Re: Can't download exe's from my own site
From: Jack Brewster (jbrewsterPLEASENO@SPAMnthurston.k12.wa.us)
Date: 06/06/02
- In reply to: Jeff Cochran: "Re: Can't download exe's from my own site"
From: "Jack Brewster" <jbrewsterPLEASENO@SPAMnthurston.k12.wa.us> Date: Thu, 6 Jun 2002 08:15:11 -0700
How would a user run an .exe on a website? (Other than buffer overruns,
trojans, etc.)
The way I understand the process is, when a user clicks on a link (any link,
but specifically a .exe for this discussion) that initiates a file transfer
request, not a run request. The file is then downloaded to the user's PC
where they can run it.
Jack
<jcochran at naplesgov dot com (Jeff Cochran)> wrote in message
news:3d115880.113616001@news.supernews.com...
> But less of a security risk (this *is* a security group). I saw a
> study a year or so ago that listed the file extensions and number of
> systems that could use them, and ZIP files were near the top, as were
> PDF and Flash files.
>
> The alternative is to use the EXE files, but make sure you lock the
> system down to prevent malicious execution.
>
> Jeff
>
> >And that requires users to have .zip software and know how to use it. A
> >separate nightmare.
> >
> >Jack
> >
> ><jcochran at naplesgov dot com (Jeff Cochran)> wrote in message
> >news:3d04017b.25803583@news.supernews.com...
> >> >That did it! Thanks. Second question: I removed the .exe from the
> >> >urlscan.ini file in the DenyExtensions section, however does this now allow
> >> >users to run executables also? I don't want them to execute them, I want
> >> >them to only download them. Is there a way to turn one feature off without
> >> >the other? Even though I have Execute Permissions to None, it still lets
> >> >users run an executable unless I put the exe back in the DenyExtensions.
> >>
> >> You may want to review your permissions, both in IIS and in the NTFS
> >> permissions for the file and folder. Users shouldn't be able to
> >> execute files if they don't have permission. If this is a download
> >> only, you can set the folder to read for the IUSR account and that
> >> should prevent execution.
> >>
> >> Better is to convert all executables to a ZIP file, and block EXE's
> >> using URLScan. But that might be a nightmare if you have a lot of
> >> them.
> >>
> >> Jeff
>
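
An added example, not part of the thread: a small model of the urlscan.ini extension lists discussed above, showing that the `[DenyExtensions]` check rejects any request for a listed extension and so cannot tell a download from an execution (that distinction is left to the IIS Execute Permissions and NTFS permissions mentioned in the quoted reply). The function names and the sample file are constructed for illustration, and only the extension lists are modelled, none of URLScan's other checks.

```python
# Added example: models only URLScan's extension lists, nothing else it checks.
SAMPLE_INI = """\
; constructed sample, not a real server's configuration
[options]
UseAllowExtensions=0
[AllowExtensions]
.htm
[DenyExtensions]
.exe
.bat
"""

def parse_urlscan(text):
    """Return (use_allow, allow_set, deny_set) from urlscan.ini text."""
    section, options = None, {}
    lists = {"allowextensions": set(), "denyextensions": set()}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "options" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif section in lists:
            lists[section].add(line.lower())     # one extension per line
    use_allow = options.get("useallowextensions", "0") == "1"
    return use_allow, lists["allowextensions"], lists["denyextensions"]

def extension_rejected(ini_text, url_path):
    """True if the extension lists alone would reject this request path."""
    use_allow, allow, deny = parse_urlscan(ini_text)
    name = url_path.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    # Allow-list mode rejects anything unlisted; deny-list mode rejects listed.
    return ext not in allow if use_allow else ext in deny

def drop_deny_entry(ini_text, ext):
    """The change described in the thread: remove one [DenyExtensions] entry."""
    out, section = [], None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        if section == "denyextensions" and line.lower() == ext.lower():
            continue                             # skip the removed extension
        out.append(raw)
    return "\n".join(out) + "\n"
```
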