04-25-04 06:33 AM
Hello,
Need some advice (please) on how to secure an upload page
on my web?
As I can see it the page asks for a password as it is
which is my admin. account and password. But I want this to
be available to others and I cannot of course give out my
password.
I have however added a user in the FP extensions but I
feel this is a big hole in my shell of armor here. How
can I enable the extensions to allow the upload without
someone else with FP getting into my web? The browser is ok
Maybe in simpler terms >>How to secure the page and allow
only the upload to say a generic user.
Thanks
Joe
Re: Secure an upload page
04-25-04 06:34 AM
I don't think you can do this with FPSE security per se.
Instead, in the IIS manager, locate your folder or file. Right-click, choose
properties, on the Directory Security or File Security tab, click to Edit
authentication mechanisms. Uncheck "Allow Anonymous Access".
Now create a new Windows account that you will give out to people for the
purposes of accessing the page (you don't say what OS you have, so I can't
give you instructions).
Now, locate the file on your hard disk, and configure appropriate NTFS
permissions (if required) via Windows Explorer (you will need to give the
user account Read permissions to the file, plus Write permissions to
wherever they are going to save their file).
Cheers
Ken
Re: Secure an upload page
04-25-04 02:33 PM
Note that any authentication you do can probably be sniffed unless you use
an SSL certificate and check the boxes to require HTTPS for any pages where
you have changed permissions. This may not be a big issue for you if you
only do uploads on your local network and/or the web server is not all that
critical for you.
The most secure way to do downloads might be to use NTFS file permissions,
local Windows accounts, HTTPS and use WebDAV for the file transfer. That
might be a little too complex depending on your needs:
www.iisfaq.com/ssl
www.webdav.org
Or, you could use SSH / SCP / PuTTY, which is probably easier, especially if
you know or can contact everyone who will be posting:
www.openssh.org/windows.html
www.networksimplicity.com
Re: Secure an upload page
04-25-04 03:34 PM
> Instead, in the IIS manager, locate your folder or file. Right-click, choose
> properties, on the Directory Security or File Security tab, click to Edit
> authentication mechanisms. Uncheck "Allow Anonymous Access".
I tried this and it only keeps out the page access but
when you go to upload via the page it will ask again when
you submit the file I guess because the folder is located
inside the web. I did however use ssl forced in the
security section of the file in IIS manager
https://animocracy.com/mysite/File_Upload.htm
This is the page please go and try to submit a file it
will explain a lot. It all works very nicely however it is
scary unless I don't give out the password
> Now create a new Windows account that you will give out to people for the
> purposes of accessing the page (you don't say what OS you have, so I can't
> give you instructions)
My OS is Server 2003 Enterprise I would like to
create "generic account" per se just enough to upload.
If there is a better way to upload to a folder on my
server I would like to know please.
Re: Secure an upload page
04-25-04 03:34 PM
Karl thanks for your reply,
> The most secure way to do downloads might be to use NTFS file permissions,
> local Windows accounts, HTTPS and use WebDAV for the file transfer. That
> might be a little too complex depending on your needs:
I use VPN for downloads or link to them in a generic
webpage and I only give this out under certain file
permissions-conditions. However you still cannot get to
anything I don't want you to via VPN. But if you have FP
and know the name of my site and the password to upload
the files you can also open up FP and enter the entire web!
Pretty scary.
So I don't know how to secure this page. If the upload page
is in a web it won't matter where the destination folder is
because the other side of this is the hole.
I am using https
https://animocracy.com/mysite/File_Upload.htm
Thanks
Joe
Re: Secure an upload page
04-26-04 03:34 PM
You sound to be partly there. There are two ways
to continue now:
1.
Define an account that is not granted permissions
in the FPSE config for the web, but that is granted
permissions at NTFS level for the upload-to folder.
Then, when they get that prompt after starting the
upload this is the account that needs be given.
2.
Grant the account browse on the web in the FPSE,
and either make your upload page a FPSE subweb
that does not allow anonymous access, or tweak the
NTFS permissions on the upload page so that the
IUSR_/IWAM_ accounts used by the web do not
have permissions. Alter the NTFS permission on
the upload-to folder as in 1.
You would be best off using an upload control or
Asp.Net for the upload so that you can exercise
control over the size and kinds of things uploaded.
If the upload-to folder is within the web, be very
very careful about FPSE "correcting" permissions
for you, and never ask it to repair the web. It will
have an inclination to let all accounts upload unless
you have isolated the upload capability in a separate
FPSE web that is not allowing anonymous access.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Re: Secure an upload page
04-26-04 03:34 PM
> But if you have FP
> and know the name of my site and the password to upload
> the files you can also open up FP and enter the entire web!
> Pretty scary.
FPSE believes you have granted that account author, adv author,
or admin of the web. You only need to grant write for the area
where the upload will be stored.
Perhaps the most simple thing is to just make the upload page(s)
a subweb (per FPSE) of its own, and make it not allow anonymous
access but allow browse access to the custom account you defined
(the one you give out to those that should be able to upload).
In IIS mark the folder within this that will receive files so that it
allows write but nothing else, and most importantly, none for
script/execute. Tweak the NTFS perms of that folder so the account
used has write within the folder.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
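The account and NTFS setup that Ken and Roger describe above, scripted as an added example (not written by any poster in this thread). It assumes a current Windows Server with PowerShell 5.1 rather than the Server 2003 machine discussed; the account name `webupload` and both paths are hypothetical. The IIS settings (anonymous access off, no script/execute on the folder) are still made in IIS Manager as described.

```powershell
#requires -RunAsAdministrator
# Assumed names and paths (hypothetical, not from the thread).
$Account   = 'webupload'
$UploadDir = 'D:\WebData\incoming'                        # upload-to folder
$PagePath  = 'D:\Inetpub\wwwroot\mysite\File_Upload.htm'  # upload page on disk

# 1. Dedicated local account to hand out instead of the admin password.
#    It is not added to Administrators and is given no FPSE role.
$pw = Read-Host -AsSecureString "Password for $Account"
New-LocalUser -Name $Account -Password $pw -UserMayNotChangePassword `
    -Description 'Shared upload-only account' | Out-Null

# 2. Upload-to folder: add explicit ACEs first, then drop inherited ones so
#    broad groups (Users, Everyone) lose whatever they inherited.
New-Item -ItemType Directory -Path $UploadDir -Force | Out-Null
icacls $UploadDir /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${Account}:(OI)(CI)W" | Out-Null
icacls $UploadDir /inheritance:r | Out-Null

# 3. Upload page: the account only needs Read.
icacls $PagePath /grant "${Account}:R" | Out-Null

# 4. Check: report failure if the account holds more than write on the folder.
function Test-UploadAcl {
    param([string]$Path, [string]$Name)
    $tooMuch = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Name"
    }
    if (-not $aces) { Write-Warning "$Name has no allow ACE on $Path"; return $false }
    foreach ($ace in $aces) {
        if (($ace.FileSystemRights -band $tooMuch) -ne 0) {
            Write-Warning "$Name has $($ace.FileSystemRights) on $Path"
            return $false
        }
    }
    return $true
}
Test-UploadAcl -Path $UploadDir -Name $Account
```

Re-running `Test-UploadAcl` after any FPSE permission change shows whether FPSE has "corrected" the folder's ACL, the risk Roger raises for upload folders that sit inside a web.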
Re: Secure an upload page
04-26-04 03:34 PM
Hi Karl,
Boy, given the high rate of probing with WebDAV verbs
of late, that mention of WebDAV makes me nervous.
It was quite good to finally meet earlier this month.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:OnOAVMsKEHA.1416@TK2MSFTNGP09.phx.gbl...
> Note that any authentication you do can probably be sniffed unless you use
> an SSL certificate and check the boxes to require HTTPS for any pages where
> you have changed permissions. This may not be a big issue for you if you
> only do uploads on your local network and/or the web server is not all that
> critical for you.
>
> The most secure way to do downloads might be to use NTFS file permissions,
> local Windows accounts, HTTPS and use WebDAV for the file transfer. That
> might be a little too complex depending on your needs:
>
> www.iisfaq.com/ssl
> www.webdav.org
>
> Or, you could use SSH / SCP / PuTTY, which is probably easier, especially if
> you know or can contact everyone who will be posting:
>
> www.openssh.org/windows.html
> www.networksimplicity.com
Re: Secure an upload page
04-26-04 04:35 PM
Yeah, but as long as you are patched and have written your WebDAV
application securely, I believe you should be OK. Other recent attacks
probe for IIS or SSL, but those probes alone aren't necessarily reason to
consider not using IIS or SSL. Also, unless I'm mistaken, WebDAV verbs are
already running on your IIS server by default, so you might as well make use
of it.
Yes, it was nice to meet you in person as well.
Re: Secure an upload page
04-27-04 01:39 AM
Hello Roger thanks for the reply
> Define an account that is not granted permissions
> in the FPSE config for the web, but that is granted
> permissions at NTFS level for the upload-to folder.
> Then, when they get that prompt after starting the
> upload this is the account that needs be given.
I created an account in FPSE and with a browse permission
but it will not allow you to upload the file. I went up to
a contributor and this didn't work either.
So presently it is at the Author level and you can upload
the file.
What or how would I create this type of account that you
are speaking of?
I am not sure about your second answer I do know that I
can use IIS to protect the page but then after you will
have to deal with FPSE. This seems like double work.
I have never used WebDAV and the extensions are not
enabled at this time.
This page is a subweb but not in the navigational structure
2 ASP.net so how can I set a control and limit please?
As you can tell I am green at this part.
Thanks
Joe
All times are GMT.