Re: write permissions for IIS

From: Arvind Shyamsundar (ashyamsundar@hotmail.com)
Date: 07/20/02


Date: 20 Jul 2002 17:41:48 -0000
From: Arvind Shyamsundar <ashyamsundar@hotmail.com>
To: focus-ms@securityfocus.com


In-Reply-To: <20020719123353.56870.qmail@web20502.mail.yahoo.com>

Hi,
If I may summarize it looks as though
- your software (ASP pages) accept some requests from the web
- the ASP dynamically generates the Word DOC file
- saves this DOC to a VDIR
- the client later downloads this DOC from the VDIR using a straight HTTP
download

Based on the above I see the following potential threats:
- that VDIR would have to have WRITE permission for IUSR_<machine> at the
NTFS level; which is a potentially bad idea
- no access control would be enforced on the downloads; meaning users can
potentially lift off others' files

My recommendation would therefore be
- use the ASP page to write the binary stream with appropriate HTTP
headers so that the browser prompts to download the DOC
- thereby no extra directory would be needed etc.
- the drawback is obviously more computation at each request.

Alternatively one can use an out-of-process COM / COM+ application to
create and retrieve these DOC files, thereby
- using DCOMcnfg or equivalent (MTS package identity) it can run as a
non-privileged user
- enforcing access control; the COM component would use some session token
to restrict access to only the user's files
- non-compute intensive; the content creation can be done offline and not
on each request.
- the out of process execution of the COM server would avoid direct WRITE
permissions being required.

HTH,

Arvind Shyamsundar
Brainbench MVP for Internet Security
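The download side of the approach described above, as an added example that is not code from the original post: a classic ASP page that enforces access control through the logged-in session, reads the user's own DOC from a store outside the web root (so no VDIR needs NTFS WRITE for IUSR_<machine> and no file is reachable by a straight HTTP download), and sends the headers that make the browser prompt to save it. The `Session("UserID")` key and the `D:\docstore\<UserID>\<DocID>.doc` layout are assumptions for this example; if the DOC is generated in memory per request instead, the same headers apply and the `BinaryWrite` call receives the generated bytes directly.

```vbscript
<%@ Language=VBScript %>
<%
' Added example, not from the original post.
' Assumptions: Session("UserID") is set at login (numeric id), and each
' user's DOCs are stored as D:\docstore\<UserID>\<DocID>.doc, a folder
' that is NOT under any IIS virtual directory.
Option Explicit

Const DOC_ROOT = "D:\docstore\"   ' assumed store location, outside wwwroot
Const adTypeBinary = 1            ' ADODB.Stream binary mode

Dim userId, docId, path, stm

Response.Buffer = True

' 1. Access control: only an authenticated session may download anything.
userId = Session("UserID")
If userId = "" Or Not IsNumeric(userId) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Accept only a numeric document id, so the request can never name an
'    arbitrary file on disk (no "..", no other user's folder).
docId = Request.QueryString("id")
If docId = "" Or Not IsNumeric(docId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. The path is built from the session's own user id, never from the
'    request, so a user can only ever reach files in their own folder.
path = DOC_ROOT & CLng(userId) & "\" & CLng(docId) & ".doc"

Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
On Error Resume Next
stm.LoadFromFile path
If Err.Number <> 0 Then
    ' Missing file or no NTFS read access for the process identity.
    On Error GoTo 0
    stm.Close
    Response.Status = "404 Not Found"
    Response.End
End If
On Error GoTo 0

' 4. Headers that make the browser prompt to save the response as a DOC.
Response.Clear
Response.ContentType = "application/msword"
Response.AddHeader "Content-Disposition", _
    "attachment; filename=report" & CLng(docId) & ".doc"
Response.AddHeader "Content-Length", CStr(stm.Size)
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
Response.End
%>
```

Because the page reads with the web application's process identity, only that identity needs NTFS READ on the store; the IUSR_<machine> account needs no WRITE permission anywhere under the web root, and the writer (the ASP generator or the out-of-process COM server) can be granted WRITE on the store alone.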


