IIS Security and files upload/create
on 02.12.2006 01:08:01 by OrenLevy
Hi Everyone.
I created an ASP page that reads info from a DB and creates XML / Text files
on the web server folder; the files created can be read by the public.
How can I block any request to create/delete/modify files on the server
unless it is by that page?
I am running IIS 5.0.
Is there a way to limit the "Write" option in IIS Manager only to that page?
Must I give the IIS Guest User access to write to that folder?
Can you please direct me to the right place to find information about it?
Thank you very much
Oren Levy
Re: IIS Security and files upload/create
on 04.12.2006 18:52:38 by Roger Abell
I am not sure what you are seeing as the risk factor, Oren.
If the area is not accessible via FTP, then a remote client will
not be able to upload and store there unless you have provided
some code in ASP/ASP.NET to handle the upload. A browser
only posts/puts data to a receiving page.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Oren Levy" wrote in message
news:682B27C6-4BB9-47D6-A234-A67BD05BD9C6@microsoft.com...
> Hi Everyone.
> I created an ASP page that reads info from a DB and creates XML / Text files
> on the web server folder; the files created can be read by the public.
> How can I block any request to create/delete/modify files on the server
> unless it is by that page?
> I am running IIS 5.0.
> Is there a way to limit the "Write" option in IIS Manager only to that
> page?
> Must I give the IIS Guest User access to write to that folder?
> Can you please direct me to the right place to find information about it?
> Thank you very much
> Oren Levy
>
Re: IIS Security and files upload/create
on 05.12.2006 11:16:40 by David Wang
How to block any request to create/delete/modify files on the server
unless it is by that page:
Turn off "Write" option in IIS. You don't need it at all.
Simply give the user identity which runs the ASP page "NTFS Write
permissions" to the folder. The user identity depends on the
Authentication protocol you configured in IIS. FYI: A common
misunderstanding - this has nothing to do with the "Write" option in
IIS Manager.
Using anonymous authentication and allowing anonymous user will allow
anyone to be able to write - unless you write code to do custom
authorization.
Read the following blog entries for info:
http://blogs.msdn.com/david.wang/archive/2005/08/20/Why-can-I-upload-a-file-without-IIS-Write-Permission.aspx
http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Roger Abell [MVP] wrote:
> I am not sure what you are seeing as the risk factor, Oren.
> If the area is not accessible via FTP, then a remote client will
> not be able to upload and store there unless you have provided
> some code in ASP/ASP.NET to handle the upload. A browser
> only posts/puts data to a receiving page.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> "Oren Levy" wrote in message
> news:682B27C6-4BB9-47D6-A234-A67BD05BD9C6@microsoft.com...
> > Hi Everyone.
> > I created an ASP page that reads info from a DB and creates XML / Text files
> > on the web server folder; the files created can be read by the public.
> > How can I block any request to create/delete/modify files on the server
> > unless it is by that page?
> > I am running IIS 5.0.
> > Is there a way to limit the "Write" option in IIS Manager only to that
> > page?
> > Must I give the IIS Guest User access to write to that folder?
> > Can you please direct me to the right place to find information about it?
> > Thank you very much
> > Oren Levy
> >
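
The custom authorization mentioned in David Wang's reply, sketched as an added example that is not part of the original thread. It assumes anonymous access is disabled for this one page in IIS, so the code runs as the authenticated caller and that account is the one holding NTFS Write on the folder. The account `EXAMPLE\ExportOperator`, the virtual folder `/export` and the file name `catalog.xml` are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example, not code from the thread. All three values are assumptions.
Const ALLOWED_USER = "EXAMPLE\ExportOperator"  ' hypothetical account with NTFS Write
Const OUTPUT_DIR   = "/export"                 ' hypothetical virtual folder
Const OUTPUT_FILE  = "catalog.xml"             ' fixed name, never read from the request

Dim caller
' LOGON_USER is empty when IIS served the request anonymously.
caller = Request.ServerVariables("LOGON_USER")

' Fail closed: anonymous callers and any account other than the operator
' are refused before the file system is touched.
If caller = "" Or StrComp(caller, ALLOWED_USER, vbTextCompare) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' Only an explicit POST regenerates the file; a followed link (GET) does not.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

Dim fso, target, ts
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' The target path is built only from the constants above, so nothing in
' the request can redirect the write to another file or folder.
target = Server.MapPath(OUTPUT_DIR & "/" & OUTPUT_FILE)

Set ts = fso.CreateTextFile(target, True)      ' True = overwrite existing file
ts.WriteLine "<?xml version=""1.0""?>"
ts.WriteLine "<catalog><item id=""1"">constructed sample row</item></catalog>"
ts.Close

Set ts = Nothing
Set fso = Nothing
Response.Write "Wrote " & Server.HTMLEncode(OUTPUT_FILE)
%>
```

The IIS "Write" option stays off in this setup, and the anonymous account needs only NTFS Read on the folder so the public can still fetch the generated files.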