Re: Filesystemobject security IIS question...
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/20/03
- Previous message: PL: "ICF on mutihomed system"
- In reply to: Agustin: "Re: Filesystemobject security IIS question..."
- Next in thread: Agustin: "Re: Filesystemobject security IIS question..."
- Reply: Agustin: "Re: Filesystemobject security IIS question..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 02:27:51 -0800
Well, FileSystemObject is legacy code, so no development will happen on it.
Directory Bind does not make sense because it is a Policy definition and not
a Feature. Thus, it makes sense for a web-app or its administrator to
define valid areas of access by Policy, and all code running within that
area must obey policy. Sort of like the way FileAccess works in .Net.
I do not fully understand your other question concerning anonymous
accounts. If you give an anonymous user account for every user on your
system, that certainly allows you to define which user can read/execute what
by fine-grained ACL.
As for "riskiness" -- If you are not running IIS6, you really have no choice
on the process identity in the inproc case (any code that runs
RevertToSelf() will become LocalSystem), so you need to control what code
people can upload and run.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
news:bpfq8s$1o5bmc$1@ID-48235.news.uni-berlin.de...
Hi David,

The script I tested this with uses full path (ie: c:\inetpub\dir1). So
turning parent paths won't work.

If I Deny List Data / Read Data for IUSR in inetpub, would that work? To
what other directories should I deny IUSR read? I was thinking of C:\

There should be a directory bind for FSO (ie binding the FSO only to
c:\inetpub\ and higher).

Thanks a lot David!

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OcEQXbprDHA.2304@tk2msftngp13.phx.gbl...
> Make sure the identity that the script runs as does not have Read
> permissions where it shouldn't.
>
> Why do you have Everyone:F on inetpub -- remove it. You can set IUSR:Deny
> on inetpub if you then reset the include directory to allow IUSR:R . In
> particular, turn off ASPParentPaths if you don't want ASP pages being able
> to read any file it can access on the hard drive.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Agustin" <agustinchernitskyNOSPAM@hotmail.com> wrote in message
> news:bpe1hu$1lh816$1@ID-48235.news.uni-berlin.de...
> Hi Guys,
>
> I have the following problem. My IIS dir structure is as follows:
>
> c:\inetpub\site1
> c:\inetpub\site2
> c:\inetpub\siten
>
> The inetpub folder has these permissions:
> EVERYONE: Full - this folder, sub folders and files
> INTERACTIVE: RX - this folder, sub folders
> NETWORK: RX - this folder, sub folders
> SYSTEM: RX - this folder, sub folders
>
> And for some sites (in general):
> IUSR: RX - this folder, sub folders
> IUSR: R - Files only
> System: F
> Administrators: F
> User: RXW - this folder, sub folders
> User: RW - Files
>
> I uploaded a directory browsing script and found out that I could browse my
> entire hard disk.
>
> Can someone point out to me what NTFS permissions I have to place and where to
> stop this script from browsing out of its boundaries or listing the root dir
> (ie inetpub and below)?
>
> I placed IUSR deny List Data / Read Data in c:\inetpub, but this gave me
> problems with include files....
>
> Any ideas??
>
> Thanks!
>
> Agustin
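The thread turns on two NTFS details that are easy to get wrong: an explicit ACE on a directory is evaluated before any ACE inherited from its parents (so "IUSR:Deny on inetpub, then reset the include directory to allow IUSR:R" works), and a deny on inetpub does nothing to keep site1's script out of site2 while both sites run as the same IUSR account (David's per-user anonymous account point). The following is an added example, not code from the thread or from Microsoft: a small Python model of the canonical NTFS DACL order applied to Agustin's directory layout, with an `listable_dirs` audit that reports which directories a given account could enumerate through FileSystemObject. The layout names (`original`, `deny_only`, `hardened`, `per_site`), the account names `IUSR_site1`/`IUSR_site2`, and the reduced three-right access mask are assumptions made for the illustration.

```python
"""Added example (not from the thread): model of NTFS DACL evaluation applied
to the layout in Agustin's post, to show what each ACL change does for a
FileSystemObject script running as the anonymous account.

Assumptions: every ACE is set "this folder, subfolders and files"; the access
mask is reduced to three named rights; the only group membership modelled is
that every account belongs to Everyone; the volume root carries no ACEs.
"""
from dataclasses import dataclass, field

# Named stand-ins for access-mask bits (assumption). FILE_LIST_DIRECTORY and
# FILE_READ_DATA are the same bit (0x1), which is why denying "List Folder /
# Read Data" on a directory also blocks reading the files below it.
LIST = "ListFolder/ReadData"
EXEC = "Traverse/Execute"
WRITE = "WriteData"
RX = frozenset({LIST, EXEC})
FULL = frozenset({LIST, EXEC, WRITE})


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool          # False = access-denied ACE
    rights: frozenset


@dataclass
class Directory:
    aces: list = field(default_factory=list)   # explicit (non-inherited) ACEs


class Volume:
    def __init__(self):
        self.dirs = {}

    def add(self, path, *aces):
        self.dirs[path] = Directory(list(aces))

    @staticmethod
    def parent(path):
        head, sep, _ = path.rpartition("\\")
        return head if sep else None          # "C:" has no parent

    def effective_dacl(self, path):
        """Canonical NTFS order: explicit deny, explicit allow, then inherited
        ACEs from the nearest ancestor outward, deny before allow at each level."""
        ordered, node = [], path
        while node is not None:
            aces = self.dirs[node].aces
            ordered += [a for a in aces if not a.allow] + [a for a in aces if a.allow]
            node = self.parent(node)
        return ordered


def is_member(account, trustee):
    return trustee == account or trustee == "Everyone"


def access_check(volume, account, path, requested):
    """Walk the DACL in order, as the kernel access check does: an allow ACE
    grants rights until none remain; a deny ACE covering a still-needed right
    ends the walk with a denial; running out of ACEs is an implicit deny."""
    remaining = set(requested)
    for ace in volume.effective_dacl(path):
        if not is_member(account, ace.trustee):
            continue
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
        elif ace.rights & remaining:
            return False
    return False


def build_volume(layout):
    """Assumed layout names:
    'original'  - Everyone:F on inetpub, one shared IUSR (Agustin's post)
    'deny_only' - IUSR:Deny List/Read on inetpub, include dir not reset
    'hardened'  - as deny_only plus explicit IUSR:R on the include dir
    'per_site'  - as hardened, but one anonymous account per site"""
    per_site = layout == "per_site"
    a1 = "IUSR_site1" if per_site else "IUSR"
    a2 = "IUSR_site2" if per_site else "IUSR"
    accounts = sorted({a1, a2})
    vol = Volume()
    vol.add("C:")
    if layout == "original":
        vol.add("C:\\inetpub", Ace("Everyone", True, FULL))
    else:
        vol.add("C:\\inetpub", *(Ace(a, False, frozenset({LIST})) for a in accounts))
    include = [] if layout in ("original", "deny_only") else [Ace(a, True, RX) for a in accounts]
    vol.add("C:\\inetpub\\include", *include)
    vol.add("C:\\inetpub\\site1", Ace(a1, True, RX), Ace("Administrators", True, FULL))
    vol.add("C:\\inetpub\\site2", Ace(a2, True, RX), Ace("Administrators", True, FULL))
    return vol


def listable_dirs(volume, account):
    """Every directory the account could enumerate via FSO .Files/.SubFolders."""
    return sorted(p for p in volume.dirs if access_check(volume, account, p, {LIST}))


if __name__ == "__main__":
    for layout, acct in [("original", "IUSR"), ("deny_only", "IUSR"),
                         ("hardened", "IUSR"), ("per_site", "IUSR_site1")]:
        print(f"{layout:10} {acct:11} -> {listable_dirs(build_volume(layout), acct)}")
```

Running it reproduces the thread step by step: under `original` the inherited Everyone:F lets IUSR list inetpub and every site; `deny_only` is Agustin's broken attempt, where the inherited deny takes the include directory away while the sites' own explicit IUSR:RX allows still win; `hardened` restores the include directory with an explicit allow, but a shared IUSR can still list site2 from site1; only `per_site` confines each site's script, because the other site's explicit allow names a different account and the inherited deny is the next ACE that matches. The model leaves out ASPParentPaths and in-process RevertToSelf(), which are separate controls the thread also mentions.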