Re: URLScan and an EXE File
From: Herb Martin (news_at_LearnQuick.com)
Date: 07/11/03
- Next message: Jim C: "Another URLScan Question"
- Previous message: David Wang [Msft]: "Re: can't rename dir in IIS or through explorer"
- In reply to: Roger Abell [MVP]: "Re: URLScan and an EXE File"
- Next in thread: David Wang [Msft]: "Re: URLScan and an EXE File"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Jul 2003 20:58:25 -0500
User permissions for the other EXEs that should not
run.
Something like:
cacls *.exe /e /t /d Machine_Domain\IUSR_machinename
(An appropriate group can be used also -- do NOT use
everyone, network users, authenticated users etc with DENY)
Not a bad idea to do this to ALL *.exe *.dll on your system -
The lockdown tool does something like this to all the programs
OUTSIDE your webs, like in System32, on the theory if a hacker
does RUN code they cannot bootstrap through the existing and
powerful system utilies.
[What follows is just personal venting, feel free to ignore....]
Caveat: Having just screwed up my Frontpage extensions for the
5th time, maybe I am not the best person to trust on the subject. <GRIN>
Seriously, I didn't mess them up by myself, the lockdown tool or UrlScan
is did this too me.
The reason I am GOOD with permissions (besides teaching) is from YEARS
of FIGHTING Frontpage and the various Server Extensions or lockdown tool
crappy handling of this.
I LOVE FrontPage, I hate their idea of permissions -- and the stupid
lockdown
tool has hoed me again.
Even auditing is not finding the "file access" problem this time -- ok,
re-think
assumptions....
- Next message: Jim C: "Another URLScan Question"
- Previous message: David Wang [Msft]: "Re: can't rename dir in IIS or through explorer"
- In reply to: Roger Abell [MVP]: "Re: URLScan and an EXE File"
- Next in thread: David Wang [Msft]: "Re: URLScan and an EXE File"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
