RE: write permissions for IIS

From: busu (busu@tpg.com.au)
Date: 03/19/03

    From: "busu" <busu@tpg.com.au>
    To: <focus-ms@securityfocus.com>
    Date: Wed, 19 Mar 2003 20:17:41 +1100
    
    

    Hi,

    I am looking to configure ISA server in reverse proxy configuration.
    Any pointers for configuration file? Also any specific lockdown of OS
    and IIS on ISA server? Thank you
    cb


    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    Sent: Thursday, 18 July 2002 4:40 AM
    To: Matej Pfajfar; focus-ms@securityfocus.com
    Subject: Re: write permissions for IIS


    At 05:02 AM 7/17/2002, Matej Pfajfar wrote:

    >Hi,
    >
    >A web application that my company is developing needs to create MS Word
    >documents on the fly. It seems that these need to be saved onto disk
    >before being shoved down the pipe to the browser, which requires IIS to be
    >given write permissions to a directory that is readable from the web.
    >
    >I know this isn't quite right for security but it seems that there isn't a
    >choice - are there any extra precautions we could take? Have other people
    >found this problem as well?

    Depending on the web application configuration pooling, you could set up a
    COM+ component in Component Services to run under the context of a specific
    user - this user/process could be given write-only access to the doc
    directory but not read or execute. The IUSR account could then be given
    read-only access (specifically denying write and execute) to it to mitigate
    possible permission abuse. I think it would take some tweaking, but it is
    doable.

    AD

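The ACL split described in the quoted reply above, as an added example that is not part of the original thread. The directory path, the machine name and both account names are placeholders (assumptions); substitute the COM+ application identity and the anonymous IIS account in use on the server.

```powershell
# Added example: all paths and account names below are hypothetical placeholders.
$docDir   = 'D:\WebApp\generated-docs'   # directory served by IIS
$writer   = 'WEBSRV01\svc_docwriter'     # identity the COM+ component runs as
$anonUser = 'WEBSRV01\IUSR_WEBSRV01'     # anonymous IIS account

# Apply each ACE to the folder, its subfolders and its files.
$inherit = 'ContainerInherit, ObjectInherit'
$prop    = 'None'

function New-Rule($identity, $rights, $type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $prop, $type)
}

$acl = Get-Acl -Path $docDir

# Stop inheriting from the parent and discard the inherited ACEs,
# so that only the rules set here apply to the directory.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs left over from earlier configuration.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Keep administrative access so the directory stays manageable.
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))

# COM+ identity: write-only. No read or execute rights are granted,
# so this account can create documents but cannot read them back or run them.
$acl.AddAccessRule((New-Rule $writer 'Write' 'Allow'))

# Anonymous web account: read-only, with write and execute explicitly denied.
# Deny entries are evaluated before allow entries, so the deny also overrides
# any write or execute right the account might pick up through a group.
$acl.AddAccessRule((New-Rule $anonUser 'Read' 'Allow'))
$acl.AddAccessRule((New-Rule $anonUser 'Write, ExecuteFile' 'Deny'))

Set-Acl -Path $docDir -AclObject $acl

# Review the resulting ACL.
(Get-Acl -Path $docDir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Run it from an elevated session, then confirm that the web application can still serve a generated document and that a write attempt made as the anonymous account is refused.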
