IIS Virtual Directories and File Permissions for Security and Patch Manager


    Verified Product Versions

    • LANDESK Management Suite 9.5
    • LANDESK Management Suite 9.6

    This document contains the default settings and permissions for IIS Virtual Directories and File System Directories for Patch Manager.

     

    Note: A large number of issues reported to LANDesk related to Patch Manager can be traced back to a permissions change or a Group Policy applied to the core server that alters the default permissions. It is important to compare the permissions on the faulty core server with the permissions listed in this document.

     

    A note about default Windows account permissions:

     

    • Local System: Completely trusted account, more so than the Administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something).
    • Network Service: Limited service account that is meant to run standard least-privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see the caveat above).
    • Local Service: A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service, it has no ability to access the network as the machine.
    • IUSR: See "Understanding Built-In User and Group Accounts in IIS 7" on the official Microsoft IIS site.

     

    The following is an excellent Microsoft Article about troubleshooting IIS Permissions: https://msdn.microsoft.com/en-us/library/aa954062.aspx


    The following are essential directories for the LANDESK Security and Compliance Scanning process:




    Virtual Dir Name: Incomingdata
    Directory on disk: Program Files\LANDESK\Management Suite\IncomingData
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        CoreName\LANDesk Management Suite:(OI)(CI)(IO)(GR,GE)
        CoreName\LANDesk Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        CoreName\LANDesk Management Suite:(RX)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
        BUILTIN\BUILTIN:(RX)
        BUILTIN\BUILTIN:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)

    The purpose of this directory is to help parse incoming scanned data from the client while it is scanning.

    Note: Use the following command to view NTFS permissions easily:

    • icacls "Program Files\LANDESK\Management Suite\IncomingData"

               (Substitute the directory you want to check in each instance.)

     

    Virtual Dir Name: ldlogon
    Directory on disk: Program Files\LANDESK\Management Suite\ldlogon
    Application Pool: LDAppVulnerability
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        CoreName\LANDesk Management Suite:(RX)
        CoreName\LANDesk Management Suite:(OI)(CI)(IO)(GR,GE)
        CoreName\LANDesk Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        Everyone:(RX)
        Everyone:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)


    *** Ensure that the directory "LDLOGON\VulnerabilityData" also inherits the permissions from LDLOGON.

    The VulnerabilityData folder contains the XML information used by the vulnerability scanner, describing what to scan for. .XML files are created for each vulnerability type, OS, and bit level when the first client requests the information, and are then reused for each subsequent client.

     

    The following directory is used to help process scan results:

     

    Virtual Dir Name: WSVulnerabilityCore
    Directory on disk: Program Files\LANDESK\Management Suite\WSVulnerabilityCore
    Application Pool: LDAppVulnerability
    Virtual Dir Properties: Read, Directory Browsing, Log Visits, Index This Resource
    Directory Security: Anonymous (IUSR)
    NTFS Permissions:

        CoreName\LANDesk Management Suite:(RX)
        CoreName\LANDesk Management Suite:(OI)(CI)(IO)(GR,GE)
        CoreName\LANDesk Administrators:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        NT AUTHORITY\IUSR:(RX)
        NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)
        Everyone:(RX)
        Everyone:(OI)(CI)(IO)(GR,GE)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
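    The following PowerShell script is an added example, not LANDESK tooling: it reads icacls output for each directory documented above (including LDLOGON\VulnerabilityData, which must inherit from LDLOGON) and reports any entry that is missing from or added to the baseline listed on this page. It assumes the default install root shown and uses the core server's own name in place of "CoreName".

```powershell
# Added example (not LANDESK tooling): diff each Patch Manager directory's NTFS ACL against the
# baseline documented here via icacls output. Assumed: default install root; CoreName = core's host name.
$InstallRoot = 'C:\Program Files\LANDESK\Management Suite'   # assumed default install path
$CoreName    = $env:COMPUTERNAME                              # stand-in for "CoreName"
# Baseline ACEs as listed in this document; IncomingData differs from the two web directories.
$IncomingDataBaseline = @(
    'NT AUTHORITY\IUSR:(RX)', 'NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)',
    "$CoreName\LANDesk Management Suite:(RX)", "$CoreName\LANDesk Management Suite:(OI)(CI)(IO)(GR,GE)",
    "$CoreName\LANDesk Administrators:(OI)(CI)(F)", 'BUILTIN\Administrators:(OI)(CI)(F)',
    'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)', 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)',
    'BUILTIN\BUILTIN:(RX)', 'BUILTIN\BUILTIN:(OI)(CI)(IO)(GR,GE)'   # principal copied as printed on the page
)
$WebDirBaseline = @(
    "$CoreName\LANDesk Management Suite:(RX)", "$CoreName\LANDesk Management Suite:(OI)(CI)(IO)(GR,GE)",
    "$CoreName\LANDesk Administrators:(OI)(CI)(F)", 'BUILTIN\Administrators:(OI)(CI)(F)',
    'NT AUTHORITY\SYSTEM:(OI)(CI)(F)', 'NT AUTHORITY\IUSR:(RX)', 'NT AUTHORITY\IUSR:(OI)(CI)(IO)(GR,GE)',
    'Everyone:(RX)', 'Everyone:(OI)(CI)(IO)(GR,GE)', 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)'
)
$Baselines = [ordered]@{
    'IncomingData' = $IncomingDataBaseline; 'ldlogon' = $WebDirBaseline; 'WSVulnerabilityCore' = $WebDirBaseline
    'ldlogon\VulnerabilityData' = $WebDirBaseline   # must inherit ldlogon's ACL (see the note above)
}
function Get-IcaclsEntries {
    param([string]$Path)
    foreach ($line in (& icacls.exe $Path 2>&1)) {
        $text = [string]$line
        if ($text -match '^\s*(Successfully processed|Failed processing|$)') { continue }
        # icacls prefixes the first ACE with the path; strip it so only the ACE remains.
        if ($text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { $text = $text.Substring($Path.Length) }
        # Normalise: drop the inherited flag (I) and spacing after the colon to match the page's notation.
        $text.Trim() -replace '\(I\)', '' -replace ':\s+', ':'
    }
}

function Compare-PatchManagerAcl {
    param([string]$Name, [string[]]$Expected)
    $actual  = @(Get-IcaclsEntries -Path (Join-Path $InstallRoot $Name))
    $missing = @($Expected | Where-Object { $actual   -notcontains $_ })   # documented but absent
    $extra   = @($actual   | Where-Object { $Expected -notcontains $_ })   # present but not documented
    [pscustomobject]@{ Directory = $Name; Missing = $missing; Extra = $extra
                       Matches   = ($missing.Count -eq 0 -and $extra.Count -eq 0) }
}

foreach ($dir in $Baselines.Keys) {
    $result = Compare-PatchManagerAcl -Name $dir -Expected $Baselines[$dir]
    if ($result.Matches) { "$dir matches the documented baseline"; continue }
    "$dir DIFFERS from the documented baseline"
    $result.Missing | ForEach-Object { "  missing: $_" }
    $result.Extra   | ForEach-Object { "  extra:   $_" }
}
```

    Run it in an elevated PowerShell session on the core server; an "extra" entry is the usual footprint of the Group Policy or manual permission change mentioned at the top of this document.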

     

     

    A few simple tests:

     

    • Can you browse to \\coreservername\wsvulnerabilitycore\vulcore.asmx?
    • If you use a browser (IE, Chrome, etc.) to browse to a patch you want to download, does it show a Save/Run prompt?
    • Is the World Wide Web Server service running on the core server?
    • Is the LDAppVulnerabilityCore Application Pool showing as running in IIS Management Tools?
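    The checks above can be scripted on the core server; the following is an added example, not LANDESK tooling. It assumes the application pool name listed in the tables above (LDAppVulnerability), the default web site on port 80, and that vulcore.asmx is served under the WSVulnerabilityCore virtual directory.

```powershell
# Added example (not LANDESK tooling): run the checks listed above from the core server.
# Assumed: pool name from the tables above, default web site on port 80, and that the
# .asmx path mirrors the WSVulnerabilityCore virtual directory name.
Import-Module WebAdministration          # IIS cmdlets, present with the IIS management tools
$CoreServer = $env:COMPUTERNAME          # run on the core server itself
$AppPool    = 'LDAppVulnerability'
$VulCoreUrl = "http://$CoreServer/WSVulnerabilityCore/vulcore.asmx"

$checks = [ordered]@{
    'W3SVC (World Wide Web Publishing) service running' = { (Get-Service -Name W3SVC).Status -eq 'Running' }
    "$AppPool application pool started"                  = { (Get-WebAppPoolState -Name $AppPool).Value -eq 'Started' }
    'vulcore.asmx answers HTTP 200'                      = {
        (Invoke-WebRequest -UseBasicParsing -Uri $VulCoreUrl -TimeoutSec 15).StatusCode -eq 200 }
}

$failures = 0
foreach ($name in $checks.Keys) {
    # A check that throws (pool absent, HTTP error, timeout) is a failure and reports its message.
    try   { $passed = [bool](& $checks[$name]); $detail = '' }
    catch { $passed = $false; $detail = " ($($_.Exception.Message))" }
    if (-not $passed) { $failures++ }
    $status = if ($passed) { 'PASS' } else { 'FAIL' }
    "$status  $name$detail"
}
"$failures of $($checks.Count) checks failed"
```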