IIS Security and files upload/create

Hi Everyone.
I created an ASP page that reads info from a DB and creates XML / Text files in the web server folder; the files created can be read by the public.
How can I block any request to create/delete/modify files on the server unless it is by that page?
I am running IIS 5.0.
Is there a way to limit the "Write" option in IIS manager only to that page?
Must I give IIS Guest User access to write to that folder?
Can you please direct me to the right place to find information about it?
Thank you very much
Oren Levy

I am not sure what you are seeing as the risk factor Oren.
If the area is not accessible via FTP, then a remote client will not be able to upload and store there unless you have provided some code in Asp/Asp.Net to handle the upload. A browser only posts/puts data to a receiving page.
--
Roger Abell
Microsoft MVP (Windows Server : Security)

How to block any request to create/delete/modify files on the server unless it is by that page:
Turn off "Write" option in IIS. You don't need it at all. Simply give the user identity which runs the ASP page "NTFS Write permissions" to the folder. The user identity depends on the Authentication protocol you configured in IIS.

FYI: A common misunderstanding - this has nothing to do with the "Write" option in IIS Manager. Using anonymous authentication and allowing anonymous user will allow anyone to be able to write - unless you write code to do custom authorization.

Read the following blog entries for info:
http://blogs.msdn.com/david.wang/archive/2005/08/20/Why-can-I-upload-a-file-without-IIS-Write-Permission.aspx
http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
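
An added example, not part of the thread or of the linked blog posts: a PowerShell sketch of the NTFS side of the advice above. It lists which identities hold write-type rights on the output folder, grants Write to the one identity the ASP page runs as, and reports any other writers. The folder path, account names and the list of expected administrators are placeholders, and it assumes a Windows host where PowerShell is available.

```powershell
# Added example. Folder and account names below are placeholders, not values from the thread.
param(
    [string]$Folder   = 'C:\Inetpub\wwwroot\export',   # hypothetical folder the ASP page writes to
    [string]$Identity = 'WEB01\IUSR_WEB01'             # hypothetical identity that runs the ASP page
)

# Specific rights that allow creating, changing or deleting files.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor
             [int]$fsr::Delete -bor [int]$fsr::DeleteSubdirectoriesAndFiles
# ACEs can also carry generic bits (GENERIC_WRITE, GENERIC_ALL) instead of specific rights.
$genericMask = 0x40000000 -bor 0x10000000

function Get-WriteAce {
    # Return the Allow entries of an ACL that include any write-type right.
    param($Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ($writeMask -bor $genericMask)) -ne 0
    }
}

Write-Host "Write-capable entries on $Folder before the change:"
Get-WriteAce (Get-Acl -Path $Folder) |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Grant NTFS Write on the folder and its children to the page's identity only.
# The IIS "Write" checkbox stays off; this ACL is what the file system enforces.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Anything else that can write here deserves a look (expected admins are an assumption).
$expected   = @($Identity, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$unexpected = Get-WriteAce (Get-Acl -Path $Folder) |
    Where-Object { $expected -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    Write-Warning "Other identities can write to ${Folder}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Host "Only the expected identities can write to $Folder."
}
```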