Just for clarity I'm wondering what the best practice is for giving the IUSR_ account write access under IIS 6.0 to a folder. I gave searching on Google a try and on here a try but nothing's really pointing me in either direction. From my understanding giving that account write access to a folder in an Internet site would be a bad idea. This site would be a mix of Classic ASP and ASP.NET.
Anyone want to chime in on this?
Here are my "I wouldn't do this" statements in order of amount of discomfort they cause me (least to worst):
I wouldn't give anonymous users write access to a folder on a server computer connected to the Internet.
I especially wouldn't give anonymous users write access to a folder on a server computer configured to run scripts.
I really, really, really wouldn't give anonymous users write access to a folder on a server computer configured to run arbitrary executables.
In short, I wouldn't do it. If you need anonymous users to be able to write to the web server it should be done through scripts that impose some type of sanity checking / validation (size, content, etc) on the uploaded data rather than through a straight HTTP PUT to the filesystem.
I don't know everything about the subject, but I do know that you don't want to do it if you have WebDAV enabled. I ran into this issue a couple years ago and I'm basically copy/pasting my old post on the issue. In short, if you have WebDAV enabled, you can write to the server using PUT commands. Try it out.
PUT /uhoh.txt HTTP/1.1 enter
Host: localhost enter
Content-Length: 6 enter
enter
Scary! enter
At this point it should have accepted it. Check the root of your directory and view your file. You'll see that the owner is IUSR_{computer.name}.
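One way to spot the anonymous PUT described above after the fact is to scan the IIS W3C extended logs for successful write-type requests with no authenticated user. This is an added example, not part of the original posts; the log lines are constructed, and it assumes the log's #Fields line includes cs-method, cs-username and sc-status.

```python
# Added example: flag anonymous WebDAV-style writes in IIS W3C extended logs.
# HTTP/WebDAV methods that change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# Constructed sample log (documentation IP ranges, not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2009-06-01 10:00:01 192.0.2.10 GET /default.asp - 80 - 198.51.100.7 200
2009-06-01 10:00:05 192.0.2.10 PUT /uhoh.txt - 80 - 198.51.100.7 201
2009-06-01 10:00:09 192.0.2.10 PUT /docs/a.txt - 80 CORP\\editor 198.51.100.8 201
2009-06-01 10:00:12 192.0.2.10 PUT /blocked.txt - 80 - 198.51.100.7 403
2009-06-01 10:00:15 192.0.2.10 MKCOL /newdir - 80 - 198.51.100.9 201
"""


def anonymous_writes(log_text):
    """Return (date, time, client_ip, method, uri) for every successful
    write-type request logged without an authenticated user name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header can reappear mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        method = row.get("cs-method", "").upper()
        # IIS logs "-" in cs-username for anonymous requests.
        anonymous = row.get("cs-username", "-") == "-"
        succeeded = row.get("sc-status", "").startswith("2")
        if method in WRITE_METHODS and anonymous and succeeded:
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), method, row.get("cs-uri-stem")))
    return hits


if __name__ == "__main__":
    for hit in anonymous_writes(SAMPLE_LOG):
        print(*hit)
```

Any hit means the anonymous account was able to change content on disk, so the folder's NTFS permissions and the site's Write and WebDAV settings need review.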