I am just going to make the assumption that you have "Enable Parent Paths"
disabled, which you should for security reasons.
You need to make a Virtual Directory in that website for your "Includes"
place all your include ref's in there.
Dave Kleiman
dave (at) netmedic (dot) net [email concealed]
www.netmedic.net
-----Original Message-----
From: Holmes, Tyran [mailto:tholmes (at) ascendone (dot) com [email concealed]]
Sent: Friday, January 24, 2003 16:32
To: Ralph Los; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Securing IIS/5 with ASP
Sensitivity: Confidential
Is the account (IUSR...) active? I know I remember getting some errors
for the IUSR accts in the Event Log on an IIS server and found that my
cohort had disabled the accounts. Just a thought...
-----Original Message-----
From: Ralph Los [mailto:RLos (at) enteredge (dot) com [email concealed]]
Sent: Friday, January 24, 2003 12:56 PM
To: 'focus-ms (at) securityfocus (dot) com [email concealed]'
Subject: Securing IIS/5 with ASP
Sensitivity: Confidential
Hello,
I have a document I've built over the years about securing
IIS/5,
with regards to permissions, etc right down to the file level. This
often
works, except when I get that pesky ASP engine involved. I'm sick of
HTTP/500 errors! I know for a fact the error is with file permissions,
but
I can't pin-point which file(s) are causing it. I've had the
dllhost.exe
keep getting "ACCESS DENIED" (Using NTFileMon from sysinternals.com) on
C:\winnt\system32\<some_file> but...the permissions on that
file/folder/whatever are IUSR/IWAM/SYSTEM (RWX).
Bottom line, does anyone have a definitive "baseline IIS/5
w/ASP"
security document done I could look over? Just curious - dying to know
what
I'm missing.
disabled, which you should for security reasons.
You need to make a Virtual Directory in that website for your "Includes"
place all your include ref's in there.
Dave Kleiman
dave (at) netmedic (dot) net [email concealed]
www.netmedic.net
-----Original Message-----
From: Holmes, Tyran [mailto:tholmes (at) ascendone (dot) com [email concealed]]
Sent: Friday, January 24, 2003 16:32
To: Ralph Los; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Securing IIS/5 with ASP
Sensitivity: Confidential
Is the account (IUSR...) active? I know I remember getting some errors
for the IUSR accts in the Event Log on an IIS server and found that my
cohort had disabled the accounts. Just a thought...
-----Original Message-----
From: Ralph Los [mailto:RLos (at) enteredge (dot) com [email concealed]]
Sent: Friday, January 24, 2003 12:56 PM
To: 'focus-ms (at) securityfocus (dot) com [email concealed]'
Subject: Securing IIS/5 with ASP
Sensitivity: Confidential
Hello,
I have a document I've built over the years about securing
IIS/5,
with regards to permissions, etc right down to the file level. This
often
works, except when I get that pesky ASP engine involved. I'm sick of
HTTP/500 errors! I know for a fact the error is with file permissions,
but
I can't pin-point which file(s) are causing it. I've had the
dllhost.exe
keep getting "ACCESS DENIED" (Using NTFileMon from sysinternals.com) on
C:\winnt\system32\<some_file> but...the permissions on that
file/folder/whatever are IUSR/IWAM/SYSTEM (RWX).
Bottom line, does anyone have a definitive "baseline IIS/5
w/ASP"
security document done I could look over? Just curious - dying to know
what
I'm missing.
?Ralph
[ reply ]