About IIS Virtual Directories and File Permissions for Security and Patch Manager

Version 21

    Verified Product Versions

    • LANDESK Management Suite 9.5
    • LANDESK Management Suite 9.6
    • LANDESK Management Suite 2016.x

    Description

     

    This document contains the default settings and permissions for IIS Virtual Directories and File System Directories for Patch Manager.

     

    Note: A large number of issues reported to LANDESK related to Patch Manager can be traced back to a permissions change or Group Policy being applied to the core server resulting in a change to the default permissions.  It is important to compare the permissions on the faulty core server with the permissions listed in this document.

     

    A note about default Windows account permissions:

    Account Name: LocalSystem
    Description: The LocalSystem account is used to run IIS 8.0 services, and is also an option for application pool identities. The LocalSystem account has “Act as part of the operating system” privileges (which allows it unfettered access to Windows). It also has many other privileges by default. Suffice it to say that a process running as LocalSystem has almost full control over your server. Running application pools as LocalSystem is a security risk and needs to be carefully investigated prior to implementation.

    Account Name: Network Service
    Description: Network Service is a low-privilege account and the default web application pool identity. Network Service is able to access network resources using the computer's machine account (machinename$). Local Service is similar to Network Service, but cannot access other resources on the network (except those that permit anonymous access).

     

     

    When creating a virtual directory to another location on your server or remotely, ensure that the accounts of the site anonymous user (IUSR) and the worker process identity have the required permissions to read and execute as required.

     

    The following is a Microsoft Article about troubleshooting IIS Permissions: Guidelines for Resolving IIS Permissions Problems

     

    The following are essential directories for the LANDESK Security and Compliance Scanning process:

     

    Virtual Dir Name: Incomingdata
    Directory on disk: Program Files\LANDESK\Management Suite\IncomingData
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        Corename\LANDESK Management Suite:(OI)(CI)(IO)(GR,GE)
        Corename\LANDESK Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        LDMS2016\LANDESK Management Suite:(RX)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
        BUILTIN\BUILTIN:(RX)
        BUILTIN\BUILTIN:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)

    The purpose of this directory is to help parse incoming scanned data from the client while it is scanning.

    Note: Use the following command to view the NTFS permissions easily:

    • icacls "Program Files\LANDESK\Management Suite\IncomingData"

      (Substitute the directory you want to check in each instance.)
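To carry out the comparison the note at the top recommends, here is an added example (not from the original article) that parses saved icacls output and diffs it against the IncomingData listing above, reporting entries the server lacks and entries that were added; the hostname CORE01 and the drifted sample output are constructed. Swap the ldlogon or WSVulnerabilityCore listing in as the baseline to check those directories.

```python
import re
# Baseline copied from the IncomingData NTFS Permissions listing above.
INCOMINGDATA_BASELINE = r"""
NT AUTHORITY\IUSR:(RX)
NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
Corename\LANDESK Management Suite:(OI)(CI)(IO)(GR,GE)
Corename\LANDESK Administrators:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
LDMS2016\LANDESK Management Suite:(RX)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
BUILTIN\BUILTIN:(RX)
BUILTIN\BUILTIN:(OI)(CI)(IO)(GR,GE)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""
# Constructed icacls output from a drifted core (hostname CORE01 assumed): NETWORK SERVICE stripped, Everyone given Full control.
SAMPLE_PATH = r"C:\Program Files\LANDESK\Management Suite\IncomingData"
SAMPLE_ICACLS = SAMPLE_PATH + r""" NT AUTHORITY\IUSR:(RX)
      NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
      CORE01\LANDESK Management Suite:(OI)(CI)(IO)(GR,GE)
      CORE01\LANDESK Administrators:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      LDMS2016\LANDESK Management Suite:(RX)
      BUILTIN\BUILTIN:(RX)
      BUILTIN\BUILTIN:(OI)(CI)(IO)(GR,GE)
      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      Everyone:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
"""
_ACE = re.compile(r"^(.*?):((?:\([A-Z,]+\))+)$")  # principal:(OI)(CI)(F)

def parse_icacls(text, path="", core_name=""):
    """Return the set of (principal, flags) ACEs found in icacls output."""
    aces = set()
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:  # skips blank lines and the 'Successfully processed' footer
            continue
        principal, rights = m.group(1).strip(), m.group(2)
        if path and principal.lower().startswith(path.lower()):
            principal = principal[len(path):].strip()  # first line carries the path
        if core_name and principal.lower().startswith(core_name.lower() + "\\"):
            principal = "Corename" + principal[len(core_name):]  # doc's placeholder
        flags = frozenset(f for g in re.findall(r"\(([A-Z,]+)\)", rights) for f in g.split(","))
        aces.add((principal.lower(), flags))
    return aces

def audit(actual_output, path, core_name, baseline=INCOMINGDATA_BASELINE):
    actual, expected = parse_icacls(actual_output, path, core_name), parse_icacls(baseline)
    order = lambda ace: (ace[0], sorted(ace[1]))  # stable ordering for the report
    return {"missing": sorted(expected - actual, key=order), "extra": sorted(actual - expected, key=order)}
```

A missing entry is the usual cause of scan or download failures; an extra entry such as Everyone with Full control is a hardening problem and should be removed rather than left in place.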

     

    Virtual Dir Name: ldlogon
    Directory on disk: Program Files\LANDESK\Management Suite\ldlogon
    Application Pool: LDAppVulnerability
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        Corename\LANDESK Management Suite:(RX)
        Corename\LANDESK Management Suite:(OI)(CI)(IO)(GR,GE)
        Corename\LANDESK Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        Everyone:(RX)
        Everyone:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)

    *** Ensure that the directories LDLOGON\VulnerabilityData and LDLOGON\AgentBehaviors also inherit their permissions from LDLOGON. The VulnerabilityData folder contains the XML information used by the vulnerability scanner, describing what to scan for. An .XML file is created for each vulnerability type, OS and bit level when the first client requests the information, and is then reused for each subsequent client. LDLOGON\AgentBehaviors is used for downloading and applying the various agent behaviors.

     

    The following directory is used to help process scan results:

     

    Virtual Dir Name: WSVulnerabilityCore
    Directory on disk: Program Files\LANDESK\Management Suite\WSVulnerabilityCore
    Application Pool: LDAppVulnerability
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        Corename\LANDESK Management Suite:(RX)
        Corename\LANDESK Management Suite:(OI)(CI)(IO)(GR,GE)
        Corename\LANDESK Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        Everyone:(RX)
        Everyone:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)

     

     

    A few simple tests:

    • Can you browse to \\coreservername\wsvulnerabilitycore\vulcore.asmx? (Try from the core and from a client.)
    • If you use a browser (IE, Chrome, etc.) to browse to a patch you want to download, does it show a Save/Run prompt?
    • Is the World Wide Web Server service running on the core server?
    • Is the LDAppVulnerabilityCore Application Pool showing as running in IIS Management Tools?
