RE: write permissions for IIS
From: Dodol Bali (firstname.lastname@example.org)
From: "Dodol Bali" <email@example.com>
To: "'chris curtiss'" <chrisc@VistaPrint.com>, "'Matej Pfajfar'" <firstname.lastname@example.org>, <email@example.com>
Date: Thu, 18 Jul 2002 13:52:29 -0700
Rather than have the doc available via a VDIR, you should really use the
built-in IIS binary read and write object that allows you to open a file
and write the binary contents to the client. This way you can completely
hide the temp files. This is useful if you want to prevent unauthorized
users from reading the doc.
From: chris curtiss [mailto:chrisc@VistaPrint.com]
Sent: Wednesday, July 17, 2002 12:56 PM
To: 'Matej Pfajfar'; firstname.lastname@example.org
Subject: RE: write permissions for IIS
You should probably do something like this:
Have the web request come in and have the webserver send the request to
a mid-tier server running MSWord, have that machine do whatever it is
you're going to do, then have Word save off to a third machine (file
server), map the directory from the fileserver as a VDIR in IIS (read
only of course) to the webserver to read the file back and send it to
This way you're not running anything patently unsafe like Office on a
machine directly connected to the web, you don't have write permission
in IIS on the directory the files reside in, and you can give Word all
the access you think it needs to the directory on the fileserver.
Obviously the fileserver here is optional, but probably nice to have.
I was going to try Bad ASCII Art, but I'm way too untalented.
> -----Original Message-----
> From: Matej Pfajfar [mailto:email@example.com]
> Sent: Wednesday, July 17, 2002 8:03 AM
> To: firstname.lastname@example.org
> Subject: write permissions for IIS
> A web application that my company is developing needs to create MS Word
> documents on the fly. It seems that these need to be saved onto disk
> before being shoved down the pipe to the browser, which requires IIS to be
> given write permissions to a directory that is readable from the web.
> I know this isn't quite right for security but it seems that there isn't a
> choice - are there any extra precautions we could take? Have other people
> found this problem as well?
> Matej Pfajfar
> GPG Public Keys @ http://matejpfajfar.co.uk/keys
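
The approach from the top message of this thread (stream the file through a script instead of exposing it via a VDIR), sketched as an added example that is not part of the original thread. It assumes classic ASP with ADODB.Stream and Response.BinaryWrite; the directory, the "id" parameter, the Session("UserID") value and the file-naming scheme are hypothetical.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: download.asp. Streams a generated Word document from a
' directory that is NOT mapped into the web site (no VDIR), so the temp
' file is never directly addressable by URL.
' Assumptions (hypothetical): DOC_DIR, the "id" parameter, a numeric
' Session("UserID"), and a generator that names files <owner>_<32 hex>.doc.
' The web identity needs only read access here; cleanup of old files is
' left to the tier that generates them.
Const DOC_DIR = "D:\docgen\out\"      ' outside every IIS-mapped directory
Const adTypeBinary = 1

Dim id, re, fso, path, stm

' 1. Require an authenticated session before touching the file system.
If IsEmpty(Session("UserID")) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Accept only a fixed-format token, never a file name or path from the client.
id = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^[0-9a-f]{32}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Build the path server-side; the owner prefix ties the file to this user.
path = DOC_DIR & CLng(Session("UserID")) & "_" & id & ".doc"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Read the file as binary and write its contents to the client.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = "application/msword"
Response.AddHeader "Content-Disposition", "attachment; filename=""document.doc"""
Response.BinaryWrite stm.Read
stm.Close
%>
```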