I am looking for either a best practice, supported, guide from Microsoft or a bloggers/developers guide of the same. Or both.
I am setting up some servers for hosting and I want to configure them with just enough permissions. I have done this before where I modified the Medium trust and gave it database permissions etc but I only briefed over it.
I want to setup solid machines with the respective, common, permissions that people use. Is there maybe a resource that explains in detail what each trust level has by default? That way I could compare and go from there.
To start the security, I have made a rule on my machines that I only create dedicated application pools per site/user. I know Microsoft say that each website is virtually seperate, even in the shared application pool space, but I just don't trust it.
I also know I shouldn't run in Full Trust as I am opening up my server to all kinds of attacks.
I have a bit of knowledge on this but not enough so hopefully you lot can help me. I'm not wanting to be spoon fed what to do, I have no problem figuring it out, I just can't find the info to start with.
I appreciate your help.
Anthony
I'm running: Windows 2008 RC2 64 bit with IIS7.5 and a combination of 2.0/3.5 and 4.0 application pools.
The strict best practice is "don't let anything do anything to anything" but that is counterproductive in general -- if you aren't taking HTTP requests, you don't have a working HTTP application server.
That said, your question is very general and very nebulous. The first key question is "what sort of hosting scenario is this?" For example, full trust isn't necessarily a bad thing in a dedicated scenario, or even a shared server between "friendly" apps that should trust each other. But it is bad in a hotel server situation where you've got random guests sharing space.
The second question is what sorts of apps are you hosting? You've got completely different frontages depending on what you are doing -- spammers don't try as hard as thieves. Spies try even harder.