IIS & ASP security advice
From: Sabir Ahmedi (sahmedi_at_ramapo.edu)
Date: 04/30/03
Date: Wed, 30 Apr 2003 16:14:49 -0400
Hi all,
I have a user who has requested special permissions on my IIS 5.0 server. I
do not want to assign read and write permissions to anonymous web user since
the directories are sub-directories of my IIS home directory. The following
is the user's request and reasoning for these permissions:
The directory /lord/lord_files/ needs to have read and write permissions set
for it and all subdirectories contained within it. This is because the web
wizard uses that directory so that it can create html files. Basically, any
web users will not have access to write, it might be said in the permissions
that they do but IIS does not allow this to happen unless an ASP script is
written to upload a file. Currently there is a single script that allows for
uploading and this is set to a specific directory
"\lord\biewer\orage\schmuck". This is for the application that I have
developed that allows a user to take a database and convert a table within
it into a web page. This script will only write to that directory and upon
completion of the Conversion Wizard it will delete the files that it has
created. This script will not allow an uploading to any other section of the
web server. The script will only allow the upload of .mdb files. This is to
prevent a user from uploading a program or script that would allow entry
into the server. I understand your concern about users, particularly
hackers/crackers having access to this directory. It is true that because
there are read permissions on the directory a user could find the directory,
though this would have to be with trial and error. But they would be unable
to view the contents of the directory because the server is not set up to
show the contents. Now if they were able to find a file that had write
permissions they would still be unable to write to this file, or create
their own. They cannot upload any files to this directory because in order
to do so they would need a script (ASP) on the host machine. Because the
only scripts that I have written that deal with writing to a directory are
secure and do not let the user upload their own scripts, and are hard coded
to specific directories, there should be no need to worry about a user
getting access that way. Now there is one other possibility, an attacker
might be able to write to this directory if they discovered a hole in IIS,
which would allow them to execute arbitrary commands. Although, this is
highly unlikely as long as the server is up to date on the security updates
from Microsoft.
I am not quite sure if most of what he said is true given my limited IIS
experience. Could someone give me a second opinion as to how this could be
done?? Thanks,
Sabir.
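
Added example, not part of the original post and not the user's ASP script: a Python sketch of the server-side checks an upload handler has to make before "only .mdb files, only one hard-coded directory" actually holds. `UPLOAD_DIR`, the function names and the sample inputs are assumptions made for illustration; the header bytes are the standard start of a Jet 3/4 .mdb file.

```python
import ntpath
import re

# Assumption: hypothetical upload directory, not a path taken from the post.
UPLOAD_DIR = r"D:\wwwroot\uploads"
# Jet 3/4 database files (.mdb) start with these bytes.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB\x00"
# Allow-list: one base name and exactly one extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.mdb", re.IGNORECASE)


def validate_upload(client_name: str, head: bytes) -> str:
    """Return the path the upload may be stored at, or raise ValueError.

    client_name is the file name sent by the browser (attacker controlled);
    head is the first bytes of the uploaded content.
    """
    # Browsers may send a full client path; keep only the last component.
    name = ntpath.basename(client_name.replace("/", "\\"))
    # fullmatch rejects double extensions, semicolons, trailing dots or
    # spaces, stream suffixes and embedded control characters in one step.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name not allowed")
    # An extension is only a label; check that the content is a Jet database.
    if not head.startswith(JET_MAGIC):
        raise ValueError("content is not a Jet database")
    dest = ntpath.normpath(ntpath.join(UPLOAD_DIR, name))
    # Defence in depth: the result must sit directly inside UPLOAD_DIR.
    if ntpath.dirname(dest).lower() != UPLOAD_DIR.lower():
        raise ValueError("destination escapes upload directory")
    return dest


def accepted(client_name: str, head: bytes) -> bool:
    """Convenience wrapper: True when validate_upload accepts the input."""
    try:
        validate_upload(client_name, head)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = JET_MAGIC + b"\x00" * 16          # constructed sample header
    for n in ("data.mdb", "page.asp;.mdb", "data.mdb.asp", "data.mdb."):
        print(n, accepted(n, good))
    print("script bytes named .mdb:", accepted("x.mdb", b"<% constructed %>"))
```

These checks cover only the handler; the upload directory should also have script and execute permissions disabled in IIS, so that anything that does land there is never run by the server.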