing alert: Checks extra drives/folders access permission outside the website folder

The CheckDiskAccess security alert checks whether your site is running under an IIS application pool identity that has permission to access disk resources outside the IIS site folder your Evoq site runs in. You will receive this alert if any such access is found. Review the disk resources listed in the alert: if you have extensions or customizations that require access to those locations, you can disregard the message; otherwise, it needs to be addressed. If your system were compromised, an attacker would gain access to every one of those locations.

This is most likely because the ApplicationPoolIdentity is a member of the Users group as well as the IIS_IUSRS group. The ApplicationPoolIdentity can read and write the flagged folders because it inherits those rights from the Users group. Ideally, the Users group should be denied permissions on the folders containing websites.


Solution

In the following example, local Drive C access would be denied:

1. Open Windows Explorer at the root of the server PC.
2. Right-click the C: drive > Properties.
3. Select the Security tab > Advanced.
4. Click Change Permissions.
5. Click Add.
6. Click Select a Principal and then enter your application pool identity name.

It may be worth double-checking your application pool identity in IIS, just to be certain.

  • Confirm which site is using the folder you expect.
    • You can confirm by opening IIS and browsing to Connections > Sites > Right-Clicking the website > Click Explore
  • Confirm which Application Pool that site is using.
    • You can confirm by opening IIS and browsing to Connections > Sites > Right-Clicking the website > Manage Website > Advanced Settings
  • Confirm which Identity that Application Pool is using.
    • You can confirm by opening IIS and browsing to Connections > Application Pools > Check the website name and the Identity column.

7. Change Type to Deny.
8. Change Applies to: This folder only.
9. Check the Full Control box, which checks all other boxes.
10. Click OK, then click Apply.
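Steps 1 to 10 as a scriptable check and fix, added here as an example and not part of the article's own procedure: it resolves the site's application pool identity, lists the Allow entries on each drive root that reach that identity directly or through the groups the article names, and then adds the same Deny entry scoped to this folder only. The site name 'Default Web Site', the group list and the use of the WebAdministration module are assumptions; run it from an elevated PowerShell prompt on the web server.

```powershell
# Added example (not from the article or DNN). Requires the WebAdministration
# module (IIS) and an elevated prompt; the site name below is an assumption.
Import-Module WebAdministration
function Get-AppPoolPrincipal {
    param([Parameter(Mandatory)][string]$SiteName)
    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "Site '$SiteName' not found" }
    $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    # Map the pool's identity type to the account name that appears in an ACL.
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'SpecificUser'            { $pool.processModel.userName }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    }
}
# Groups an app pool identity holds (Users and IIS_IUSRS per the article; Everyone and
# Authenticated Users apply to every logon), so Allow entries for them reach the pool too.
$InheritedGroups = @('BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'Everyone', 'NT AUTHORITY\Authenticated Users')
function Get-DriveRootAllowEntries {
    param([Parameter(Mandatory)][string]$Principal)
    # Every local drive root lies outside the website folder, so each is worth reviewing.
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($root in $roots.Root) {
        foreach ($ace in (Get-Acl -Path $root).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and ($id -eq $Principal -or $InheritedGroups -contains $id)) {
                [pscustomobject]@{ Path = $root; Via = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
}
function Add-DenyThisFolderOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Principal)
    # InheritanceFlags None + PropagationFlags None is "Applies to: This folder only",
    # so the Deny does not propagate into subfolders such as the website root.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Principal, 'FullControl', 'None', 'None', 'Deny')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Deny FullControl (this folder only) to $Principal")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}
# Review the entries first, then rerun the last line without -WhatIf to apply the Deny.
$principal = Get-AppPoolPrincipal -SiteName 'Default Web Site'
Get-DriveRootAllowEntries -Principal $principal | Format-Table -AutoSize
Add-DenyThisFolderOnly -Path 'C:\' -Principal $principal -WhatIf
```

The listing shows which inherited group (typically BUILTIN\Users) grants the pool its access to the drive root, which is the cause the article describes, and the Deny entry overrides those Allow entries for the pool identity only.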


Testing

To test that the Security Analyzer has run successfully without an alert for CheckDiskAccess, you must:

  1. In your DNN website, go to Settings > Security > Security Analyzer.
  2. Scroll down to the CheckDiskAccess alert.

You should see a green PASS.



Posted by Priyanka Bhotika
