IIS Server Security - Disable drive list using ASP Code







Author Disable drive list using ASP Code
Lisandro Weissheimer

2007-06-29, 1:22 pm

Hi,

I have a web server running IIS 6.0 and need to block a user from listing
my drives and navigating folders using ASP code.

The example is in http://paludo.no-ip.org:9090/teste/drive.asp

I know that it can be done by disabling FileSystemObject by running the
following: regsvr32 scrrun.dll /u.

But I can't do this; some sites use this component.

I know that it can be done without disabling FileSystemObject, but don't
know how.

Can anyone help me please?

Thanks,

Lisandro


David Wang

2007-07-01, 1:24 am

On Jun 29, 7:42 am, Lisandro Weissheimer
<LisandroWeisshei...@discussions.microsoft.com> wrote:
> Hi,
>
> I have a web server running IIS 6.0 and need to block a user from listing
> my drives and navigating folders using ASP code.
>
> The example is in http://paludo.no-ip.org:9090/teste/drive.asp
>
> I know that it can be done by disabling FileSystemObject by running the
> following: regsvr32 scrrun.dll /u.
>
> But I can't do this; some sites use this component.
>
> I know that it can be done without disabling FileSystemObject, but don't
> know how.
>
> Can anyone help me please?
>
> Thanks,
>
> Lisandro




For the web pages where you want to restrict FileSystem access, change
their authenticated user account to a deny-user-account that you
create/maintain, and then ACL the FileSystem denying that deny-user-
account read/list access and allowing read access to places that you
want.

Using unmanaged components like Scripting.FileSystemObject (which is
basically raw native code running on your webserver) and then allowing
users to upload and run code of their design using the unmanaged
components, your ONLY security defense is NTFS ACLs. Partition your
applications into those that run as limited and non-limited user
accounts and ACL the NTFS FileSystem accordingly.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
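One way to put David's advice into practice on IIS 6.0, as an added example (not a script from the thread or from Microsoft): a dedicated deny account becomes the anonymous identity for the application, and NTFS ACLs set with icacls deny list/read on the drive roots and on the other sites' content while allowing read on this site's own tree. The account name, password, metabase path W3SVC/1/ROOT/teste and the D:\Sites layout are assumptions; icacls assumes Windows Server 2003 SP2 or later.

```powershell
# Added example, not code from the thread. Carves out a dedicated low-privilege
# identity for the application that must keep Scripting.FileSystemObject and
# lets NTFS ACLs, not the script engine, decide what it can list or read.
# Assumed layout: IIS 6.0 on Windows Server 2003 SP2 (icacls), app at metabase
# path W3SVC/1/ROOT/teste, all site content under D:\Sites, this site's content
# in D:\Sites\Teste, anonymous access. Names and password are placeholders.
$DenyUser  = 'IUSR_FSO_DENY'
$DenyPass  = 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD'
$MetaPath  = 'W3SVC/1/ROOT/teste'
$SitesRoot = 'D:\Sites'
$SiteRoot  = 'D:\Sites\Teste'
$Drives    = @('C:\', 'D:\')
$AdsUtil   = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"

# 1. Create the deny account. It only joins the local Users group, so it
#    holds nothing beyond what the ACLs below grant; keep the password from
#    expiring or the site stops serving when it does.
net user $DenyUser $DenyPass /add /passwordchg:no /expires:never | Out-Null
wmic useraccount where "Name='$DenyUser'" set PasswordExpires=false | Out-Null

# 2. Make anonymous requests to this application run as the deny account.
cscript //nologo $AdsUtil set "$MetaPath/AnonymousUserName" $DenyUser
cscript //nologo $AdsUtil set "$MetaPath/AnonymousUserPass" $DenyPass
cscript //nologo $AdsUtil set "$MetaPath/AnonymousPasswordSync" false

# 3. Deny listing of each drive root (folder-only ACE, no inheritance) so the
#    account cannot enumerate the top of any volume. Do not push a deny into
#    %SystemRoot%: the request identity must still read asp.dll, vbscript.dll
#    and scrrun.dll, and an inherited deny there would break every ASP page.
foreach ($d in $Drives) { icacls $d /deny "${DenyUser}:(RD)" | Out-Null }

# 4. Deny read/list on all site content (OI = files, CI = subfolders) ...
icacls $SitesRoot /deny "${DenyUser}:(OI)(CI)(RD)" | Out-Null
# ... then allow read/execute on this site's own tree. The explicit ACE on
#    $SiteRoot, and the ACEs its children inherit from it, are evaluated
#    before the deny inherited from $SitesRoot, so this site still serves
#    while its neighbours under D:\Sites stay unreadable.
icacls $SiteRoot /grant "${DenyUser}:(OI)(CI)(RX)" | Out-Null

# 5. Verify the ACEs landed where intended.
foreach ($p in $Drives + $SitesRoot + $SiteRoot) {
    $aces = (Get-Acl $p).Access |
        Where-Object { $_.IdentityReference -like "*\$DenyUser" } |
        ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }
    '{0,-16} {1}' -f $p, ($aces -join ' ')
}
```

If the pages run under authenticated access instead of anonymous, the metabase step is skipped and the same deny and allow ACEs are applied to the accounts (or group) those users authenticate as.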

Lisandro Weissheimer

2007-07-02, 7:19 am

Thanks David!

I'll apply the ACL.

"David Wang" wrote:

> On Jun 29, 7:42 am, Lisandro Weissheimer
> <LisandroWeisshei...@discussions.microsoft.com> wrote:
>
>
>
> For the web pages where you want to restrict FileSystem access, change
> their authenticated user account to a deny-user-account that you
> create/maintain, and then ACL the FileSystem denying that deny-user-
> account read/list access and allowing read access to places that you
> want.
>
> Using unmanaged components like Scripting.FileSystemObject (which is
> basically raw native code running on your webserver) and then allowing
> users to upload and run code of their design using the unmanaged
> components, your ONLY security defense is NTFS ACLs. Partition your
> applications into those that run as limited and non-limited user
> accounts and ACL the NTFS FileSystem accordingly.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>








Copyright 2003 - 2008 webservertalk.com