security_asp thread: FSO Security/Permissions


Message #1 by composer@e... on Wed, 13 Feb 2002 08:59:56 -0600
How about calling the FSO from within an MTS component?  I believe
MTS allows you to set security down to a specific interface.  By 
handling all of your File System and/or database calls through MTS,
you can set strict limits on the anonymous user context under which
your IIS and ASP engines run...


******************************
Jack Speranza
Web Application Developer
Gryphon Networks
Automating Privacy Compliance for Business
xxx.xxx.xxxx  x129
jsperanza@g...
www.gryphonnetworks.com

 

-----Original Message-----
From: composer@e... [mailto:composer@e...]
Sent: Wednesday, February 13, 2002 10:00 AM
To: Security_asp
Subject: [security_asp] FSO Security/Permissions


Hello,

Recently a test server was the victim of some "script kiddies" who used
it for their mp3 warehouse, etc. It's not a big deal because it's simply
used for testing so permissions were a bit more opened up. I just
tightened up the permissions.

My question is this.

I have web applications where I allow the user to select specific criteria
and based on selections, I use FSO to create a text file with data from the
database in it. The user can download the text file for personal use. The
folder then needs write access which opens it up for the "script kiddies".
If I place this directory with looser permissions below some directories
that have no access, will that stop these punks from being able to find a
"write access" directory?

If the server was behind a firewall, the utilities would likely be cut off
to allow to find the directories. But on servers that are not, what can I
do?

Any ideas or comments? How do you handle items like this where FSO (the
web user account) needs write access without compromising the application?

(Note: I am not much of a hardware/network guy hence I don't understand the
firewall stuff too well)

Thanks

Zach L. Mattson
Internet Solution Provider



