RE: write permissions for IIS

From: Dodol Bali (dodolbali@hotmail.com)
Date: 07/18/02


From: "Dodol Bali" <dodolbali@hotmail.com>
To: "'chris curtiss'" <chrisc@VistaPrint.com>, "'Matej Pfajfar'" <badbytes@freehaven.net>, <focus-ms@securityfocus.com>
Date: Thu, 18 Jul 2002 13:52:29 -0700

Rather than have the doc available via a VDIR, you should really use the
built in IIS binary read and write object that allows you to open a file
and write the binary contents to the client. This way you can completely
hide the temp files. This is useful if you want to avoid unauthorized
users from reading the doc.

-----Original Message-----
From: chris curtiss [mailto:chrisc@VistaPrint.com]
Sent: Wednesday, July 17, 2002 12:56 PM
To: 'Matej Pfajfar'; focus-ms@securityfocus.com
Subject: RE: write permissions for IIS

You should probably do something like this:

Have the web request come in and have the webserver send the request to
a mid-tier server running MSWord, have that machine do whatever it is
you're going to do, then have Word save off to a third machine (file
server), map the directory from the fileserver as a VDIR in IIS (read
only of course) to the webserver to read the file back and send it to
the client.

This way you're not running anything patently unsafe like office on a
machine directly connected to the web, you don't have write permission
in IIS on the directory the files reside in, and you can give word all
the access you think it needs to the directory on the fileserver.

Obviously the fileserver here is optional, but probably nice to have.

I was going to try Bad ASCII Art, but I'm way too untalented.

Good luck,

Chris

> -----Original Message-----
> From: Matej Pfajfar [mailto:badbytes@freehaven.net]
> Sent: Wednesday, July 17, 2002 8:03 AM
> To: focus-ms@securityfocus.com
> Subject: write permissions for IIS
>
>
>
> Hi,
>
> A web application that my company is developing needs to
> create MS Word
> documents on the fly. It seems that these need to be saved onto disk
> before being shoved down the pipe to the browser, which
> requires IIS to be
> given write permissions to a directorz that is readable from the web.
>
> I know this isn't quite right for security but it seems that
> there isn't a
> choice - are there any extra precautions we could take? Have
> other people
> found this problem as well?
>
> Thanks,
>
> Mat
>
> --
> Matej Pfajfar
>
> GPG Public Keys @ http://matejpfajfar.co.uk/keys
>
>
>



Relevant Pages

  • RE: no OWA
    ... have the correct permissions was the "inetpub" folder. ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ...
    (microsoft.public.windows.server.sbs)
  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
  • Re: FTP control
    ... > I would like to use NTFS security settings to control who ... I would suggest getting a third party FTP server, ... if you set quota and these permissions for that group you can ... Information Server (IIS) Web site, ...
    (microsoft.public.win2000.security)
  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... > permissions that you must have to run Internet Information Services ... > third-party applications in an IIS 5.0 environment. ... Open the properties for the %systemroot%\Winnt folder, ...
    (microsoft.public.inetserver.iis.security)
  • Re: Digest Authentication
    ... It sounds like IIS is having problems impersonating the IUSR account, ... In IIS, you do not need Script Source or Write permissions unless you ... But the Digest authentication for windows domain is ...
    (microsoft.public.inetserver.iis)