IIS Server Security - Secure upload page 2

Joe

2004-04-27, 5:34 pm

Hello Roger

I have created the subweb account as you have said to be
the simplest. But the same problem remains: anyone with FP
can enter the web; the user has to be an Author to submit
the file. I can't get around this unless you know a better
way. I am struggling here.

https://animocracy.com/upload

Should take you there. When you submit, the prompt is back
asking for the user name and password
thanks guys
Joe
Roger Abell

2004-04-28, 2:34 am

OK. There are a few things to take into account here.
First, the FP browse account generally only has ability
to read content files. So, it will not have a grant of
write on the area to which the upload is attempting to
save (unless it is one of the very few areas where FP
places very loose permissions).
So, two things to check. Suppose the upload is trying
to save to some folder ./here/
In the IIS mgmt interface, locate this ./here and r-click
into its properties and there set none for application
script/execute, and set write with a radio-check.
Then, find the ./here folder in Explorer and set permissions
to modify for the IUSR_, the IWAM_, and the accounts
that are supposed to be able to upload. This is overkill,
but it should cover the bases regardless of the types of
authentication you are supporting and the process isolation
setting of the web app.
Also, if you have used IISlockdown make sure that there
are not Deny Write settings on this ./here directory.
If things are still not working the most simple thing is to
set an audit ACE in the NTFS permissions, for Failure
Full, and make sure the effective local policy will
enable auditing of failures. I have seen FP do some strange
things, expecting the account to have read at spots in the root
web, etc., but if you have not hand-tightened the NTFS
permissions of the web content this should not come into
play.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Joe

2004-04-28, 11:35 am

Thanks Roger, I will give this a try.
I have seen FP do some VERY strange things also;
I would agree. I will let you know.
Most appreciated
Joe

Joe

2004-04-28, 12:35 pm

Roger thanks for your help here

I have to say now the page cannot be displayed

If you could please walk me through setting up a machine
account, let's say a Guest, for the machine to be able to do
the latter with FP. I presently have no accounts other
than the administrator. I am familiar with what you are
saying to a point but I think my head is getting screwed up.
Let's start there.
Let's create a "generic" account I can give to anyone on
the net to be able to upload to my folder. After, we can go
to the FP side of this and set the same account the way
you specify. I really don't want to bother you guys about
this any longer; it cannot be that difficult.
Thanks
Joe

Joe

2004-04-28, 12:35 pm

I have tried just about everything I know of including
your advice, and as long as the account in the FPSE is set
to "browse" you're screwed. Of course you could have a
machine account as an admin, but then what good is that?

Roger Abell

2004-04-29, 4:34 am

The accounts you see and call FP accounts are machine
accounts.
This is not that hard. If you have a web with anonymous
content, and then you use the FP Sharepoint admin interface
to define a subweb of this one, let us call it upld, then you
go into the admin page for the new upld subweb, and there
you check to use permissions different from the parent, then
check to not allow anonymous access, and finally grant
browser role to the account you have defined and will be
giving out (this cannot be a Guest, well rather, if it is a
Guest and it works it is because it is also either directly
or indirectly a Users member).
Now, in this upld web you should put your upload form,
so that people do not even get the form unless they know
the account name/pwd.
Next, in upld subweb use _private, or fpdb, or define a
directory into which the uploaded file will go. This folder
you need to mark to allow write and not allow script/exec
in IIS mgmt UI, and to allow Change/Modify (on _private,
fpdb, FPSE tends to grant it to Network and to Interactive)
for the accounts that may be used (see earlier post).
If this does not work it is likely due to the account not
having logon rights or not having read rights for the root
web of the website (auditing helps to find the few files where
this is needed, but again, if you have not hand tweaked the
NTFS permissions elsewhere, FPSE sets them more than
sufficiently loose that this should not be the problem).

This is not that hard to do.
You need to get auditing going so that you get some guidance
from the system as to which part of the whole is missing in
how you have it set.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

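Roger's two posts above are one procedure: in IIS allow Write on the upload folder and set script/execute to none, in NTFS grant Modify to IUSR_, IWAM_ and the upload account, put the form in a non-anonymous subweb, aim the upload at _private or fpdb, and add a Failure/Full audit ACE so the system reports which account and which right is being refused. The script below is an added example written for this archive; it is not code from the thread, from Microsoft or from FPSE. It does the NTFS and auditing half of that procedure from PowerShell instead of Explorer and reads back the IIS metabase settings for the other half. The folder path, the metabase path W3SVC/1/ROOT/upload, the local accounts (the "file" browse account Joe mentions, plus IUSR_ and IWAM_ on the local machine) and the use of auditpol are all assumptions to adjust for the server in question.

```powershell
# Added example, not code from the thread. Implements the NTFS side of Roger's
# advice: grant Modify (not Full Control) to the accounts that must be able to
# upload, add a failure audit ACE, and report any Deny-Write entries left by
# IIS Lockdown. All paths and account names below are assumed placeholders.

param(
    # Assumed: the subweb folder that the upload form writes into.
    [string]   $UploadDir = 'C:\Inetpub\wwwroot\upload\_private',
    # Assumed: the FPSE "browse" account plus the IIS anonymous and out-of-process accounts.
    [string[]] $UploadAccounts = @(
        "$env:COMPUTERNAME\file",
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
        "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"
    ),
    # Assumed: metabase path of the upload application (site 1, /upload).
    [string]   $MetabasePath = 'W3SVC/1/ROOT/upload'
)

$rights = [System.Security.AccessControl.FileSystemRights]
$acl    = Get-Acl -Path $UploadDir -Audit     # -Audit needs SeSecurityPrivilege (run elevated)

# 1. A Deny ACE wins over any Allow ACE, so an inherited Deny Write from IIS
#    Lockdown silently defeats everything else. Report it; do not remove it blindly.
$denyWrite = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $rights::Write)
})
foreach ($ace in $denyWrite) {
    Write-Warning ("Deny Write on {0} for {1} (inherited: {2})" -f
        $UploadDir, $ace.IdentityReference, $ace.IsInherited)
}

# 2. Grant Modify, inheriting to files and subfolders. Modify lets the account
#    create, overwrite and delete uploads without letting it change the ACL itself.
foreach ($account in $UploadAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}

# 3. "Failure / Full" audit ACE: every failed access attempt by anyone on this
#    folder becomes an Object Access failure event in the Security log, which
#    names the account and the right that was denied.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
$acl.AddAuditRule($audit)

Set-Acl -Path $UploadDir -AclObject $acl

# 4. The SACL only produces events if local policy audits object-access
#    failures. auditpol.exe exists on Vista/2008 and later; on 2000/2003 set
#    "Audit object access: Failure" in Local Security Policy instead.
if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null
}

# 5. Read back the IIS side of the advice (Write allowed, script/execute off)
#    from the IIS 5/6 metabase with adsutil.vbs, if it is present.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
if (Test-Path $adsutil) {
    foreach ($prop in 'AccessWrite', 'AccessScript', 'AccessExecute') {
        cscript.exe //nologo $adsutil GET "$MetabasePath/$prop"
    }
}

# 6. Show the resulting DACL so the grants can be checked before testing an upload.
(Get-Acl -Path $UploadDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it elevated: Get-Acl -Audit and Set-Acl with an audit rule need the manage-auditing privilege. The Deny-Write step is deliberately report-only, because a Deny ACE inherited from IIS Lockdown may be protecting sibling folders and should be understood before it is removed. After the next failed upload, the Object Access failure events in the Security log name the account IIS actually used and the access it was refused, which is exactly the guidance Roger says the system should be giving.
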
Joe

2004-04-29, 6:34 am

Roger I agree this is not that hard according to theory
but I cannot get past the prompt at the FP level

I do not care what you do to this thing it will not let
you past the prompt with a browser account

Ok, at this point I have changed the destination folder in
the upload form to _private or fpdb, but I will, and then I
am going to the IIS manager and change the permissions of
the _private folder for the account in FPSE, correct? to
change/modify. Ok, the account is

User name >>>File ok so in FPSE this "file" should have
to be set to browse, correct? Well it is, and the subweb
does not have the same security as the parent web it is
only one upload page.

Here is the password >>>> upload

try to get me a file uploaded to my web

see what happens?



Thanks Joe


Roger Abell

2004-04-29, 9:35 am


"Joe" <anonymous@discussions.microsoft.com> wrote in message
news:5f4401c42dd2$25335640$a101280a@phx.gbl...
> Roger I agree this is not that hard according to theory
> but I cannot get past the prompt at the FP level
>
> I do not care what you do to this thing it will not let
> you past the prompt with a browser account
>
> Ok at this point I have changed the desination folder in
> the upload form to _private or fpdb .but I will and then I
> am going to the IIS manger and change the permissions of

No. In the IIS mgmt UI you just check that Write is allowed to
the folder where files will be uploaded, and for safety you
set script/execute to none for the application.
You then use Explorer to grant to the account at the filesystem
level in the NTFS permissions.

> the _private folder for the account in FPSE correct? to
> change/modify ok the account is
>
> User name >>>File ok so in FPSE this "file" should have
> to be set to browse correct? Well it is,and the subweb
> does not have the same security as the parent web it is
> only one upload page.
>
> Here is the password >>>> upload
>
> try to get me a file uploaded to my web
>
> see what happens?
>

The Url seems to have changed. The one you
gave earlier returns 404 not found

Joe

2004-04-29, 12:35 pm

Sorry, http://animocracy.com/upload

this is a browse account set in FPSE
User/file
password/upload
this is your username and password
I do not see in the private folder this account name when
I go to set the folder permissions in explorer, and there
is no IWAM either.

Joe

2004-04-29, 6:35 pm

I have been able to run 9 web sites (same IP) including
http Streaming media, Internet printing with an account
name and password, VPN with account and password, operate
the forms,build Access databases and a lot of other things
seemingly more difficult, and for the life of me I cannot
figure this out.
I do think this is an issue of knowing the puzzle but not
knowing the steps in order to put the puzzle together.
From here I have learned
There are a few levels of security
and we can grant access to levels. But what I have also
noticed nothing wants to work together.

Could you please approach it this way It may end this
deluge of postings.
Give me a user name and password, any one, I don't care.

tell me how to add it to this/my server verbatim assume I
know nothing, nothing at all about the process

then tell me how to let it work with FP. I have the subweb
up and running (https://Animocracy.com/upload); the page is
plain and visible, no entering a password.

Then let's set the permissions to the appropriate items.
Start in one place systematically please.

I will follow it and then we will test it.

Important info: I am all by myself here there is no network
just me and the internet 1 server primarily web

Jonathan is really good with this. (no offense)

How I am creating my accounts: I am creating an account in
the FPSE only for this app; this may be a problem, or thee
problem, but I am not sure. I have never created the
account from My Computer >> Computer Management >> Users.

I am sorry for creating such havoc but I do not want to be
the irresponsible one who just leaves his server wide open
so others can be attacked.

joe

