Re: write permissions for IIS

From: Arvind Shyamsundar
Date: 07/20/02

Date: 20 Jul 2002 17:41:48 -0000
From: Arvind Shyamsundar

If I may summarize, it looks as though
- your software (ASP pages) accepts some requests from the web
- the ASP dynamically generates the Word DOC file
- saves this DOC to a VDIR
- the client later downloads this DOC from the VDIR using a straight HTTP

Based on the above I see the following potential threats:
- that VDIR would have to have WRITE permission for IUSR_<machine> at the
NTFS level; which is a potentially bad idea
- no access control would be enforced on the downloads; meaning users can
potentially lift off others' files

My recommendation would therefore be
- use the ASP page to write the binary stream with appropriate HTTP
headers so that the browser prompts to download the DOC
- thereby no extra directory would be needed etc.
- the drawback is obviously more computation at each request.

Alternatively one can use an out-of-process COM / COM+ application to
create and retrieve these DOC files, thereby
- using DCOMcnfg or equivalent (MTS package identity) can run as
non-privileged user
- enforcing access control; the COM component would use some session token
to restrict access to only the user's files
- non-compute intensive; the content creation can be done offline and not
on each request.
- the out of process execution of the COM server would avoid direct WRITE
permissions being required.


Arvind Shyamsundar
Brainbench MVP for Internet Security
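
The following is an added example, not part of the original message: a classic ASP page that streams a DOC with download headers and only serves files belonging to the logged-in user, so no web-readable or IUSR-writable directory is needed. The store path `D:\docstore\`, the `Session("UserId")` value and the `doc` query parameter are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Assumptions (not from the original message):
'  - documents are written by a separate, non-privileged process into
'    D:\docstore\<user id>\, a folder outside every virtual directory
'  - IUSR_<machine> has READ only on that folder, never WRITE
'  - the login page stored a numeric user id in Session("UserId")
Const STORE_ROOT = "D:\docstore\"
Const adTypeBinary = 1

Sub Deny(statusLine)
    Response.Status = statusLine
    Response.End
End Sub

Dim userId, docName, re, fso, path, stm

' 1. The caller must have an authenticated session.
userId = CStr(Session("UserId"))
If userId = "" Then Deny "401 Unauthorized"

' 2. Accept only a bare file name: no slashes, dots or drive letters,
'    so the request cannot climb out of the caller's own folder.
docName = CStr(Request.QueryString("doc"))
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}\.doc$"
If Not re.Test(docName) Then Deny "400 Bad Request"

' 3. The path is built from the session's user id, never from the request,
'    which is what stops one user fetching another user's file.
path = STORE_ROOT & userId & "\" & docName
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then Deny "404 Not Found"

' 4. Stream the bytes with headers that make the browser prompt to save.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = "application/msword"
Response.AddHeader "Content-Disposition", _
    "attachment; filename=""" & docName & """"
Response.BinaryWrite stm.Read
stm.Close
Response.End
%>
```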