Re: remove user exe execute permission

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/08/03


Date: Fri, 7 Nov 2003 23:42:32 -0800

I think you have an impossible proposition.

The only way I can think of to prevent a user from executing commands is to
disallow them from ever calling CreateProcess*. However, the user also
needs to be able to call CreateProcess* to successfully run CGI Scripts on
the server.

You can't do both because you can't distinguish IIS executing a CGI and the
user executing their own commands using IIS -- they look exactly the same.

The other approach would be to limit the privileges held by the
authenticated user, but that completely depends on the AccessCheck()
implemented by the Win32 API to disallow certain behaviors by privileges.
Playing devil's advocate, you probably can have requirements that do not
match implementation, so it won't be totally useful.

This is why I think allowing Execute permissions on a directory whose
content can be changed by the user is dangerous on any OS.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Chris P." <anonymous@discussions.microsoft.com> wrote in message
news:02de01c3a570$606e2fe0$a401280a@phx.gbl...
For sure I want my customers to run CGI scripts, but
I want to prevent them from downloading or running system
commands like cmd.exe, net.exe, nbtstat, net share, net user
and others.
NTFS is not enough because they can download these files
anytime under their web root folder, eventually rename and
run them.
Is there any way to secure my virtual servers?
Thank you,
Chris P.
MCSE,CCNA
>-----Original Message-----
>Not sure what you're trying to accomplish - let's re-iterate:
>
>You have .exe etc. files on your Web server:
>
>* You don't want anonymous internet user (IUSR_...) to run the files on the
>server as CGI scripts? Then don't create (or delete) CGI mappings; use NTFS
>permissions; or
>
>* You want deny downloads of .exe files? Use NTFS permissions then; or
>
>* Something else?
>
>-- 
>Svyatoslav Pidgorny, MVP, MCSE
>-= F1 is the key =-
>
>"Chris P" <chris@nospam> wrote in message
>news:008a01c3a49b$cfa85eb0$a601280a@phx.gbl...
>> Hi,
>>
>> I need to remove from IUSR (IIS users) the option to be
>> able to run any file with the following
>> extension .exe,.com,.cmd, .bat.
>>
>> The NTFS permissions are not useful because they have
>> full control under their IIS web folder to their files.
>>
>> Is there any way to prevent them from being able to download
>> an exe file and run it from the local web folder under .NET by
>> calling W32_execute_cmd and WMI_execute_cmd?
>>
>> Thank you,
>>
>> Chris
>>
>
>
>.
>
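
An added example, not part of the original thread: David's closing point, that execute-enabled directories whose content the user can change are dangerous on any OS, turned into an audit. It is a POSIX sketch using classic mode bits only (ACLs, the sticky bit and root override are ignored), and it assumes you supply `exec_dirs`, the directories your web server is configured to execute from; `audit`, `changeable_paths` and the sample paths are hypothetical names.

```python
import os
import stat
import tempfile

def _may(st, uid, gids, bits):
    """Classic POSIX owner/group/other check for the requested rwx bits."""
    if st.st_uid == uid:
        cls = st.st_mode >> 6
    elif st.st_gid in gids:
        cls = st.st_mode >> 3
    else:
        cls = st.st_mode
    return ((cls & 7) & bits) == bits

def changeable_paths(exec_dir, uid, gids):
    """Paths under exec_dir whose content the given identity can change."""
    hits = []
    for root, _dirs, files in os.walk(exec_dir):
        # write + search on a directory allows adding, renaming, replacing entries
        if _may(os.lstat(root), uid, gids, 0o3):
            hits.append(root)
        for name in files:
            path = os.path.join(root, name)
            fst = os.lstat(path)
            # an existing regular file the tenant can overwrite in place
            if stat.S_ISREG(fst.st_mode) and _may(fst, uid, gids, 0o2):
                hits.append(path)
    return sorted(hits)

def audit(exec_dirs, uid, gids=()):
    """Map each execute-enabled directory to the paths the tenant can change."""
    report = {}
    for d in exec_dirs:
        hits = changeable_paths(d, uid, set(gids))
        if hits:
            report[d] = hits
    return report

if __name__ == "__main__":
    # Constructed sample tree: one execute-enabled directory, world-writable.
    with tempfile.TemporaryDirectory() as top:
        cgi = os.path.join(top, "cgi-bin")
        os.mkdir(cgi)
        os.chmod(cgi, 0o777)
        tenant_uid = os.getuid() + 1  # constructed stand-in for the tenant account
        for d, paths in audit([cgi], tenant_uid).items():
            print("execute-enabled and tenant-changeable:", d, paths)
```

An empty report means no execute-enabled directory in the list is changeable by that identity under the mode-bit model.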

