IIS Server Security - Secure an upload page

Joe

2004-04-25, 1:33 am

Hello,

Need some advice (please) on how to secure an upload page
on my web?
As I can see it, the page asks for a password as it is,
which is my admin account and password. But I want this to
be available to others and I cannot of course give out my
password.
I have however added a user in the FP extensions, but I
feel this is a big hole in my shell of armor here. How
can I enable the extensions to allow the upload without
someone else with FP getting into my web? The browser is OK.
Maybe in simpler terms >> How to secure the page and allow
only the upload to, say, a generic user.
Thanks
Joe


Ken Schaefer

2004-04-25, 1:34 am

I don't think you can do this with FPSE security per se.

Instead, in the IIS manager, locate your folder or file. Right-click, choose
properties, on the Directory Security or File Security tab, click to Edit
authentication mechanisms. Uncheck "Allow Anonymous Access".

Now create a new Windows account that you will give out to people for the
purposes of accessing the page (you don't say what OS you have, so I can't
give you instructions)

Now, locate the file on your hard disk, and configure appropriate NTFS
permissions (if required) via Windows Explorer (you will need to give the
user account Read permissions to the file, plus Write permissions to
wherever they are going to save their file).


Cheers
Ken


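Ken's three steps (no anonymous access, a dedicated account, NTFS Read on the page and Write on the target folder) as a script, added here as an example and not part of the original thread. It assumes a current Windows Server with PowerShell 5.1: New-LocalUser does not exist on the Server 2003 Joe turns out to be running, where the same account is made with "net user" and the same ACEs with cacls/xcacls. The account name and the two paths are made-up assumptions; run it elevated.

```powershell
# Added example, not from the original thread: Ken's three steps (no anonymous
# access, a dedicated account, NTFS Read on the page and Write on the target
# folder) as a script. Assumes a current Windows Server with PowerShell 5.1;
# New-LocalUser does not exist on Server 2003, where the same account is made
# with "net user" and the same ACEs with cacls/xcacls. The account name and the
# two paths are made-up assumptions. Run elevated.

$UploadUser = 'UploadOnly'
$UploadPage = 'C:\Inetpub\wwwroot\mysite\File_Upload.htm'
$DropFolder = 'C:\Inetpub\uploads'    # not under wwwroot, so nothing saved here is ever a web page

# 1. A local account whose only job is to answer the IIS logon prompt. It is
#    what gets handed to uploaders instead of the admin credentials, and it
#    joins no group beyond the default Users.
if (-not (Get-LocalUser -Name $UploadUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $UploadUser"
    New-LocalUser -Name $UploadUser -Password $password -UserMayNotChangePassword `
        -Description 'Upload-only account handed out to contributors' | Out-Null
}

function Add-FileSystemRule {
    # Appends one Allow ACE to $Path. $Rights is a FileSystemRights list such
    # as 'Read' or 'CreateFiles, Synchronize'; $Inherit is 'None' for just this
    # object or 'ContainerInherit, ObjectInherit' for a folder and its contents.
    param([string]$Path, [string]$Identity, [string]$Rights, [string]$Inherit = 'None')
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 2. Read on the page itself, so the account can fetch it once anonymous
#    access has been unchecked in IIS. No other file in the web is touched.
Add-FileSystemRule -Path $UploadPage -Identity $UploadUser -Rights 'Read'

# 3. The drop folder as a one-way box: the account may create files in it and
#    nothing more. Inheritance is cut so no "Users: Read & Execute" ACE from the
#    parent leaks in; without Read, List or Execute an uploader cannot list the
#    folder, read or overwrite existing files, or execute anything in it.
New-Item -ItemType Directory -Path $DropFolder -Force | Out-Null
$acl = Get-Acl -LiteralPath $DropFolder
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
Set-Acl -LiteralPath $DropFolder -AclObject $acl
Add-FileSystemRule -Path $DropFolder -Identity 'NT AUTHORITY\SYSTEM' -Rights 'FullControl' -Inherit 'ContainerInherit, ObjectInherit'
Add-FileSystemRule -Path $DropFolder -Identity 'BUILTIN\Administrators' -Rights 'FullControl' -Inherit 'ContainerInherit, ObjectInherit'
Add-FileSystemRule -Path $DropFolder -Identity $UploadUser -Rights 'CreateFiles, WriteAttributes, Synchronize'
# If the upload component reopens the file after creating it, it also needs an
# ObjectInherit 'WriteData, AppendData' ACE scoped to files; add that only if
# uploads start failing after the create.

# Verify rather than assume: the uploader must appear on the folder exactly once,
# with write-type rights only and no Read.
(Get-Acl -LiteralPath $DropFolder).Access |
    Where-Object { $_.IdentityReference -like "*\$UploadUser" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

The point of the last three lines is the check Ken implies but the GUI does not show: the "Write" checkbox in Explorer's simple view silently includes more than CreateFiles, so look at the actual ACE before handing the account out.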

Karl Levinson [x y] mvp

2004-04-25, 9:33 am

Note that any authentication you do can probably be sniffed unless you use
an SSL certificate and check the boxes to require HTTPS for any pages where
you have changed permissions. This may not be a big issue for you if you
only do uploads on your local network and/or the web server is not all that
critical for you.

The most secure way to do downloads might be to use NTFS file permissions,
local Windows accounts, HTTPS and use WebDAV for the file transfer. That
might be a little too complex depending on your needs:

www.iisfaq.com/ssl
www.webdav.org

Or, you could use SSH / SCP / PuTTY, which is probably easier, especially if
you know or can contact everyone who will be posting:

www.openssh.org/windows.html
www.networksimplicity.com





2004-04-25, 10:34 am

> Instead, in the IIS manager, locate your folder or file. Right-click, choose
> properties, on the Directory Security or File Security tab, click to Edit
> authentication mechanisms. Uncheck "Allow Anonymous Access".

I tried this and it only keeps out the page access, but
when you go to upload via the page it will ask again when
you submit the file, I guess because the folder is located
inside the web. I did however use SSL forced in the
security section of the file in IIS manager.

https://animocracy.com/mysite/File_Upload.htm

This is the page; please go and try to submit a file, it
will explain a lot. It all works very nicely, however it is
scary unless I don't give out the password.

> Now create a new Windows account that you will give out to people for the
> purposes of accessing the page (you don't say what OS you have, so I can't
> give you instructions)

My OS is Server 2003 Enterprise. I would like to
create a "generic account" per se, just enough to upload.

If there is a better way to upload to a folder on my
server I would like to know please.


Joe

2004-04-25, 10:34 am

Karl, thanks for your reply,

> The most secure way to do downloads might be to use NTFS
> file permissions, local Windows accounts, HTTPS and use WebDAV for the file
> transfer. That might be a little too complex depending on your needs:

I use VPN for downloads or link to them in a generic
webpage and I only give this out under certain file
permissions-conditions. However you still cannot get to
anything I don't want you to via VPN. But if you have FP
and know the name of my site and the password to upload
the files you can also open up FP and enter the entire web!
Pretty scary.
So I don't know how to secure this page. If the upload page
is in a web it won't matter where the destination folder is,
because the other side of this is the hole.
I am using https
https://animocracy.com/mysite/File_Upload.htm
Thanks
Joe

Roger Abell

2004-04-26, 10:34 am

You sound to be partly there. There are two ways
to continue now:
1.
Define an account that is not granted permissions
in the FPSE config for the web, but that is granted
permissions at NTFS level for the upload-to folder.
Then, when they get that prompt after starting the
upload, this is the account that needs to be given.
2.
Grant the account browse on the web in the FPSE,
and either make your upload page a FPSE subweb
that does not allow anonymous access, or tweak the
NTFS permissions on the upload page so that the
IUSR_/IWAM_ accounts used by the web do not
have permissions. Alter the NTFS permission on
the upload-to folder as in 1.

You would be best off using an upload control or
Asp.Net for the upload so that you can exercise
control over the size and kinds of things uploaded.

If the upload-to folder is within the web, be very
very careful about FPSE "correcting" permissions
for you, and never ask it to repair the web. It will
have an inclination to let all accounts upload unless
you have isolated the upload capability in a separate
FPSE web that is not allowing anonymous access.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

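Roger's point is that the upload component, not the browser, has to control the size and kind of what arrives. FrontPage's form gives no such control, so here is an added example (not from the thread, and not an ASP.NET control) that applies the same checks as a quarantine pass over the folder IIS writes into, before anything is kept: a size cap, an allow-list of types identified by their leading bytes rather than by extension, and a server-chosen name for every file that passes. Folder names, the size cap and the accepted types are made-up assumptions.

```powershell
# Added example, not from the original thread. Roger's point is that the upload
# component, not the browser, must control the size and kind of what arrives.
# FrontPage's form offers no such control, so this script applies the same checks
# as a quarantine pass over the folder IIS writes into, before anything is kept.
# Folder names, the size cap and the accepted types are made-up assumptions.

$Quarantine = 'C:\Inetpub\uploads'         # write-only drop folder IIS fills
$Accepted   = 'D:\UploadStore\accepted'    # outside any web root
$MaxBytes   = 10MB

# Accepted types, identified by their leading bytes. The extension alone is
# never trusted: a file called report.pdf that starts with "<%" is not a PDF.
$Signatures = @{
    '.pdf' = [byte[]](0x25, 0x50, 0x44, 0x46)                          # %PDF
    '.png' = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    '.jpg' = [byte[]](0xFF, 0xD8, 0xFF)
    '.zip' = [byte[]](0x50, 0x4B, 0x03, 0x04)                          # PK..
}

function Test-UploadedFile {
    # Returns 'ok' or a one-line reason for rejection.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    if ($File.Length -eq 0)         { return 'rejected: empty file' }
    if ($File.Length -gt $MaxBytes) { return "rejected: $($File.Length) bytes exceeds $MaxBytes" }

    # Only the final extension counts, so "page.pdf.asp" is judged as .asp.
    $ext = $File.Extension.ToLowerInvariant()
    if (-not $Signatures.ContainsKey($ext)) { return "rejected: type '$ext' not accepted" }

    $expected = $Signatures[$ext]
    $head     = New-Object byte[] $expected.Length
    $stream   = [System.IO.File]::OpenRead($File.FullName)
    try     { $read = $stream.Read($head, 0, $head.Length) }
    finally { $stream.Dispose() }

    if ($read -lt $expected.Length) { return 'rejected: file shorter than its type header' }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($head[$i] -ne $expected[$i]) { return "rejected: content does not match $ext" }
    }
    return 'ok'
}

function Invoke-UploadQuarantine {
    # Accepts or rejects every file in the drop folder. Kept files get a
    # server-chosen name, so nothing the uploader typed reaches the store's
    # file system (no path fragments, no double extensions, no odd characters).
    New-Item -ItemType Directory -Path $Accepted -Force | Out-Null
    foreach ($file in Get-ChildItem -Path $Quarantine -File) {
        $verdict = Test-UploadedFile -File $file
        if ($verdict -eq 'ok') {
            $stored = Join-Path $Accepted ([guid]::NewGuid().ToString() + $file.Extension.ToLowerInvariant())
            Move-Item -LiteralPath $file.FullName -Destination $stored
            Write-Host "kept    $($file.Name) as $(Split-Path -Leaf $stored)"
        } else {
            Remove-Item -LiteralPath $file.FullName -Force
            Write-Host "dropped $($file.Name): $verdict"
        }
    }
}

Invoke-UploadQuarantine
```

Run it as a scheduled task under an administrative account, not as the uploader: the drop folder is meant to be write-only for uploaders, so they cannot read the files back, while the quarantine pass needs to. The header check is deliberately an allow-list; anything it does not recognise is removed rather than kept "just in case".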

Roger Abell

2004-04-26, 10:34 am

> But if you have FP
> and know the name of my site and the password to upload
> the files you can also open up FP and enter the entire web!
> Pretty scary.

FPSE believes you have granted that account author, adv author,
or admin of the web. You only need to grant write for the area
where the upload will be stored.
Perhaps the most simple thing is to just make the upload page(s)
a subweb (per FPSE) of its own, and make it not allow anonymous
access but allow browse access to the custom account you defined
(the one you give out to those that should be able to upload).
In IIS mark the folder within this that will receive files so that it
allows write but nothing else, and most importantly, none for
script/execute. Tweak the NTFS perms of that folder so the account
used has write within the folder.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

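The IIS side of Roger's recipe (the receiving folder allows write and nothing else, none for script/execute) together with Karl's "require HTTPS", as an added example that is not part of the thread. It is written for IIS 7 or later with the WebAdministration module; the IIS 6 on Joe's Server 2003 has no PowerShell, and there these are the Directory Security and Home Directory tab settings the posts describe. Site name, application path and the size cap are made-up assumptions.

```powershell
# Added example, not from the original thread: the IIS settings Roger gives for
# the receiving folder (write, nothing else, no script or execute) and Karl's
# "require HTTPS", written for IIS 7 or later with the WebAdministration module.
# The thread's IIS 6 on Server 2003 has no PowerShell; there these are the
# Directory Security and Home Directory tab settings the posts describe.
# Site name, application path and the size cap are made-up assumptions.

Import-Module WebAdministration

$Site      = 'Default Web Site'
$UploadApp = "$Site/mysite"             # application holding File_Upload.htm
$DropVdir  = "$Site/mysite/uploads"     # virtual directory that receives the files

function Set-IisLocationProperty {
    # Sets one attribute for a site path through a <location> element in
    # applicationHost.config. The authentication, access and handlers sections
    # are locked against web.config by default, so setting them this way is
    # what makes the change take effect.
    param([string]$Location, [string]$Filter, [string]$Name, $Value)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $Filter -Name $Name -Value $Value
}

# Upload page: anonymous off so the prompt always appears; Basic on, which
# sends the password base64-encoded and is therefore only acceptable because
# the same location requires SSL.
Set-IisLocationProperty $UploadApp 'system.webServer/security/authentication/anonymousAuthentication' 'enabled' $false
Set-IisLocationProperty $UploadApp 'system.webServer/security/authentication/basicAuthentication' 'enabled' $true
Set-IisLocationProperty $UploadApp 'system.webServer/security/access' 'sslFlags' 'Ssl'

# Receiving folder: handlers may Write and nothing else. With no Read, nothing
# uploaded can be fetched back over HTTP (403.2); with no Script or Execute,
# an uploaded .asp or .aspx is never handed to a script engine (403.1).
Set-IisLocationProperty $DropVdir 'system.webServer/handlers' 'accessPolicy' 'Write'

# Cap the request body at 10 MB so a single POST cannot fill the disk.
Set-IisLocationProperty $UploadApp 'system.webServer/security/requestFiltering/requestLimits' 'maxAllowedContentLength' 10485760

# Read the result back; a silently unchanged locked section is the usual
# failure mode, and a value of "Read, Script" here means uploads can execute.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DropVdir -Filter 'system.webServer/handlers' |
    Select-Object -ExpandProperty accessPolicy
```

The accessPolicy line is the one that matters most: NTFS permissions decide who can write a file into the folder, but it is this IIS setting that decides whether IIS will ever treat a file found there as a page to run. Both have to be wrong for an uploaded script to execute, so set both.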

Roger Abell

2004-04-26, 10:34 am

Hi Karl,

Boy, given the high rate of probing with WebDAV verbs
of late, that mention of WebDAV makes me nervous.

It was quite good to finally meet earlier this month.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA



Karl Levinson [x y] mvp

2004-04-26, 11:35 am

Yeah, but as long as you are patched and have written your WebDAV
application securely, I believe you should be OK. Other recent attacks
probe for IIS or SSL, but those probes alone aren't necessarily reason to
consider not using IIS or SSL. Also, unless I'm mistaken, WebDAV verbs are
already running on your IIS server by default, so you might as well make use
of it.

Yes, it was nice to meet you in person as well.





Joe

2004-04-26, 8:39 pm

Hello Roger, thanks for the reply

> Define an account that is not granted permissions
> in the FPSE config for the web, but that is granted
> permissions at NTFS level for the upload-to folder.
> Then, when they get that prompt after starting the
> upload, this is the account that needs to be given.

I created an account in FPSE with a browse permission
but it will not allow you to upload the file. I went up to
a contributor and this didn't work either.

So presently it is at the Author level and you can upload
the file.
What or how would I create this type of account that you
are speaking of?

I am not sure about your second answer. I do know that I
can use IIS to protect the page but then after you will
have to deal with FPSE. This seems like double work.
I have never used WebDAV and the extensions are not
enabled at this time.
This page is a subweb but not in the navigational structure.
2. ASP.NET: so how can I set a control and limit, please?
As you can tell I am green at this part.
Thanks
Joe


Ken Schaefer

2004-04-26, 11:34 pm

Compared to FPSE, WebDAV is extremely primitive... :-)

FPSE can be used on a site-by-site basis, but WebDAV can not. Also, it
requires ensuring that your NTFS permissions are correct everywhere, which
is a pain unless you are handy with command line tools like cacls or xcacls.
FPSE2002 is much easier to admin, and provides a handy little wizard for
handling your NTFS permissions.

Cheers
Ken




Ken Schaefer

2004-04-26, 11:34 pm


"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:47a501c42be9$592a8670$a601280a@phx.gbl...
: Hello Roger thanks for the reply
:
: Define an account that is not granted permissions
: in the FPSE config for the web, but that is granted
: permissions at NTFS level for the upload-to folder.
: Then, when they get that prompt after starting the
: upload, this is the account that needs to be given.
:
: I created an account in FPSE with a browse permission
: but it will not allow you to upload the file. I went up to
: a contributor and this didn't work either.
:
: So presently it is at the Author level and you can upload
: the file. What or how would I create this type of account that you
: are speaking of?


Right-click on My Computer and choose Manage. There is a node called "Local
users and groups". This is where you create new user accounts.

You need to give this user appropriate *NTFS* permissions to write files to
the hard disk. If you do not know what NTFS permissions are then I seriously
suggest you hire a consultant to do this work for you, since understanding
file system permissions is a fundamental server administration task.
Alternatively, take a few days off, buy a decent Windows 2003 Admin book and
read it.

I don't know what type of upload control you are using. Any generic upload
control should work just fine with the user in the Browse role. You should
not need to put the user into the Authors role. The Authors role allows that
user to *author* content on your server, which means publishing stuff.

Cheers
Ken



Roger Abell

2004-04-27, 3:34 am

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23qVvzRALEHA.3712@TK2MSFTNGP11.phx.gbl...
> Compared to FPSE, WebDAV is extremely primitive... :-)
>
> FPSE can be used on a site-by-site basis, but WebDAV can not. Also, it
> requires ensuring that your NTFS permissions are correct everywhere, which
> is a pain unless you are handy with command line tools like cacls or

xcacls.
> FPSE2002 is much easier to admin, and provides a handy little wizard for
> handling your NTFS permissions.
>
> Cheers
> Ken



Handling or mishandling ?
My opinion is not high on that score, unless it is
a corporate web where there is common ownership
over all content.

--
Roger




Roger Abell

2004-04-27, 3:34 am

If by upload page you only mean saving form data,
write it into the _private directory, or if you have one
try writing into the fpdb directory.
We have been assuming you meant file uploads, when
the browsing user finds a file on their system that is then
transferred up to the webserver.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:489b01c42c0b$c09773f0$a601280a@phx.gbl...
> Thanks Ken
> I am much closer now I think I got it.
>
> I don't know what type of upload control you are using.
>
> Ok the upload is the one in FP form which as I know it
> does not specify any control?
>
> Ok as for permissions
> If I have a user account already defined on the server but
> not a matching one in the FPSE with browse, it will not work,
> correct?
>
> So if I create a computer account this will be assigned to
> what group to enable the write to disk for upload> Users
> or Guest?
>
> Now this same account will have to be created in FPSE and
> given a Browse permission correct? Ok so it has two layers
> which I can pass by so-to-speak with the NTFS settings and
> then protect the page and the upload prompt with the same
> account.
> e.g. say >>> user name Jon will be the account on the
> machine and the one in FPSE (matching)
> Jon on the machine is a user and in FPSE a browser
>
> and his password will be the same and will be assigned to
> say a user account.
>
> Now he is trying to access my upload page and the first
> line of defense will be the NTFS protection I set in the
> IIS manager? (right-click, properties, click security etc.)
> Boom! he is at the page now.
> Jon now browses for the doc he is looking for and submits
> it. Boom! here comes the next prompt for username and
> password; this should be the same as the user on the
> machine. Bam, bye-bye file! Correct?
> Thanks please let me know.
> Joe


Joe

2004-04-27, 9:34 am

Hi Roger
I am able to upload any type of file at this location.
I uploaded a 188MB visio.exe for a test and it was uploaded
to my web. I created a folder called "File Uploads" in the
web. I do have an fpdb file and of course a _private folder;
are these better choices?
My main concern is this:

1. protection so that my web cannot be edited with FP using this upload
account
2. not allowing exe files to be uploaded.
If I can answer these I am finished.

I still do not have an answer on creating an account on
this last post; could someone verify my last post
with "this is correct or not" about account creation for
this application.
Thanks for all your help, it is very good.
Joe



Roger Abell

2004-04-28, 2:34 am

inlined . . .

--
Roger
"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:4c6401c42c5d$1dde38e0$a401280a@phx.gbl...
> Hi Roger
> I am able to upload any type of file at this location.
> I uploaded a 188MB visio.exe for a test and it is uploaded
> to my web. I created a folder called "File Uploads" in the
> web. I do have a fbdb file and of course _private folder
> are these better choices?


Those predefined folders have permissions set by the FPSE
that will allow write by the browsing account, so they are
usually ready-to-go for purposes like this.

> My main concern is this
>
> 1 protection not to edit my we with FP with this upload
> account


If the account is only granted browse, not author, in the
Sharepoint Admins interface, then you should not have to
be concerned about them editing elsewhere.

> 2. not allow exe files to be uploaded.

Not sure if the upload method you are using can be selective
based on file extension. However, if you follow what was
suggested in the other post, then in the properties of the folder
in which you store the uploads, using the IIS mgmt interface,
the application settings of that folder should have execute
permissions set to None instead of Scripts or Scripts and Executables.
That will prevent an uploaded exe from being runnable.
You can also set a Deny of execute for files on the folder
at the NTFS permissions level (make sure you do not do
this for "This folder, subfolders, and files" - just for files).
> If I can answer these I am finished.
>
> I still do not have an answer on creating an account on
> this last post; could someone verify my last post
> with "this is correct or not" about account creation for
> this application.
> Thanks for all your help, it is very good.
> Joe


Roger Abell

2004-04-28, 2:34 am

As Ken indicated, you can just Start / Run lusrmgr.msc,
the Users and Groups part of the Computer Management tool,
and define a local account (this is what happens if you
use the FPSE/Sharepoint web interface to make a new
account). This will be a member of the Users group.
In the FPSE/Sharepoint interface, when managing this
web, you need to grant that account the Browser role.

Whether you do or do not need to further alter NTFS
permissions on the folder to receive the upload depends
on a number of factors - this I have tried to address in
the new thread you have started.

--
Roger
"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:489b01c42c0b$c09773f0$a601280a@phx.gbl...
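The setup Roger describes across his last two replies (a dedicated local account that lands only in the Users group and gets only the Browser role in FPSE, write but not execute on the upload folder at the NTFS level, and IIS execute permissions set to None so an uploaded .exe cannot be run) can be done from an elevated PowerShell prompt on the web server. The script below is an added example for this thread, not something from the posts or from Microsoft's documentation. It assumes a web root of C:\Inetpub\wwwroot, Joe's "File Uploads" folder, Joe's example account name Jon, IIS 6 with the site's metabase path rooted at W3SVC/1/ROOT, and that icacls is available (Windows Server 2003 SP2 or later). Granting the Browser role in FPSE is done in the site administration pages and is not scripted here.

```powershell
# Added example, not from the thread. Assumptions: web root C:\Inetpub\wwwroot,
# upload folder "File Uploads" (Joe's folder), account name Jon (Joe's example),
# IIS 6 with the metabase rooted at W3SVC/1/ROOT, icacls present (Windows
# Server 2003 SP2 or later). Run in an elevated PowerShell on the web server.

$Account   = 'Jon'
$UploadDir = 'C:\Inetpub\wwwroot\File Uploads'
$AdsUtil   = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$MetaPath  = 'W3SVC/1/ROOT/File Uploads'

# 1. The upload account: a plain local user (lusrmgr.msc does the same thing).
#    net user puts it in the local Users group and nowhere else. It must never
#    be the admin account, and in FPSE it gets only the Browser role, which is
#    assigned in the FPSE/SharePoint site administration pages, not here.
net user $Account * /add /comment:"Upload-only web account"   # prompts for the password

# Sanity check: the account must not be a member of Administrators.
$admins = net localgroup Administrators
if ($admins -match "^\s*$Account\s*$") {
    Write-Warning "$Account is a member of Administrators - remove it before going further"
}

# 2. NTFS on the upload folder.
#    (OI)(CI)(R,W): read and write on the folder, its subfolders and files,
#    with no execute right in the grant.
icacls $UploadDir /grant "${Account}:(OI)(CI)(R,W)"
#    Deny execute on files only. (OI)(IO) = object inherit, inherit only: the
#    ACE is inherited by files under the folder but applies neither to the
#    folder itself nor to subfolders (Roger's "just for files"). It is applied
#    to Everyone so that nothing dropped here can be launched, whoever asks.
icacls $UploadDir /deny "Everyone:(OI)(IO)(X)"

# 3. IIS execute permissions = None for the folder (Directory tab, Application
#    settings). In the IIS 6 metabase that is AccessExecute and AccessScript
#    both false; AccessRead is left alone so uploaded documents can still be
#    fetched. If the folder has no metabase node yet (it is a plain
#    subdirectory), open its Properties once in IIS Manager first; IIS
#    creates the node at that point.
cscript //nologo $AdsUtil set "$MetaPath/AccessExecute" false
cscript //nologo $AdsUtil set "$MetaPath/AccessScript"  false
# IIS 7 and later: the same setting lives in system.webServer/handlers:
#   appcmd set config "Default Web Site/File Uploads" `
#       -section:system.webServer/handlers -accessPolicy:Read

# 4. Show the result so it can be checked before the password is handed out.
icacls $UploadDir
cscript //nologo $AdsUtil get "$MetaPath/AccessExecute"
cscript //nologo $AdsUtil get "$MetaPath/AccessScript"
```

Two things worth noting about the design. The deny-execute ACE is put on Everyone rather than on Jon alone because, depending on how IIS authenticates the request, the process that would run an uploaded file is not necessarily Jon; a deny that covers every principal closes that gap. And the NTFS deny and the IIS "None" setting are independent layers: the IIS setting stops the web server from treating the file as executable content, the NTFS deny stops anything else on the box from running it, so keep both even though either one alone blocks the case Joe tested with visio.exe.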


Copyright 2003 - 2008 webservertalk.com