> 1) The CF install changed the IUSR permissions to the wwwroot > folder to remove read/execute. Why is that necessary? I > understand the explicit deny write, but the anonymous account > must have read to do anything. > > 2) The install did not give the W3WP process account (in this > case, Network Service, the default) read/execute permission > to the location of the CF files, which contains the wildcard > ISAPI extension, necessary for the execution of CF. This > resulted in a 401.3- ACL denied problem until we fixed it. > This is a big oversight in my opinion.
I've never run into either problem on a 32-bit Windows Server 2003 install. But then again, I generally start with default ACLs before I do my CF install, then tighten them after the install. I typically don't use the IUSR_ account specifically for ACLs, I use the "Authenticated Users" group instead. I also don't tighten the CF directory until after the install, either, and I don't grant "Network Service" permissions to the entire CF directory, but rather just to the appropriate wsconfig directory (of course, this means that directory traversal must also be granted). But who am I to argue with someone who names themselves after "Chesty" Puller? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Training: Adobe/Google/Paperthin Certified Partners http://training.figleaf.com/ WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers! http://www.webmaniacsconference.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301738 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
