I am looking to configure ISA server in reverse proxy configuration.
Any pointers for configuration file? Also any specific lockdown of OS
and IIS on ISA server? Thank you
cb
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor (at) HammerofGod (dot) com [email concealed]]
Sent: Thursday, 18 July 2002 4:40 AM
To: Matej Pfajfar; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: write permissions for IIS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 05:02 AM 7/17/2002, Matej Pfajfar wrote:
>Hi,
>
>A web application that my company is developing needs to create MS Word
>documents on the fly. It seems that these need to be saved onto disk
>before being shoved down the pipe to the browser, which requires IIS to be
>given write permissions to a directory that is readable from the web.
>
>I know this isn't quite right for security but it seems that there isn't a
>choice - are there any extra precautions we could take? Have other people
>found this problem as well?
Depending on the web application configuration pooling, you could set up a
COM+ component in Component Services to run under the context of a specific
user- this user/process could be given write-only access to the doc
directory but not read or execute. The IUSR account could then be given
read-only access (specifically denying write and execute) to it to mitigate
possible permission abuse. I think it would take some tweaking, but it is
doable.
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPTW6GYhsmyD15h5gEQLmYwCgw3LP07GaUi+fdnb6Cspg82JdJ6AAn1X+
seYy9pU5Hmf0RoaWRSPPPv/F
=UJR+
-----END PGP SIGNATURE-----
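
The ACL split described in the quoted reply, sketched in present-day PowerShell as an added example (not code from the thread or from either poster). The directory path, the service account name and the anonymous account name are placeholders assumed for illustration; run it elevated.

```powershell
# Assumed placeholders (not from the thread): adjust to the real server.
$docDir = 'D:\webdocs\generated'      # web-readable output directory
$writer = 'WEBSRV01\svc_docgen'       # identity set on the COM+ application
$reader = 'IUSR'                      # anonymous IIS account (IUSR_<machine> on older IIS)

# ACEs apply to the directory and are inherited by every file and subfolder.
$inherit = 'ContainerInherit, ObjectInherit'

function New-Rule($who, $rights, $type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $rights, $inherit, 'None', $type)
}

New-Item -ItemType Directory -Path $docDir -Force | Out-Null
$acl = Get-Acl -Path $docDir

# Stop inheriting from the parent and drop the inherited ACEs, so broad
# grants such as Users or Everyone do not leak into this directory.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs left over from an earlier configuration.
@($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Administrative access for maintenance and backup.
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))

# Component identity: write-only, no read and no execute.
$acl.AddAccessRule((New-Rule $writer 'Write' 'Allow'))

# Anonymous web identity: read-only, with write and execute explicitly denied.
# Deny ACEs are evaluated before allow ACEs, so a later mistaken grant to a
# group containing this account still cannot write or execute here.
$acl.AddAccessRule((New-Rule $reader 'Read' 'Allow'))
$acl.AddAccessRule((New-Rule $reader 'Write, ExecuteFile' 'Deny'))

Set-Acl -Path $docDir -AclObject $acl

# Check the result: every entry should be explicit (IsInherited = False).
(Get-Acl -Path $docDir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The matching IIS setting is to leave both Write and script/executable permissions off for the virtual directory that maps to this folder, so the NTFS ACL and the web server configuration agree.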