Re: remove user exe execute permission
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Fri, 7 Nov 2003 23:42:32 -0800
I think you have an impossible proposition.
The only way I can think of to prevent a user from executing commands is to
disallow them from ever calling CreateProcess*. However, the user also
needs to be able to call CreateProcess* to successfully run CGI Scripts on
You can't do both because you can't distinguish IIS executing a CGI and the
user executing their own commands using IIS -- they look exactly the same.
The other approach would be to limit the privileges held by the
authenticated user, but that completely depends on the AccessCheck()
implemented by the Win32 API to disallow certain behaviors by privileges.
Playing devil's advocate, you probably can have requirements that do not
match implementation, so it won't be totally useful.
This is why I think allowing Execute permissions on a directory whose
content can be changed by the user is dangerous on any OS.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Chris P." <email@example.com> wrote in message
news:firstname.lastname@example.org...

For sure I want my customers to run CGI scripts, but I want to prevent
them from downloading or running system commands like cmd.exe, net.exe,
nbtstat, net share, net user and others.

NTFS is not enough because they can download these files anytime under
their web root folder, eventually rename and run them.

Is there any way to secure my virtual servers?

Thank you,
Chris P.
MCSE,CCNA

>-----Original Message-----
>Not sure what you're trying to accomplish - let's re-iterate:
>
>You have .exe etc. files on your Web server:
>
>* You don't want anonymous internet user (IUSR_...) to run the files on the
>server as CGI scripts? Then don't create (or delete) CGI mappings; use NTFS
>permissions; or
>
>* You want to deny downloads of .exe files? Use NTFS permissions then; or
>
>* Something else?
>
>--
>Svyatoslav Pidgorny, MVP, MCSE
>-= F1 is the key =-
>
>"Chris P" <chris@nospam> wrote in message
>news:email@example.com...
>> Hi,
>>
>> I need to remove from IUSR (IIS users) the option to be
>> able to run any file with the following
>> extensions: .exe, .com, .cmd, .bat.
>>
>> The NTFS permissions are not useful because they have
>> full control under their IIS web folder over their files.
>>
>> Is there any way to prevent them from being able to download
>> an exe file and run it from the local web folder under .NET by
>> calling W32_execute_cmd and WMI_execute_cmd?
>>
>> Thank you,
>>
>> Chris