RE: Auto deploy from W2K machine w/IIS Lockdown applied
From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: 12/20/02
Hi Norm,
The Lockdown tool secures system utilities by putting a deny execute ACE
for the Web Applications group and the Web Anonymous Users group on all
files underneath the Windows directory. This is done to prevent
successful attacks from executing command-line tools. The Lockdown tool
ACL's the file if it meets the following criteria:
- *.exe
- *.com
There is one exception:
It doesn't put a deny execute ACE for "Web Applications" on DLLHOST.EXE.
This is the executable that hosts out-of-process applications. DLLHOST.EXE
is the executable that the members of the "Web Applications" group have to
start.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: "Norm Dotti" <normd@knorrassociates.com>
| Subject: Auto deploy from W2K machine w/IIS Lockdown applied
| Date: Fri, 20 Dec 2002 07:28:28 -0800
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
|
| I can't seem to get autodeploy to work from a W2K Server
| machine w/the IIS Lockdown applied. I keep getting a 404
| when I try to get the exe (e.g. http://webserver/app.exe).
| If I turn on directory browsing I can see the exe file
| there so I know I'm asking for it correctly. I've got the
| app set up for Script-only in IIS. I've got anonymous
| access set up. I've removed .config from the list of files
| to not download. Does the lockdown tool somehow prevent
| the detection of a .net exe? I'm not all that familiar
| w/what the lockdown tool does behind the scenes. Any help
| would be appreciated.
|
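
The ACE rule described in the reply can be checked on a server with an audit like the one below. This is an added example, not code from the thread or from Microsoft: the function name and report shape are hypothetical, and it assumes a Windows host with PowerShell 3.0 or later and locally resolvable group names.

```powershell
# Added example: report *.exe / *.com files under the Windows directory whose
# deny-execute ACEs differ from the rule described in the reply.
# Group names and the DLLHOST.EXE exception are taken from the post;
# Get-LockdownAceReport and its output fields are hypothetical.
function Get-LockdownAceReport {
    param(
        [string]$Root = $env:windir,
        [string[]]$Groups = @('Web Applications', 'Web Anonymous Users')
    )
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.com -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL: $($file.FullName)"
                return   # move on to the next file
            }
            foreach ($group in $Groups) {
                # Is there a Deny ACE that covers ExecuteFile for this group?
                $denied = $false
                foreach ($ace in $acl.Access) {
                    $name = ($ace.IdentityReference.Value -split '\\')[-1]
                    if ($name -eq $group -and
                        $ace.AccessControlType -eq 'Deny' -and
                        ($ace.FileSystemRights -band $execute) -eq $execute) {
                        $denied = $true
                    }
                }
                # Per the post: every match gets the ACE, except DLLHOST.EXE
                # for the "Web Applications" group.
                $expected = -not ($file.Name -eq 'dllhost.exe' -and $group -eq 'Web Applications')
                [pscustomobject]@{
                    Path        = $file.FullName
                    Group       = $group
                    DenyExecute = $denied
                    Expected    = $expected
                    Match       = ($denied -eq $expected)
                }
            }
        }
}

# Show only the files that deviate from the described rule.
Get-LockdownAceReport | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

Rows with `Match` false are either executables that lack the deny ACE or a DLLHOST.EXE that "Web Applications" can no longer start.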