Re: IIS 6 / FrontPage Group Isolation
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/18/03
- Next message: Bernard: "Re: Can IIS 6 force SSL for Basic Authentication?"
- Previous message: Eric Chamberlain: "Can IIS 6 force SSL for Basic Authentication?"
- In reply to: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Next in thread: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Reply: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Jul 2003 18:57:03 -0700
CACLS can remove ACEs selectively. It can also add ACE selectively.
CACLS CMD.EXE /E /R Username
Believe me, we do hear your complaints about FrontPage and will be doing
something about it. It's unfortunate that the IIS team doesn't have control
of FPSE (Office team does)... so we have a harder time persuading them on
writing server code vs client code like Office. FPSE is a black box to the
IIS team as well.
Script code should translate to ASP. You just need to make sure that ASP is
directed to interpret the script language correctly (defaults to VBScript).
I regularly shift JScript/VBScript from commandline to ASP without issues.
As for Microsoft.IIsScriptHelper -- you've got the source code to it
(%SYSTEMROOT%\System32\IISScHlp.wsc)... the intention of the admin scripts
is to provide full code samples illustrating how to use documented APIs.
I'm pretty jaded against the Unix Parse and Pray approach to scripting. We
all like what we're familiar with. :-)
-- //David This posting is provided "AS IS" with no warranties, and confers no rights. // "Scott Muc" <smuc@paconline.net> wrote in message news:010701c34c88$8ee5bd70$a401280a@phx.gbl... UGH! I give up! I can't fight this any longer. I tried creating a website using iisweb.vbs, and it complained about the UNC path. I hacked the code removing the UNC checking. I also made it add the IUSR that I wanted and a couple other things to the website. Guess what? I was able to install FP on the site without adding the NETWORK/INTERACTIVE user! WTF? That script is where I grabbed most of my CreateSite code! The only difference is how the iisweb.vbs script connects using WMI. iisweb.vbs uses something called Microsoft.IIsScriptHelper which has zero documentation (at least from googles perspective). That object doesn't work on IIS5, so I tried it on the W2K3 machine... looks like it doesn't translate to ASP very well because I kept on getting WScript errors. I think I am going to resort to writing a script that will remove INTERACTIVE/NETWORK on a nightly basis. Doesn't look like fun since cacls nor xcacls have any flags to remove ACE's. Remind me to make sure my next job is with unix based servers. Scripting doesn't seem to be such a chore on that platform. If I sound grumpy/jaded/pissed it's because I am :-) Scott Muc >-----Original Message----- >>> Just found out something else. Extending FrontPage >>> extensions puts NETWORK/INTERACTIVE and the custom FPSE >>> group in the ACL only when the site was created using my >>> ASP createsite script. >>> >>> If I create the site manually it works fine. Not sure it >>> it will help but I'm attaching the code that creates a >>> website : http://muc-central.com/createsite.txt >> >>Hmmm. I do not really understand this behavior. >> > >What's worse is that if I change one line of my script, >and set the home directory to a local folder, it works >fine. > >>Your script, which by the way is quite similar to settings >>that I use, does not do the FP extending (which of course >>cannot be scripted - only shelled out to owsadm, >repetitively) >> > >I have an ASP script that installs FP using WScript.Shell, >and owsradm.exe. I can post it on-line if you want to >check it out. > >><PS> From the script I see you likely are already using >>separate iusr accounts (i.e. your iusername). However, >>as I understand it, to effect similar for the IWAM with >>IIS 6 you need to have an app pool per distinct authoring >>ownership (sounds like a performance killer doesn't it ?) >>Notice how that clarifies earlier response in other post >>where I was thinking IIS5. >></PS> > >Yes, we are creating seperate IUSRs for every website, and >creating a seperate application pool for every website. I >prefer security/stability over performance enhanced >settings. > > >>> I guess I could create a site with my script, and >>> another manually and do a diff on the metabase >>>properties. > >>We think alike, after reading this last I just cut out >>from further up where is now <PS> > >Tried this, and the metabase settings were the same. > ><-- snip --> > >. >
- Next message: Bernard: "Re: Can IIS 6 force SSL for Basic Authentication?"
- Previous message: Eric Chamberlain: "Can IIS 6 force SSL for Basic Authentication?"
- In reply to: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Next in thread: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Reply: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
