Re: URL scan question
From: David Wang [Msft] (someone@online.microsoft.com)
Date: 02/12/03
- Next message: David Wang [Msft]: "Re: Lockdown tool for .Net server"
- Previous message: Guoqi Zheng: "Re: SSL"
- In reply to: Milo: "URL scan question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Wang [Msft]" <someone@online.microsoft.com> Date: Tue, 11 Feb 2003 22:41:13 -0800
Unfortunately, it's an all or none proposition on extension names for
URLScan.
This is an often requested feature for URLScan.
It is perfectly fine to allow EXE on a website (you allow them to be
downloaded). You only have to be concerned about the vdir having "Scripts
and Executables" permission, which is what allows the EXE to execute on the
server. As long as you don't allow .EXE and "Scripts and Executables" on
the same vdir, you are fine (i.e. on a download directory, I'd only allow
Read permissions and maybe Browse. No Script, No Executables, No Write.
-- //David This posting is provided "AS IS" with no warranties, and confers no rights. // "Milo" <Milo145@hotmail.com> wrote in message news:084c01c2d218$23ba3890$3001280a@phx.gbl... I've been using URL scan for awhile not and I'm very pleased with how well it works. Resently I've started posting winzip self extraction file on my site for users to download. We'll to enable the self extraction files to work I have to comment out the Deny executables as follows ;.exe This is turn opens up all kinds of security concerns because now .exe's can be run against my web server. My question for the group does anyone else host self extraction files while using URL scan and how did they get around this problem? Is there any way to just limit URL scan to allow only that one file to be executed? TIA, Milo
- Next message: David Wang [Msft]: "Re: Lockdown tool for .Net server"
- Previous message: Guoqi Zheng: "Re: SSL"
- In reply to: Milo: "URL scan question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
