Re: urlscan configuration for specific cgi apps

From: BB (Bernard_at_3exp.com)
Date: 12/13/02


From: "BB" <Bernard_at_3exp.com>
Date: Fri, 13 Dec 2002 20:39:04 +0800


No... urlscan is a 'must' have tool if you ask me.

I re-read Thomas's solution again. It's to configure it to
only allow 'mycgi.exe' to be executable,
but this, I believe, is with NO urlscan in place....

If urlscan is installed, the request will be blocked.

And I believe you should have urlscan installed.
Take out the '.exe' in 'deny extension', then use
Thomas's suggestion to further secure it....

Rgds.

"billemery" <emery_bill@hotmail.com> wrote in message
news:030701c2a1e4$74a7bac0$8df82ecf@TK2MSFTNGXA02...
> thanks very much, i knew there had to be a way, in other
> words you are saying to not use urlscan.
> that's no problem, i wish i could use urlscan though. slick
> utility.
>
>
> >-----Original Message-----
> >But won't this be blocked by Urlscan again.
> >if .exe is in [Deny Extension] ??
> >
> >Rgds.
> >
> >"Thomas Deml [Msft]" <thomad@online.microsoft.com> wrote in message
> >news:eT1hFwaoCHA.2220@TK2MSFTNGP09...
> >> No, not really.
> >>
> >> there is one way to do this though:
> >>
> >> Here is a little trick that allows only a particular executable to run
> >> without having to give executable rights to an entire virtual directory.
> >> Unfortunately this is not supported via the UI. Here is how you do it via
> >> script:
> >> Let's suppose you have a virtual directory called cgivdir underneath the root
> >> node of your site. Within this vdir is the CGI program you have to run
> >> called mycgi.exe. First you should remove all rights from the cgivdir
> >> directory. You do not even have to allow read access or allow anonymous
> >> request:
> >>
> >> adsutil.vbs set w3svc/1/root/cgivdir/AccessFlags 0
> >>
> >> adsutil.vbs set w3svc/1/root/cgivdir/AuthFlags 0
> >>
> >> Then you simply create a metadata node for mycgi.exe underneath the cgivdir
> >> virtual directory.
> >>
> >> adsutil.vbs create w3svc/1/root/cgivdir/mycgi.exe IIsWebFile
> >>
> >> As a last step you only allow the necessary access rights to mycgi.exe
> >>
> >> adsutil.vbs set w3svc/1/root/cgivdir/mycgi.exe/AccessExecute true
> >>
> >> adsutil.vbs set w3svc/1/root/cgivdir/mycgi.exe/AuthAnonymous true
> >>
> >> Now nothing but mycgi.exe can be executed in the cgivdir virtual directory.
> >>
> >> If you have no other virtual directory with execute access you basically
> >> achieved the goal. To find out if other directories have Execute rights try:
> >>
> >> c:\Inetpub\AdminScripts\adsutil.vbs find AccessExecute
> >>
> >> or go through every site and virtual directory in your site and look if you
> >> find "Execute permissions" set to "Scripts and Executables".
> >>
> >> Hope this helps.
> >> --
> >> Thomas Deml
> >> Lead Program Manager
> >> Internet Information Services
> >> Microsoft Corp.
> >>
> >>
> >>
> >>
> >> "billemery" <emery_bill@hotmail.com> wrote in message
> >> news:09eb01c2a16d$f32bb3f0$8af82ecf@TK2MSFTNGXA03...
> >> > is it possible to configure urlscan so that a particular
> >> > cgi program say prog.exe is allowed but no other .exe ?
> >> >
> >> > ie http://www.webpage.com/cgi-bin/prog.exe ? parm1....&parmn
> >> > would be allowed.
> >> > the command line could have & in it also separating the
> >> > parms.
> >> >
> >> >
> >>
> >>
> >
> >.
> >
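
The interaction discussed in this thread, a `.exe` entry in UrlScan's deny list blocking the request even with the per-file rights from the quoted post set, can be checked offline against a copy of UrlScan.ini. This is an added example, not code from the thread or from Microsoft; the sample ini, the function names and the simplified extension parsing are assumptions.

```python
# Added example: models only UrlScan's extension check, not the full filter.
SAMPLE_INI = """\
; constructed sample, not taken from a real server
[options]
UseAllowExtensions=0   ; 0 = use [DenyExtensions], 1 = use [AllowExtensions]
[AllowExtensions]
.htm
[DenyExtensions]
.exe
.bat
"""

def parse_urlscan_ini(text):
    """Return {section: [entries]}, lower-cased, with ';' comments removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def extension_verdict(ini_text, url):
    """Return (allowed, reason) for the extension rule applied to `url`."""
    cfg = parse_urlscan_ini(ini_text)
    opts = dict(e.replace(" ", "").split("=", 1)
                for e in cfg.get("options", []) if "=" in e)
    # Assumption: a missing UseAllowExtensions is treated as 0 (deny-list mode).
    allow_mode = opts.get("useallowextensions", "0") == "1"
    # Simplification: the extension is read from the last path segment.
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    section = "allowextensions" if allow_mode else "denyextensions"
    listed = ext in cfg.get(section, [])
    return listed == allow_mode, f"{ext or '(none)'} listed in [{section}]: {listed}"

def without_deny(ini_text, ext):
    """Return the ini text with `ext` removed from [DenyExtensions]."""
    out, section = [], None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if line.startswith("["):
            section = line.strip("[]")
        if section == "denyextensions" and line == ext.lower():
            continue
        out.append(raw)
    return "\n".join(out) + "\n"
```

After `.exe` is taken out of the deny list, every `.exe` URL passes the extension rule, not only `mycgi.exe`, which is why the per-file `AccessExecute` restriction from the quoted post is still needed.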


