Pantek Library

RE: write permissions for IIS

From: busu <busu(at)tpg.com.au>
Date: Wed Mar 19 2003 - 04:17:41 EST


Hi,

I am looking to configure ISA Server in a reverse proxy configuration. Any pointers for the configuration file? Also, any specific lockdown of the OS and IIS on the ISA server? Thank you.
cb




-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Thursday, 18 July 2002 4:40 AM
To: Matej Pfajfar; focus-ms@securityfocus.com
Subject: Re: write permissions for IIS


At 05:02 AM 7/17/2002, Matej Pfajfar wrote:

>Hi,
>
>A web application that my company is developing needs to create MS Word
>documents on the fly. It seems that these need to be saved onto disk
>before being shoved down the pipe to the browser, which requires IIS to be
>given write permissions to a directory that is readable from the web.
>
>I know this isn't quite right for security but it seems that there isn't a
>choice - are there any extra precautions we could take? Have other people
>found this problem as well?

Depending on the web application configuration pooling, you could set up a
COM+ component in Component Services to run under the context of a specific
user - this user/process could be given write-only access to the doc
directory but not read or execute. The IUSR account could then be given
read-only access (specifically denying write and execute) to it to mitigate
possible permission abuse. I think it would take some tweaking, but it is
doable.

Do you need help?

AD

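The permission split described in the reply above, sketched in PowerShell as an added example that is not part of the original messages. The directory path, the COM+ identity name and the exact anonymous account name are assumptions to replace with your own values.

```powershell
# Added example: directory ACL with a write-only generator identity and a
# read-only anonymous web identity. All three values below are assumptions.
$DocDir        = 'D:\wwwroot\app\docs'   # hypothetical web-readable document directory
$WriterAccount = 'WEB01\svc-docwriter'   # hypothetical identity of the COM+ application
$AnonAccount   = 'IUSR'                  # anonymous account; IUSR_<computername> on older IIS

# Build an ACE that applies to the directory and to everything created below it.
function New-Rule([string]$Identity, [string]$Rights, [string]$Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type
}

$acl = Get-Acl -Path $DocDir

# Stop inheriting from the web root and drop the inherited entries, then clear
# any explicit entries so the ACL contains only what is listed below.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# Keep the directory manageable by administrators and the OS.
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))

# Generator identity: write only. No read or execute is granted, so it cannot
# read back or run anything that lands in the directory.
$acl.AddAccessRule((New-Rule $WriterAccount 'Write' 'Allow'))

# Anonymous web identity: read only, with write and execute explicitly denied
# so a later group-based grant cannot widen it (deny entries are evaluated first).
$acl.AddAccessRule((New-Rule $AnonAccount 'Read' 'Allow'))
$acl.AddAccessRule((New-Rule $AnonAccount 'Write, ExecuteFile' 'Deny'))

Set-Acl -Path $DocDir -AclObject $acl

# Review the result: expect exactly the five entries added above.
(Get-Acl -Path $DocDir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Files the generator identity creates are owned by it, and a file's owner can always rewrite that file's DACL, so also check the execute permission configured for the directory in IIS itself.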



Received on Wed Mar 19 16:33:07 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:28 EDT

