Setting Anonymous "Write and Execute" Permission to a folder

on 16.01.2008 16:31:47 by jeff_j_dunlap

Dear IIS Users:

I have an application accessible by anyone on the internet ('Anonymous
access') and the application's directory has 'Write' and 'Execute'
permissions set.

Am I vulnerable to having someone be able to upload a malicious file
and cause harm even though neither FTP nor WebDAV is enabled on that
folder?

I assume that the only avenue for attack in this scenario would be by
using buffer overflows posted to my exe. Is this correct or not?

And if so, if I set a max buffer size for both GET and POST
operations and stripped out everything except alphanumeric and
special URL characters, would I still be vulnerable?

Please advise.

Jeff

Re: Setting Anonymous "Write and Execute" Permission to a folder

on 17.01.2008 07:28:03 by Ken Schaefer

Hi,

Are you talking about setting NTFS permissions? Or setting the permissions
in IIS Manager?

Confusingly, both of these permissions, Write and Execute, refer to permissions
that can be set both in NTFS ACLs and in IIS Manager.

Cheers
Ken

wrote in message
news:8053029e-e070-45bb-81c0-1bfb83356aef@j20g2000hsi.googlegroups.com...
> Dear IIS Users:
>
> I have an application accessible by anyone on the internet ('Anonymous
> access') and the application's directory has 'Write' and 'Execute'
> permissions set.
>
> Am I vulnerable to having someone be able to upload a malicious file
> and cause harm even though neither FTP nor WebDAV is enabled on that
> folder?
>
> I assume that the only avenue for attack in this scenario would be by
> using buffer overflows posted to my exe. Is this correct or not?
>
> And if so, if I set a max buffer size for both GET and POST
> operations and stripped out everything except alphanumeric and
> special URL characters, would I still be vulnerable?
>
> Please advise.
>
> Jeff

Re: Setting Anonymous "Write and Execute" Permission to a folder

on 17.01.2008 18:40:02 by JeffDunlap

Hi Ken,

> Are you talking about setting NTFS permissions? Or setting the permissions
> in IIS Manager?
>
> Confusingly, both these permissions Write and Execute, refer to permissions
> that can be set in both NTFS ACLs, and also in IIS Manager.

I'm talking about both permissions.
- IIS permissions set to 'Scripts and Executables' and 'Write'
- NTFS permissions for IUSR_xxxx (Internet Guest Account) set to 'Write'

This configuration allows an executable in a specific directory to run as
well as write to data files (such as txt files) in that directory.

Taking away the NTFS write permission for IUSR_xxxx will allow the
executable to run but it will no longer be able to write to data files in
that directory.

David provided me with a lot of good advice, and in fact, I have discovered
that in IIS, I do not have to have 'Write' access enabled after all!

I can simply enable IIS 'Scripts and Executables' (with no IIS read / IIS
write access), then in NTFS enable the IUSR_xxx to have write access. This
configuration allows an anonymous user to run my executable which can read
and write to data files as well as report data contained in those data files.
I originally thought that I had to have IIS 'Write' and 'Scripts and
Executables' but now I see that IIS 'Write' was not required at all!

Please let me know if it is safe to run in this latest configuration now
that IIS 'Write' is no longer enabled.

Best Regards,

Jeff
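The configuration described in the post above has two halves that live in different places: the IIS 'Scripts and Executables' setting in IIS Manager, and the NTFS Write grant for the anonymous account on the folder. The following PowerShell script is an added example, not code from the thread or from any of its posters; it audits the NTFS half for one folder and reports whether it overlaps with IIS execute. The folder path, the account name (IUSR_HOSTNAME stands in for the thread's IUSR_xxxx; IIS 7 and later use a plain IUSR account) and the `-IisScriptsAndExecutables` switch are placeholders and assumptions: the IIS-side setting is passed in by the operator because it is stored in IIS configuration, not in the file system ACL.

```powershell
<#
 Added example, not the thread's own code. Audits one web-application folder
 for the pattern the thread discusses: the anonymous IIS account holding NTFS
 write rights on a folder that IIS is also allowed to run executables from.
 Placeholders / assumptions:
   $Folder                     - the application's physical directory
   $Accounts                   - the anonymous account (IUSR_<machine> on IIS 6,
                                 IUSR on IIS 7+) plus Everyone, since an
                                 Everyone grant applies to the anonymous user too
   -IisScriptsAndExecutables   - set when IIS Manager grants 'Scripts and
                                 Executables' on this folder; that setting is
                                 not readable from the ACL, so it is an input
#>
param(
    [string]$Folder = 'C:\inetpub\wwwroot\app',          # placeholder path
    [string[]]$Accounts = @('IUSR_HOSTNAME', 'Everyone'), # placeholder names
    [switch]$IisScriptsAndExecutables
)

# Any one of these rights lets the principal create or alter files in the folder.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$rights::CreateFiles -bor [int]$rights::AppendData -bor
             [int]$rights::Write -bor [int]$rights::Modify -bor [int]$rights::FullControl

$acl        = Get-Acl -LiteralPath $Folder
$allowWrite = @()
$denyWrite  = @()
foreach ($ace in $acl.Access) {
    # Compare on the trailing account name so 'MACHINE\IUSR_x' and 'IUSR_x' both match.
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($Accounts -notcontains $name) { continue }
    # FileSystemRights is an int-backed enum; the cast also copes with generic-right bits.
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    if ($ace.AccessControlType -eq 'Allow') { $allowWrite += $ace } else { $denyWrite += $ace }
}

# A Deny ACE wins over any Allow for the same principal, so report denies first.
if ($denyWrite.Count -gt 0) {
    "Write is DENIED on $Folder for:"
    $denyWrite | ForEach-Object { "  $($_.IdentityReference): $($_.FileSystemRights) (inherited: $($_.IsInherited))" }
}
elseif ($allowWrite.Count -gt 0) {
    "Anonymous-reachable principals can write to $Folder via:"
    $allowWrite | ForEach-Object { "  $($_.IdentityReference): $($_.FileSystemRights) (inherited: $($_.IsInherited))" }
    if ($IisScriptsAndExecutables) {
        "REVIEW: NTFS write and IIS 'Scripts and Executables' overlap on $Folder."
        "Files the application writes here are created under the anonymous account in a"
        "folder IIS will execute from. Keeping the data files in a separate folder with no"
        "IIS script or execute permission removes the overlap without taking away the write."
    }
}
else {
    "None of $($Accounts -join ', ') holds write rights on $Folder."
}
```

Run it against the application folder with `-IisScriptsAndExecutables` when IIS Manager shows that setting for the same directory. The script matches ACEs only for the named principals; a write grant inherited through some other group the anonymous account belongs to is not expanded, so treat a clean result as "no direct grant" rather than proof that the account cannot write.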

Re: Setting Anonymous "Write and Execute" Permission to a folder

on 17.01.2008 20:56:57 by David Wang

On Jan 17, 9:40 am, Jeff Dunlap
wrote:
> Hi Ken,
>
> > Are you talking about setting NTFS permissions? Or setting the permissions
> > in IIS Manager?
>
> > Confusingly, both these permissions Write and Execute, refer to permissions
> > that can be set in both NTFS ACLs, and also in IIS Manager.
>
> I'm talking about both permissions.
>   - IIS permissions set to 'Scripts and Executables' and 'Write'
>   - NTFS permissions for IUSR_xxxx (Internet Guest Account) set to 'Write'
>
> This configuration allows an executable in a specific directory to run as
> well as write to data files (such as txt files) in that directory.
>
> Taking away the NTFS write permission for IUSR_xxxx will allow the
> executable to run but it will no longer be able to write to data files in
> that directory.
>
> David provided me with a lot of good advice, and in fact, I have discovered
> that in IIS, I do not have to have 'Write' access enabled after all!
>
> I can simply enable IIS 'Scripts and Executables' (with no IIS read / IIS
> write access), then in NTFS enable the IUSR_xxx to have write access. This
> configuration allows an anonymous user to run my executable which can read
> and write to data files as well as report data contained in those data files.
> I originally thought that I had to have IIS 'Write' and 'Scripts and
> Executables' but now I see that IIS 'Write' was not required at all!
>
> Please let me know if it is safe to run in this latest configuration now
> that IIS 'Write' is no longer enabled.
>
> Best Regards,
>
> Jeff


Yes, I was going to point you in the same direction that you just
took. It is more secure.

Here is an explanation for your confusion:
http://blogs.msdn.com/david.wang/archive/2005/08/20/Why-can-I-upload-a-file-without-IIS-Write-Permission.aspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//