Jeremy Wadsack wrote:

>Aengus Lawlor wrote:
>
>> I will sometimes set the logging directory into the Virtual Root, so that 
>> http://virtualserverA.domain.com/W3SVCx/ points at the logs. I then copy 
>> anlgform.html there, as anlgform.asp, and add the following code:
>
>I just want to point out that putting the logfiles in the webspace _may_ be a 
>potential security hole. Unless the logs are password protected, it provides  
>any anonymous web user with access to the data in your logs. In addition to the 
>general access information, which you may or may not want public, if you are 
>logging cookie data and allow access to secured parts of your site through 
>cookies, this opens that hole a lot wider than it was.

Yes, I should have pointed that out - I'm doing this on an Intranet, where the 
logs aren't quite as sensitive, but even still, in most cases I define the 
folder as a separate FrontPage Web, and restrict access to the website owners. 
On some sites, though, I've just disabled the "read" property for the folder, 
which prevents the logs being downloaded, but doesn't prevent the asp script 
from running.

>We usually set up servers (NT or Unix) for virtual hosts with separate 'web' and 
>'logs' directories for each virtual host client. e.g. (in NT/IIS style)
>
>   inetpub\wwwroot\vhostA\logs (where the logs are stored from IIS MMC) 
>   inetpub\wwwroot\vhostA\web (which is pointed to by www.vhosta.com)

I strongly discourage creating Virtual Hosts in the wwwroot directory - 
it's the default root for the Default server, so that 
http://12.34.56.78/vhostA/logs/ will give full access to the logs by 
default, and http://12.34.56.78/vhostA/web/ may bypass any ISAPI filters 
or other IIS configuration restrictions placed on the virtual host, 
unless you've taken steps to modify the behaviour of the Default Web 
site. Virtual hosts should be rooted in the Inetpub directory 
(inetpub\vhostA\) rather than the wwwroot directory.

Aengus
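The two points in the reply above (log directories that sit under some site's document root are served to whoever can reach that site, and a virtual host rooted under the Default Web Site's wwwroot is also reachable by IP through the default site, bypassing the vhost's own filters) can be checked mechanically. The script below is an added illustration, not code from the thread or from IIS: the drive letter, the host names and the second vhost "vhostB" are invented, and the site-to-root mapping is a constructed stand-in for what you would read out of the IIS metabase. It folds NTFS paths case-insensitively and resolves ".." before comparing, since IIS would serve "WWWRoot\vhosta\LOGS" just as readily.

```python
from pathlib import PureWindowsPath

# Constructed IIS-style layout (assumption: drive letter, host names and the
# site "vhostB" are invented for this example, not taken from the thread).
SITES = {
    "Default Web Site": {"host": "12.34.56.78", "root": r"C:\Inetpub\wwwroot"},
    "vhostA": {"host": "www.vhosta.com", "root": r"C:\Inetpub\wwwroot\vhostA\web"},
    "vhostB": {"host": "www.vhostb.com", "root": r"C:\Inetpub\vhostB\web"},
}

# Where each vhost's IIS log directory was pointed in the MMC (constructed).
LOG_DIRS = {
    "vhostA": r"C:\Inetpub\wwwroot\vhostA\logs",   # inside wwwroot: exposed
    "vhostB": r"C:\Inetpub\vhostB\logs",           # beside wwwroot: not served
}


def normalize(path):
    """Case-folded path components with '.' and '..' resolved.

    NTFS is case-insensitive and IIS serves whatever case the client sends,
    so containment must be decided on folded, canonical components.
    """
    out = []
    for part in PureWindowsPath(path).parts:
        part = part.lower()
        if part == ".":
            continue
        if part == "..":
            if len(out) > 1:      # never pop the drive anchor itself
                out.pop()
            continue
        out.append(part)
    return tuple(out)


def url_under_site(site, path):
    """URL at which `path` is served through `site`, or None if it lies
    outside that site's document root."""
    root = normalize(site["root"])
    target = normalize(path)
    if target[:len(root)] != root:
        return None
    rel = "/".join(target[len(root):])
    return "http://%s/%s" % (site["host"], rel + "/" if rel else "")


def exposed_log_dirs(sites, log_dirs):
    """For each vhost, list every (site, URL) pair that would serve its logs."""
    findings = {}
    for vhost, log_dir in log_dirs.items():
        hits = [(name, url_under_site(site, log_dir)) for name, site in sites.items()]
        findings[vhost] = [(name, url) for name, url in hits if url]
    return findings


def shadowed_roots(sites):
    """Site roots that also lie inside another site's root: requests for the
    inner content through the outer site skip the inner site's ISAPI filters
    and other per-site restrictions."""
    result = {}
    for inner_name, inner in sites.items():
        for outer_name, outer in sites.items():
            if inner_name == outer_name:
                continue
            url = url_under_site(outer, inner["root"])
            if url:
                result.setdefault(inner_name, []).append((outer_name, url))
    return result


if __name__ == "__main__":
    for vhost, hits in exposed_log_dirs(SITES, LOG_DIRS).items():
        for site, url in hits:
            print("logs of %s readable via %s at %s" % (vhost, site, url))
    for inner, hits in shadowed_roots(SITES).items():
        for outer, url in hits:
            print("root of %s also reachable via %s at %s" % (inner, outer, url))
```

In the constructed layout the report flags vhostA twice (its logs and its web root are both reachable by IP through the Default Web Site) and vhostB not at all, which is the difference between rooting the vhost under inetpub\vhostB\ and under wwwroot that the reply describes. Moving the log directory out of every site root, or denying the anonymous account NTFS read on it, clears the first finding; only relocating the vhost clears the second.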
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------