Winbox Security Scheme

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

Starting with version 2.5, H-Sphere introduces a new Winbox security scheme. The goal of the new scheme is to get rid of 'LOCAL SYSTEM' identity for application pool processes of IIS 6.0, to simplify some tasks such as managing FrontPage and ASP.NET, and to make H-Sphere accounts hierarchy more structural.

This document considers the following aspects of the new security scheme:

Accounts Hierarchy

Features:

• There are several predefined security groups:
  • HS_ACCTS - contains all accounts created by H-Sphere on this server
  • HS_FTP_ACCTS - contains accounts created by H-Sphere which are used as FTP logins for H-Sphere users
  • HS_IUSR_ACCTS - contains accounts which are used as anonymous for H-Sphere virtual hosts
  • HS_FTP_SUBACCTS - contains accounts which are used as sub FTP logins
• During creation of a user, a special group is being created named as <user name>_group. This group contains all accounts related to a particular H-Sphere account, such as FTP login account, anonymous accounts for every virtual host owned by this user, and sub FTP logins accounts.

• a subaccount is no longer a member of <main account>_group
• <main account>_subaccts group is being created for each account that has subaccounts
• any subaccount of a particular account becomes a member of <main account>_subaccts group
• NTFS permissions to particular subaccount home directory are given explicitly for this subaccount in addition to existing NTFS permissions for this directory

IIS Security Management

Features:

• The FTP account login is not used anymore as anonymous web access for all sites owned by the user. Instead of this, for each virtual host a separate account with random password is being created during virtual host creation procedure.
• The password synchronization IIS feature which requries 'LOCAL SYSTEM' identity for web application process is not used anymore. The reason for this is that this account and randomly generated password is registered in the metabase as anonymous for this particular virtual host.
• An account is being added to HS_ACCTS, HS_IUSR_ACCTS and H-Sphere account group. Each anonymous login has the following format:
  <IUSR_user name>_<virtual host number> where <user name> is H-Sphere FTP account title and <virtual host number> is number of particular virtual web host owned by this H-Sphere account.
• Now each IIS web application process is run under 'NETWORK SERVICE' identity. There is a number of H-Sphere modules run in IIS web processes which should perform some privileged operations such as read/write files or register keys protected by NTFS permissions. That is why H-Sphere creates a special 'HsISAPIAcct' account as a member of the 'Local Administrators' group. This account is used by H-Sphere IIS modules to perform such privileged operations. In addition, its password is being regenerated each time IIS is started for security reason.

NTFS permissions

Windows

The following NTFS permissions are set for a user home directory:

• Local Administrator group: FULL ACCESS
• SYSTEM: FULL ACCESS
• ASPNET account: READ ACCESS
• <FTP account name>_group local group: MODIFY,READ,WRITE,EXECUTE,LIST FOLDER CONTENT

Windows

The following NTFS permissions are set for a user home directory:

• Local Administrator group: FULL ACCESS
• SYSTEM: FULL ACCESS
• NETWORK SERVICE: READ ACCESS
• <FTP account name>_group local group: MODIFY,READ,WRITE,EXECUTE,LIST FOLDER CONTENT

The following permissions are added to <H-Sphere dir>bin directory:

• NETWORK SERVICE: READ,EXECUTE,LIST FOLDER CONTENT

Relevant to both platforms

The following NTFS permissions are used for ODBC DSN registry key:

• Local Administrator group: FULL ACCESS
• SYSTEM: FULL ACCESS
• <FTP account name>_group local group: QUERY VALUE,SET VALUE,CREATE SUBKEY,ENUMERATE SUBKEYS,NOTIFY

FrontPage Server Extensions management notes

The following changes were made to FPSE management as a part of a new scheme:

• Anonymous access is assigned to Browser role for any FPSE enabled virtual host
• <FTP account name>_group local group is set as FPSE administrator for any FPSE enabled virtual host
• HsAuth ISAPI filter is no more used for FPSE enabled virtual hosts

ASP.NET management notes

• The ASP.NET management operations, which enable and disable ASP.NET service for a particular virtual web host, are based on the .NET framework configuration file machine.config.
• The following fragment is added to the machine.config file for a particular virtual host if ASP.NET is being disabled for this virtual host:
  

  <location path="<virtual host domain name>" allowOverride="false">
        <system.web>
                <authorization>
                       <deny users="*"/>
                </authorization>
        </system.web>
  </location>>

• When ASP.NET service is enabled for a particular virtual host, it is being removed from machine.config file, if found.

Migration notes

• During the Winbox upgrade, all existing accounts will be automatically migrated to a new security scheme. This process migrates account settings, web settings, NTFS permissions for home directories and ODBC DSNs, ASP.NET settings, FPSE settings and can take significant time.
• The migration procedure is performed once. If it's necessary for some reason to repeat the migration, the NewSecurity line should be removed from <H-Sphere.NET dir>bininstall.history file.
• Migration process can be monitored using migration log which can be found in the update.log log file of upgrade tool.