Re: IIS Lockdown and WSH and Distributed Assembly excecute permission denied
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 01/29/05
- Next message: David Wang [Msft]: "Re: Getting digital signature from SSL handshake"
- Previous message: David Wang [Msft]: "Re: IIsLockdown|AddsWebAnonUserAcct|Can'tLogin->HELP!"
- In reply to: Tim Frawley: "IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Next in thread: WenJun Zhang[msft]: "Re: IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Reply: WenJun Zhang[msft]: "Re: IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jan 2005 01:23:51 -0800
IIS Lockdown by default will install URLScan, which denies all requests
contain ".exe" with 404. It is not possible to configure it to disallow all
.exe except foo.exe and bar.exe. Read documentation for IIS Lockdown and
URLScan for configuration options.
http://www.microsoft.com/technet/security/tools/urlscan.mspx
> Also I have an issue with wsh scripts that we execute on request
> that is related to the IIS Lockdown tool not allowing access to
> this system utility
I do not think IIS Lockdown has any direct effect on your WSH scripts. There
are two ways that these scripts can be invoked:
1. Directly via the URL. This requires a ScriptMap entry in IIS telling it
what executable to execute to handle URL with the given extension. IIS
Lockdown won't remove/disable such ScriptMap entries, so it cannot affect
WSH scripts.
2. Indirectly via something ELSE lauched via the URL (i.e. an EXE makes a
call to the WSH scripts and you make a request to the .EXE). In this case,
IIS has no effect on code launched by something ELSE, like WSH scripts.
However, IIS Lockdown can prevent the "something ELSE" from being directly
launched
-- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Tim Frawley" <tim_frawley@fishgame.state.ak.us> wrote in message news:1106951458.059405.278360@f14g2000cwb.googlegroups.com... We are running applications via distributed assemblies on our intranet site. This requires a stub executable to load the assembly. After running the IIS Lockdown tool 2.1 on IIS 5.0, Win2k server (SP4 with all the latest updates and patches from MS) the executables will no longer run. We get a 404 error. I have attempted to review the options in IIS lockdown but cannot find any setting that will deny access to system utilities like tftp.exe and cmd.exe yet allow our stub executable to run. Also I have an issue with wsh scripts that we execute on request that is related to the IIS Lockdown tool not allowing access to this system utility. What do I need to do before or after running the IIS Lockdown tool that will allow our wsh scripts and selected executables to still run?
- Next message: David Wang [Msft]: "Re: Getting digital signature from SSL handshake"
- Previous message: David Wang [Msft]: "Re: IIsLockdown|AddsWebAnonUserAcct|Can'tLogin->HELP!"
- In reply to: Tim Frawley: "IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Next in thread: WenJun Zhang[msft]: "Re: IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Reply: WenJun Zhang[msft]: "Re: IIS Lockdown and WSH and Distributed Assembly excecute permission denied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
