how to block/disable windows scripting host ?

From: Akhlaq Khan (akhlaq.khan_at_softechww.com)
Date: 03/10/04

• Next message: puppymalo_at_hotmail.com: "Have I been hacked?"
• Previous message: anonymous_at_discussions.microsoft.com: "Re: Permission Error When Using FSO In ASP!?"
• Next in thread: Jeff Cochran: "Re: how to block/disable windows scripting host ?"
• Reply: Jeff Cochran: "Re: how to block/disable windows scripting host ?"
• Reply: David Wang [Msft]: "Re: how to block/disable windows scripting host ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 10 Mar 2004 21:54:17 +0500

hi,
can u please tell me how can i block WSH scripts and wscript.shell objects
from being created in ASP pages ?
one of my servers recently got hacked and i am desparately looking for a
solution.

thanks,
akhlaq.

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1a886bc34f9beb9c98a130@news-server.columbus.rr.com...
> In article <844101c3e9b3$3fb2dc10$a101280a@phx.gbl>,
> dylanmilks@yahoo.com says...
> > Through my ASP app, I'm using wshell.script to open a cmd
> > window. If I don't pass any parameter to cmd, it works
> > fine. If I try to give it some parameters, it gives
> > me "access is denied".
> >
> > This works:
> > Set oShell = Server.CreateObject("WScript.Shell")
> > Set oExec = oShell.Exec("cmd /c")
> >
> > This returns access denied:
> > Set oShell = Server.CreateObject("WScript.Shell")
> > Set oExec = oShell.Exec("cmd /c dir c:\")
> >
> > Any idea why?
> > How can I get this to work?
>
> You don't want to let it work - IIS should NOT be able to access CMD at
> any time, you will be hacked.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

---

• Next message: puppymalo_at_hotmail.com: "Have I been hacked?"
• Previous message: anonymous_at_discussions.microsoft.com: "Re: Permission Error When Using FSO In ASP!?"
• Next in thread: Jeff Cochran: "Re: how to block/disable windows scripting host ?"
• Reply: Jeff Cochran: "Re: how to block/disable windows scripting host ?"
• Reply: David Wang [Msft]: "Re: how to block/disable windows scripting host ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: content static for 24hrs ... if data found the html page is created ... Writing each hit to a database is what springs to my mind. ... The are single purpose servers. ... Would upgrading your servers and writing standard ASP be an acceptable ... (microsoft.public.inetserver.asp.db) IIS State - help appreciated ... I've got three web servers, all running IIS 4 on NT 4. ... Kernel Time: 0:0:5.875 ... Unable to locate ASP page. ... (microsoft.public.inetserver.iis) Re: asp login page ... Not supported on Windows Servers. ... and tutorials on my web site regarding ASP: http://www.takempis.com. ... who did the login scripting? ... (microsoft.public.frontpage.client) WMI in ASP fails on 2003 (err 80041003); works fine on 2000 ... I've searched and seen several threads about problems with using WMI within ... ASP pages. ... Now, all servers are configured to disallow anonymous authentication, and I ... Now, I can make it work by configuring the WMI call to use delegation, like ... (microsoft.public.win32.programmer.wmi) Re: Possible ASP - MYSQL connection problems??? ... I encountered a similar thing when my webhotel swapped servers. ... new servers couldnt interpret includes with relative paths - ... >> I recently have switched from using an Access Database to a MYSQL ... >> database for an ASP page driven website I have developed. ... (microsoft.public.inetserver.asp.db)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)