Re: urlscan configuration for specific cgi apps

From: BB (Bernard_at_3exp.com)
Date: 12/12/02


From: "BB" <Bernard_at_3exp.com>
Date: Thu, 12 Dec 2002 21:12:21 +0800


But won't this be blocked by Urlscan again.
if .exe is in [Deny Extension] ??

Rgds.

"Thomas Deml [Msft]" <thomad@online.microsoft.com> wrote in message
news:eT1hFwaoCHA.2220@TK2MSFTNGP09...
> No, not really.
>
> there is one way to do this though:
>
> Here is a little trick that allows only a particular executable to run
> without having to give executable rights to an entire virtual directory.
> Unfortunately this is not supported via the UI. Here is how you do it via
> script:
> Lets suppose you have a virtual directory called cgivdir underneath the
root
> node of your site. Within this vdir is the CGI program you have to run
> called mycgi.exe. First you should remove all rights from the cgivdir
> directory. You do not even have to allow read access or allow anonymous
> request:
>
> adsutil.vbs set w3svc/1/root/cgivdir/AccessFlags 0
>
> adsutil.vbs set w3svc/1/root/cgivdir/AuthFlags 0
>
> Then you simply create a metadata node for mycgi.exe underneath the
cgivdir
> virtual directory.
>
> adsutil.vbs create w3svc/1/root/cgivdir/mycgi.exe IIsWebFile
>
> As a last step you only allow the necessary access rights to mycgi.exe
>
> adsutil.vbs set w3svc/1/root/cgivdir/mycgi.exe/AccessExecute true
>
> adsutil.vbs set w3svc/1/root/cgivdir/mycgi.exe/AuthAnonymous true
>
> Now nothing but mycgi.exe can be executed in the cgivdir virtual
directory.
>
> If you have no other virtual directory with execute access you basically
> achieved the goal. To find out if other directories have Execute rights
try:
>
> c:\Inetpub\AdminScripts\adsutil.vbs find AccessExecute
>
> or go through every site and virtual directory in your site and look if
you
> find "Execute permissions" set to "Scripts and Executables".
>
> Hope this helps.
> --
> Thomas Deml
> Lead Program Manager
> Internet Information Services
> Microsoft Corp.
>
>
>
>
> "billemery" <emery_bill@hotmail.com> wrote in message
> news:09eb01c2a16d$f32bb3f0$8af82ecf@TK2MSFTNGXA03...
> > is it possible to configure urlscan so that a paticular
> > cgi program say prog.exe is allowed but no other .exe ?
> >
> > ie http://www.webpage.com/cgi-bin/prog.exe ?parm1....&parmn
> > would be allowed.
> > the command line could have & in it also separating the
> > parms.
> >
> >
> >
>
>



Relevant Pages

  • Re: urlscan configuration for specific cgi apps
    ... without having to give executable rights to an entire virtual directory. ... Lets suppose you have a virtual directory called cgivdir underneath the root ... If you have no other virtual directory with execute access you basically ...
    (microsoft.public.inetserver.iis.security)
  • Re: urlscan configuration for specific cgi apps
    ... i wish i could use urlscan though. ... >> Lets suppose you have a virtual directory called ... cgivdir underneath the ... >> If you have no other virtual directory with execute ...
    (microsoft.public.inetserver.iis.security)
  • Re: urlscan configuration for specific cgi apps
    ... but this I believe with NO urlscan inplace.... ... >>> without having to give executable rights to an entire ... >>> Lets suppose you have a virtual directory called ... >>> If you have no other virtual directory with execute ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS error with .com in virtual directory name
    ... IIS rejects the client request with a 403.1 error - ... execute access forbidden. ... IIS seems to think that the virtual directory name ... > - In Internet Services Manager right click on the virtual directory, ...
    (microsoft.public.inetserver.iis)
  • Re: IIS error with .com in virtual directory name
    ... "Virtual Directory Names with Executable Extensions Are Not Used Correctly" ... Kristofer Gafvert - IIS MVP ... execute access forbidden. ... > - In Internet Services Manager double click on the virtual directory, ...
    (microsoft.public.inetserver.iis)