Jim McAtee wrote:
> A question was posed on another mailing list that I'm on regarding
> securing web directories from users on a shared IIS hosting machine.
>
> In CF Enterprise you can use sandbox security to keep CF scripts and
> CFFILE and CFDIRECTORY confined to a user's own directory. Are there
> any similar mechanisms in a shared ASP hosting environment to limit ASP
> scripts from doing directory listings or reading another site's source
> code?

Yes and No. You can have 2 types of Sandboxes, OS level and CF level
Sandboxes. With OS level Sandboxes the CF Server upon receiving a
request from the webserver finds the appropriate Sandbox username and
logs on to the OS as that OS user. Then, while impersonating that OS
user, it tries to execute the request. Naturally in a good setup of ACLs
this means security like the user actually logs in to the server and
tries the request by hand.

ASP works exactly the same as this model.

Additionally in CF you have the model where all the ACLs are checked
inside CF but not against the OS. In theory this can give a more refined
security level, because CF in-memory constructs (cached queries,
application level variables etc.) don't have an OS user associated with
them, and therefore you can't protect them with OS Sandboxes. In
practice I have never seen a server that has got everything completely
locked down, since it is simply too much work.

I am not familiar enough with ASP to be able to tell you how the
in-memory constructs security is handled, but the rest works the same as OS
Sandboxes in CF.

Actual account information is read from the IIS directory security settings.

Jochem
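
The OS-level model in the reply above only isolates sites if the ACLs on each site's directory exclude every other site's account. The following PowerShell audit is an added example, not part of the original message; the folder layout (`D:\Sites\<site>`) and the per-site account naming (`IUSR_<site>`) are assumptions made for illustration.

```powershell
# Added example. Assumed (hypothetical) layout: one folder per site under
# $SitesRoot, each site served under its own local account "IUSR_<folder>".
param(
    [string]$SitesRoot     = 'D:\Sites',   # assumption
    [string]$AccountPrefix = 'IUSR_'       # assumption
)

# Identities expected to have access to every site root.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Bits that allow listing a directory or reading file contents:
# ReadData/ListDirectory (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
# Generic bits can show up on inherit-only ACEs returned by Get-Acl.
$readMask = 0x1 -bor 0x10000000 -bor 0x80000000

$findings = foreach ($site in Get-ChildItem -LiteralPath $SitesRoot -Directory) {
    # The one account that should be able to read this site's files.
    $own = "$env:COMPUTERNAME\$AccountPrefix$($site.Name)"
    $acl = Get-Acl -LiteralPath $site.FullName

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }

        $who = $ace.IdentityReference.Value
        if ($who -eq $own -or $trusted -contains $who) { continue }

        # Any other identity that can read here (another site's account,
        # Everyone, BUILTIN\Users, ...) defeats the per-site isolation.
        [pscustomobject]@{
            Site      = $site.Name
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Site, Identity | Format-Table -AutoSize
```

An empty result means no unexpected identity holds read access on any site root; inherited entries in the output point to a permissive ACL on `$SitesRoot` itself or a parent folder.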