This section describes how to set up NTFS permissions on HTTP Commander data files and on user data folders.
Note 1! You can see how to set up NTFS permissions in the installation screencast (video) (recommended). If you want to check NTFS permissions manually, see the information below:
HTTP Commander uses a temporary folder to store temporary files, such as thumbnails, intermediate video files created during video conversion, zip files for download, and others. The temporary folder is configured in the TemporaryFolder parameter. By default it is "%WINDIR%\Temp", or it may be "%USERPROFILE%\AppData\Local\Temp" if the application pool is configured to load the user profile. The user referred to here is the application pool identity. For example, if the application pool is named HttpCommanderPool, the temporary directory may be "C:\Users\HttpCommanderPool\AppData\Local\Temp". The location of the temporary directory depends on the values of the TEMP system and user environment variables. To be certain of the location of the temporary folder, refer to the Diagnostics.aspx page in HTTP Commander.
By default, a system-wide temporary folder ("%WINDIR%\Temp") provides the necessary access to Administrators and System, but not to normal users. A user-specific folder allows access only to the respective user. HTTP Commander requires write access to the temporary folder for the application pool account and, in the Windows version, for end-user accounts. As a result, the default access is not sufficient. The simplest solution is to grant the Modify NTFS permission to all required users. This choice, however, creates a security vulnerability: the NTFS permissions then allow users to read and overwrite each other's files.
A more secure solution is to configure NTFS permissions as follows. Assign Full Control to the CREATOR OWNER pseudo-user. Assign the Create files, Create folders and Traverse folder permissions to the target users, and apply this last set of permissions to "This folder only". Target users will be able to create files and folders in the temporary directory, but they will have access only to their own files and folders; access to other users' files and folders will be denied. Assigning Full Control to CREATOR OWNER guarantees that users have full control over their own files.
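One way to apply the more secure layout described above from PowerShell, followed by a check for entries that would undo it. This is an added example, not part of the original documentation or of HTTP Commander; the folder path, the `IIS AppPool\HttpCommanderPool` identity (valid only when the pool runs as ApplicationPoolIdentity) and the `CONTOSO\HttpCommanderUsers` group are assumptions.

```powershell
# Added example, not HTTP Commander's own script.
# Assumed values: folder path, pool name and group name in the usage lines.
function Set-TempFolderAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identity
    )
    $acl = Get-Acl -LiteralPath $Path

    # CREATOR OWNER (well-known SID S-1-3-0): Full control, applied to
    # subfolders and files only. Each new object gets this entry rewritten
    # to the account that created it.
    $creatorOwner = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $creatorOwner, 'FullControl',
        'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')))

    # Target accounts: Create files, Create folders, Traverse folder,
    # with no inheritance flags, which is "This folder only".
    foreach ($id in $Identity) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'CreateFiles, CreateDirectories, Traverse',
            'None', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Lists Allow entries that still propagate to child objects for anyone other
# than CREATOR OWNER, SYSTEM and Administrators. Such an entry gives that
# account access to files created by other users.
function Get-InheritableGrant {
    param([Parameter(Mandatory)] [string] $Path)
    $expected = 'S-1-3-0', 'S-1-5-18', 'S-1-5-32-544'
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritanceFlags -ne 'None' -and
            $expected -notcontains $_.IdentityReference.Value
        }
}

$temp = 'D:\HttpCommanderTemp'   # assumed TemporaryFolder value
Set-TempFolderAcl -Path $temp -Identity 'IIS AppPool\HttpCommanderPool', 'CONTOSO\HttpCommanderUsers'
Get-InheritableGrant -Path $temp |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

An empty result from `Get-InheritableGrant` means no other account's permissions propagate to files created in the folder; any row it prints, including inherited ones, should be reviewed before relying on the per-user isolation.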
HTTP Commander AuthMode | Resources | Accounts | Permissions | Note |
---|---|---|---|---|
all | HTCOMNET folder | application pool identity | Read | |
Forms with Windows Users, Novell EDirectory | HTCOMNET folder | Anonymous user | Read | 1 |
Windows, Forms with Windows Users | HTCOMNET folder | end-users | Read | |
all | Temporary folder | application pool identity | Modify | |
Windows, Forms with Windows Users | Temporary folder | end-users | Modify | |
all | Data folder | application pool identity | Modify | 2 |
Forms with Windows Users, Novell EDirectory | web.config and HttpCommanderSettings.config files | application pool identity | Modify | |
Windows, Forms with Windows Users | web.config and HttpCommanderSettings.config files | administrators of HTTP Commander | Modify | |
Novell EDirectory | user data folders | application pool identity | Read or Modify depending on your needs | |
Windows, Forms with Windows Users | user data folders | end-user accounts | Read or Modify depending on your needs | 3 |
all | Trash folder | application pool identity | Modify | 4 |
Windows, Forms with Windows Users | Trash folder | end-user accounts | Modify | 4 |
Note 1. Why grant access to anonymous user?
Applies to AuthMode Forms, Forms with Windows users, Novell EDirectory, Auth0.
Normally the web application accesses the file system under the application pool identity, but sometimes the anonymous user is impersonated. Note that ASP.NET Impersonation is disabled in IIS.
You may find that the web application works without problems even when you have not assigned explicit permissions to the anonymous user account. The typical cause is that the anonymous user gains access to the file system via permissions assigned to the Users group. Another explanation may be that the anonymous user matches the application pool identity, to which you have already assigned Read permissions.
Why is write access not needed for the anonymous user?
The application does not explicitly impersonate the anonymous user to perform its tasks. All work is done under the application pool identity. As for read access to the application's root directory, it is IIS that impersonates the anonymous user to verify access to specific objects.
Note 2. By default, the Data folder is located in the HTCOMNET root folder, but you can move it outside the web server (see the DataFolderPath key in the Application settings).
Note 3. If you have an existing folder structure for domain users with permissions already set, you don't need to modify the existing permissions. The application impersonates the end-user when processing a user request, so NTFS file system permissions determine the level of access the end-user gets to the file system through HTTP Commander.
If you want to create a new folder structure, you need to apply the necessary NTFS permissions on the folders for the domain users.
Note 4. This applies if you have enabled the EnableTrash parameter.