Disable drive list using ASP Code

Hi,

I have a web server running IIS 6.0 and need to prevent a user from listing
my drives and navigating in folders using ASP code.

The example is at http://paludo.no-ip.org:9090/teste/drive.asp

I know that it can be done by disabling FileSystemObject by running the
following: regsvr32 scrrun.dll /u.

But I can't do this; some sites use this component.

I know that it can be done without disabling FileSystemObject, but I don't
know how.

Can anyone help me, please?

Thanks,

Lisandro
LisandroWeissheimer [ Fri, 29 June 2007 16:42 ] [ ID #1754532 ]

Re: Disable drive list using ASP Code

On Jun 29, 7:42 am, Lisandro Weissheimer
<LisandroWeisshei... [at] discussions.microsoft.com> wrote:
> Hi,
>
> I have a web server running IIS 6.0 and need to prevent a user from listing
> my drives and navigating in folders using ASP code.
>
> The example is at http://paludo.no-ip.org:9090/teste/drive.asp
>
> I know that it can be done by disabling FileSystemObject by running the
> following: regsvr32 scrrun.dll /u.
>
> But I can't do this; some sites use this component.
>
> I know that it can be done without disabling FileSystemObject, but I don't
> know how.
>
> Can anyone help me, please?
>
> Thanks,
>
> Lisandro



For the web pages where you want to restrict FileSystem access, change
their authenticated user account to a deny-user-account that you
create/maintain, and then ACL the FileSystem denying that deny-user-
account read/list access and allowing read access to places that you
want.

Using unmanaged components like Scripting.FileSystemObject (which is
basically raw native code running on your webserver) and then allowing
users to upload and run code of their design using the unmanaged
components, your ONLY security defense is NTFS ACLs. Partition your
applications into those that run as limited and non-limited user
accounts and ACL the NTFS FileSystem accordingly.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
David Wang [ Sun, 01 July 2007 03:50 ] [ ID #1756422 ]
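
The setup described in the reply above, sketched as an added example that is not part of the original thread or written by its posters. The account name, site ID, paths and the use of `icacls` (included with Windows Server 2003 SP2 and later) are assumptions; `adsutil.vbs` is the IIS 6 admin script in `Inetpub\AdminScripts`.

```bat
@echo off
rem Added example. ACCT, SITEID, SITEROOT and DATADRIVE are assumed values;
rem replace them with the ones that match your server.
setlocal
set ACCT=web_restricted
set SITEID=2
set SITEROOT=D:\Sites\customer1
set DATADRIVE=D:\
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem 1. Create the restricted local account ("*" makes net.exe prompt for the password).
net user %ACCT% * /add /passwordchg:no
if errorlevel 1 goto fail

rem 2. Make it the anonymous identity of this one site only (IIS 6 metabase).
set /p PASS=Re-enter the same password for the metabase: 
%ADSUTIL% set W3SVC/%SITEID%/ROOT/AnonymousUserName "%ACCT%"
if errorlevel 1 goto fail
%ADSUTIL% set W3SVC/%SITEID%/ROOT/AnonymousUserPass "%PASS%"
if errorlevel 1 goto fail

rem 3. Deny read/list on the data drive; (OI)(CI) makes the deny inherit to
rem    every file and folder below it. Repeat for each additional drive.
icacls %DATADRIVE% /deny %ACCT%:(OI)(CI)(RX)
if errorlevel 1 goto fail

rem 4. Allow read on the site's own content. An explicit ACE, and an ACE inherited
rem    from a nearer parent, is evaluated before one inherited from the drive
rem    root, so this allow takes effect despite step 3.
icacls %SITEROOT% /grant %ACCT%:(OI)(CI)(RX)
if errorlevel 1 goto fail

rem 5. Print both ACLs so the result can be reviewed.
icacls %DATADRIVE%
icacls %SITEROOT%
endlocal
exit /b 0

:fail
echo A step failed; review the output above before retrying.
endlocal
exit /b 1
```

The script leaves the system drive untouched; test any deny entry there on a non-production server first, since the thread does not say which system folders the sites' components need to read.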

Re: Disable drive list using ASP Code

Thanks David!

I'll apply the ACL.

"David Wang" wrote:

> On Jun 29, 7:42 am, Lisandro Weissheimer
> <LisandroWeisshei... [at] discussions.microsoft.com> wrote:
> > Hi,
> >
> > I have a web server running IIS 6.0 and need to prevent a user from listing
> > my drives and navigating in folders using ASP code.
> >
> > The example is at http://paludo.no-ip.org:9090/teste/drive.asp
> >
> > I know that it can be done by disabling FileSystemObject by running the
> > following: regsvr32 scrrun.dll /u.
> >
> > But I can't do this; some sites use this component.
> >
> > I know that it can be done without disabling FileSystemObject, but I don't
> > know how.
> >
> > Can anyone help me, please?
> >
> > Thanks,
> >
> > Lisandro
>
>
>
> For the web pages where you want to restrict FileSystem access, change
> their authenticated user account to a deny-user-account that you
> create/maintain, and then ACL the FileSystem denying that deny-user-
> account read/list access and allowing read access to places that you
> want.
>
> Using unmanaged components like Scripting.FileSystemObject (which is
> basically raw native code running on your webserver) and then allowing
> users to upload and run code of their design using the unmanaged
> components, your ONLY security defense is NTFS ACLs. Partition your
> applications into those that run as limited and non-limited user
> accounts and ACL the NTFS FileSystem accordingly.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
LisandroWeissheimer [ Mon, 02 July 2007 13:46 ] [ ID #1757581 ]