IIS Server Security - Updating Access DB's by anonymous users

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > April 2004 > Updating Access DB's by anonymous users





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Updating Access DB's by anonymous users
Dan

2004-04-20, 12:36 pm

Is there a way to allow anonymous users to fill out a web-based form on a publicly accessible ASP page which writes to an Access database without enabling "write" access to the IUSR account?
Ken Schaefer

2004-04-21, 12:34 am

Not directly.

You could have ASP invoke a COM object that sits in COM+ that runs another
identity, but that identity needs "Write" permissions to the Access.mdb
file.

Best solution:
a) put Access.mdb file outside the webroot. There's no real requirement that
the .mdb file be inside the webroot.

Alternate Solution:
a) give IUSR (or whatever) appropriate NTFS rights to the folder. Do not
place anything else into the folder except databases. In IIS Manager remove
"Read" and "Script Only" permissions from that folder. This will stop HTTP
requests from being served from that folder. Write should be unchecked by
default, so HTTP write type requests will also be denied.

Cheers
Ken

"Dan" <anonymous@discussions.microsoft.com> wrote in message
news:8CF3A22F-3AF6-4BAA-A377-896D6C471908@microsoft.com...
: Is there a way to allow anonymous users to fill out a web-based form on a
publicly accessible ASP page which writes to an Access database without
enabling "write" access to the IUSR account?


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com