Hello,

Is it possible to restrict what type of files users can upload to webfolders
in w2k3 / IIS 6.0 (for example no executables)?

Thanks,

Peter

[ Post a follow-up to this message ]

"peterw" <peterw@discussions.microsoft.com> ha scritto nel messaggio
news:CAAB5488-612D-4517-ADF5-12F593B19F5E@microsoft.com...
> Hello,

Hi

> Is it possible to restrict what type of files users can upload to
> webfolders
> in w2k3 / IIS 6.0 (for example no executables)?

what kind of service do you use for upload?


--
Christian Paparelli
http://www.ithost.ch

[ Post a follow-up to this message ]

No particular service to my knowledge, just by dragging a file from the
windows explorer to the webfolder.

"Christian Paparelli" wrote:

> "peterw" <peterw@discussions.microsoft.com> ha scritto nel messaggio
> news:CAAB5488-612D-4517-ADF5-12F593B19F5E@microsoft.com... 
>
> Hi
> 
>
> what kind of service do you use for upload?
>
>
> --
> Christian Paparelli
> http://www.ithost.ch
>
>
>

[ Post a follow-up to this message ]

"peterw" <peterw@discussions.microsoft.com> ha scritto nel messaggio
news:27451C2A-9AC5-455E-87DB-1D31A4B6D06F@microsoft.com...
> No particular service to my knowledge, just by dragging a file from the
> windows explorer to the webfolder.

no sorry iis doesn't permit file type restictions


--
Christian Paparelli
http://www.ithost.ch

[ Post a follow-up to this message ]

"peterw" <peterw@discussions.microsoft.com> wrote in message
news:CAAB5488-612D-4517-ADF5-12F593B19F5E@microsoft.com...
> Is it possible to restrict what type of files users can upload to
webfolders
> in w2k3 / IIS 6.0 (for example no executables)?

In general, putting a filter on the upload mechanism will not solve your
problem.  The user can just find something that is permitted (ASP for
example) and install their own upload mechanism that bypasses your
protections.

If you're really trying to prevent executables from being run via the web
site, you can turn off executable permission for all users using NT
permissions.  I don't have 2003, but in 2000 if you go to the folder's
security and click Advanced, you can turn off the "Traverse Folder / Execute
File" permission to stop executables from being run.

If you're looking for a solution where you can filter out specific file
types, you could write an ISAPI filter, catch the SF_NOTIFY_URL_MAP
notification determine if the file being requested is illegal via your
policy.  If so, you can change the result to point at a file indicating so
or return an error.

-Jeff

[ Post a follow-up to this message ]

Thanks Jeff & Christian!

"Jeff Fink" wrote:

>
> "peterw" <peterw@discussions.microsoft.com> wrote in message
> news:CAAB5488-612D-4517-ADF5-12F593B19F5E@microsoft.com... 
> webfolders 
>
> In general, putting a filter on the upload mechanism will not solve your
> problem.  The user can just find something that is permitted (ASP for
> example) and install their own upload mechanism that bypasses your
> protections.
>
> If you're really trying to prevent executables from being run via the web
> site, you can turn off executable permission for all users using NT
> permissions.  I don't have 2003, but in 2000 if you go to the folder's
> security and click Advanced, you can turn off the "Traverse Folder / Execu
te
> File" permission to stop executables from being run.
>
> If you're looking for a solution where you can filter out specific file
> types, you could write an ISAPI filter, catch the SF_NOTIFY_URL_MAP
> notification determine if the file being requested is illegal via your
> policy.  If so, you can change the result to point at a file indicating so
> or return an error.
>
> -Jeff
>
>
>
>

[ Post a follow-up to this message ]