Re: Secure an upload page
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/27/04
- Next message: Ken Schaefer: "Re: Outlook Express"
- Previous message: Ken Schaefer: "Re: Secure an upload page"
- In reply to: Joe: "Re: Secure an upload page"
- Next in thread: Joe: "Re: Secure an upload page"
- Reply: Joe: "Re: Secure an upload page"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Apr 2004 13:10:01 +1000
"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:47a501c42be9$592a8670$a601280a@phx.gbl...
: Hello Roger thanks for the reply
:
: Define an account that is not granted permissions
: in the FPSE config for the web, but that is granted
: permissions at NTFS level for the upload-to folder.
: Then, when they get that prompt after starting the
: upload this is the account that needs be given.
:
: I created an account in FPSE and with a browse permission
: but it will not allow you to upload the file. I went up to
: a contributor and this didn't work either
:
: So presently it is at the Author level and you can upload
: the file. What or how would I create this type of account that you
: are speaking of?
Right-click on My Computer and choose Manage. There is a node called "Local
users and groups". This is where you create new user accounts.

You need to give this user appropriate *NTFS* permissions to write files to
the hard disk. If you do not know what NTFS permissions are then I seriously
suggest you hire a consultant to do this work for you, since understanding
file system permissions is a fundamental server administration task.
Alternatively, take a few days off, buy a decent Windows 2003 Admin book and
read it.

I don't know what type of upload control you are using. Any generic upload
control should work just fine with the user in the Browse role. You should
not need to put the user into the Authors role. The Authors role allows that
user to *author* content on your server, which means publishing stuff.

Cheers
Ken
:
: I am not sure about your second answer I do know that I
: can use IIS to protect the page but then after you will
: have to deal with FPSE. This seems like double work.
: I have never used Webdav and the extensions are not
: enabled at this time.
: This page is a subweb but not in the navigational structure
: 2 ASP.net so how can I set a control and limit please?
: as you can tell I am green at this part.
: Thanks
: Joe
:
: >-----Original Message-----
: >You sound to be partly there. There are two ways
: >to continue now:
: >1
: >Define an account that is not granted permissions
: >in the FPSE config for the web, but that is granted
: >permissions at NTFS level for the upload-to folder.
: >Then, when they get that prompt after starting the
: >upload this is the account that needs be given.
: >2.
: >Grant the account browse on the web in the FPSE,
: >and either make your upload page a FPSE subweb
: >that does not allow anonymous access, or tweak the
: >NTFS permissions on the upload page so that the
: >IUSR_/IWAM_ accounts used by the web do not
: >have permissions. Alter the NTFS permission on
: >the upload-to folder as in 1.
: >
: >You would be best off using an upload control or
: >Asp.Net for the upload so that you can exercise
: >control over the size and kinds of things uploaded.
: >
: >If the upload-to folder is within the web, be very
: >very careful about FPSE "correcting" permissions
: >for you, and never ask it to repair the web. It will
: >have an inclination to let all accounts upload unless
: >you have isolated the upload capability in a separate
: >FPSE web that is not allowing anonymous access.
: >
: >--
: >Roger Abell
: >Microsoft MVP (Windows Server System: Security)
: >MCSE (W2k3,W2k,Nt4) MCDBA
: ><anonymous@discussions.microsoft.com> wrote in message
: >news:3d8301c42acc$983df9f0$a401280a@phx.gbl...
: >> Instead, in the IIS manager, locate your folder or file.
: >> Right-click, choose
: >> >properties, on the Directory Security or File Security
: >> tab, click to Edit
: >> >authentication mechanisms. Uncheck "Allow Anonymous
: >> Access".
: >>
: >> I tried this and it only keeps out the page access but
: >> when you go to upload via the page it will ask again
: when
: >> you submit the file I guess because the folder is
: located
: >> inside the web. I did however use ssl forced in the
: >> security section of the file in IIS manager
: >>
: >> https://animocracy.com/mysite/File_Upload.htm
: >>
: >> This is the page please go and try to submit a file it
: >> will explain a lot. It all works very nicely however it
: is
: >> scary unless I don't give out the password
: >>
: >>
: >> Now create a new Windows account that you will give out
: to
: >> people for the
: >> >purposes of accessing the page (you don't say what OS
: you
: >> have, so I can't
: >> >give you instructions)
: >>
: >> My OS is Server 2003 Enterprise I would like to
: >> create "generic account" per se' just enough to upload.
: >>
: >> If there is a better way to upload to a folder on my
: >> server I would like to know please.
: >>
: >>
: >> >-----Original Message-----
: >> >I don't think you can do this with FPSE security per
: se.
: >> >
: >> >Instead, in the IIS manager, locate your folder or
: file.
: >> Right-click, choose
: >> >properties, on the Directory Security or File Security
: >> tab, click to Edit
: >> >authentication mechanisms. Uncheck "Allow Anonymous
: >> Access".
: >> >
: >> >Now create a new Windows account that you will give out
: >> to people for the
: >> >purposes of accessing the page (you don't say what OS
: you
: >> have, so I can't
: >> >give you instructions)
: >> >
: >> >Now, locate the file on your hard disk, and configure
: >> appropriate NTFS
: >> >permissions (if required) via Windows Explorer (you
: will
: >> need to give the
: >> >user account Read permissions to the file, plus Write
: >> permissions to
: >> >wherever they are going to save their file).
: >> >
: >> >
: >> >Cheers
: >> >Ken
: >> >
: >> >"Joe" <anonymous@discussions.microsoft.com> wrote in
: >> message
: >> >news:3c4f01c42a81$a6099490$a601280a@phx.gbl...
: >> >: Hello,
: >> >:
: >> >: Need some advice (please) on how to secure an upload
: >> page
: >> >: on my web?
: >> >: As I can see it the page asks for a password as it is
: >> >: which is my admin. account and password. But I want
: this
: >> to
: >> >: be available to others and I cannot of course give
: out
: >> my
: >> >: password.
: >> >: I have however added a user in the FP extensions but
: I
: >> >: feel this is a big a hole in my shell of armor here.
: How
: >> >: can I enable the extensions to allow the upload
: without
: >> >: someone else with FP getting into my web. The browser
: >> is ok
: >> >: Maybe in simpler terms >>How to secure the page and
: >> allow
: >> >: only the upload to say a generic user.
: >> >: Thanks
: >> >: Joe
: >> >:
: >> >:
: >> >
: >> >
: >> >.
: >> >
: >
: >
: >.
: >
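
The thread warns that FPSE may "correct" NTFS permissions on an upload-to folder inside the web, so the folder's ACL is worth re-checking after any FPSE change. The following is an added example, not part of the original thread: a PowerShell function that lists every identity other than the expected ones that holds write-type rights on a folder. The folder path, the `webupload` account name and the function name are assumptions.

```powershell
# Added example. Path, account name and function name are hypothetical.
function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedWriters
    )
    # Specific rights that create, change or re-permission content ...
    $specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # ... plus GENERIC_WRITE and GENERIC_ALL, which inherit-only ACEs can carry as raw bits.
    $writeMask = $specific -bor 0x40000000 -bor 0x10000000

    # .Access returns explicit and inherited ACEs; only Allow entries grant access.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $ExpectedWriters -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Anonymous'; e = { $_.IdentityReference.Value -match '\\(IUSR|IWAM)_' } },
                      FileSystemRights, IsInherited
}

$uploadDir = 'D:\Inetpub\wwwroot\mysite\uploads'       # hypothetical upload-to folder
$expected  = @(
    "$env:COMPUTERNAME\webupload",                     # hypothetical dedicated upload account
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

$found = Get-UnexpectedWriter -Path $uploadDir -ExpectedWriters $expected
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning "Identities outside the expected list can write to $uploadDir"
} else {
    Write-Output "Only the expected identities can write to $uploadDir"
}
```

Rows with `Anonymous` set to True are the IUSR_/IWAM_ accounts mentioned in the thread; any such row means anonymous web requests can write to the folder.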