Hi Steve,

DO NOT enable the "Write" property in IIS. See the screen-shot at the
following link:

http://xmlx.ca/images/12/o_iis-write-permission.gif

If your Webserver is set up for Anonymous access (general public Internet
use), then anybody can use the HTTP PUT command and upload or change files
on your Server. It's not difficult to write an ASP file that erases your
hard drive.

This setting is for general "user" access to a website and its files, and
has nothing to do with "write" permissions for an application file - use
Windows Security for that.

Granted, you might be safe if the Windows Security behind the Webserver has
more restrictive rights to the directories that IIS is pointing at here. But
if you're not sure about what Windows Security you specifically have on the
directory - then turn this setting off.

There are times when this setting can be used, such as when the Webserver is
closed to the Internet for use on a secure Intranet, or with WebDAV. But
research how it works first.

Hope this helps. Cheers...

Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
--
Information for the Witango Developer Community
---------------------

XML-Extranet - http://xmlx.ca
403-281-6090 - [EMAIL PROTECTED]
--
Well-formed Development (for hire)
---------------------
 

> -----Original Message-----
> From: Campbell Steve [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 13, 2004 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: IIS and Security issue
> 
> Scott
> 
> I just ran across this and noticed your statement at the 
> beginning of your reply.  
> 
> What I have always done is to create one virtual folder that 
> sits outside the directory and then allow that to have 
> read/write permissions.
> 
> Is that not a good idea?
> 
> Thanks
> Steve
> 
> 
> 
> 
> > From: "Scott Cadillac" <[EMAIL PROTECTED]>
> > Organization: XML-Extranet
> > Reply-To: [EMAIL PROTECTED]
> > Date: Fri, 2 Jan 2004 14:13:08 -0700
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: Witango-Talk: IIS and Security issue
> > 
> > Hi Dan,
> > 
> > I think enabling Write permissions, despite Script only, will still
> > allow hackers to alter your existing files and to deposit viruses for
> > people to download.
> > 
> > Not good.
> > 
> > What are you trying to do exactly?
> > 
> > If you're just building an upload application in Witango, you shouldn't
> > have to change any of your IIS settings to allow this - just build in
> > the Security to "allow" uploading as part of your TAF code.
> > 
> > If you are trying to find another method for uploading your Witango
> > files to a site, where FTP or other file transfer options are not
> > available - then maybe build a special Upload TAF to do this for you,
> > with appropriate Security features of course.
> > 
> > Let us know what you are trying to do exactly. Cheers.....
> > 
> > Scott Cadillac,
> > Witango.org - http://witango.org
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Information for the Witango Developer Community
> > ---------------------
> > 
> > XML-Extranet - http://xmlx.ca
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Well-formed Development (for hire)
> > ---------------------
> > 
> > 
> >> -----Original Message-----
> >> From: Dan Stein [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, January 02, 2004 2:01 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: Witango-Talk: IIS and Security issue
> >> 
> >> OK I think I have it after looking on Microsoft site. As long as I
> >> have execute permissions set to scripts only it seems to not warn me
> >> if I allow write permissions.
> >> 
> >> Is this pretty safe then or should I do something within directory 
> >> security?
> >> 
> >>  on 1/2/04 15:29, Dan Stein at [EMAIL PROTECTED] wrote:
> >> 
> >>> I want to set up my IIS so I can write to the directory that contains
> >>> my taf files for uploading new tafs etc. But I would like to not
> >>> compromise security by letting just anyone write.
> >>>
> >>> I have a special login for the taf file that does the uploads. How can
> >>> I best accomplish this.
> >>> 
> >>> Dan
> >> 
> >> --
> >> Dan Stein
> >> Digital Software Solutions
> >> 799 Evergreen Circle
> >> Telford PA 18969
> >> Land: 215-799-0192
> >> Mobile: 610-256-2843
> >> Fax 413-410-9682
> >> FMP, WiTango, EDI,SQL 2000
> >> [EMAIL PROTECTED]
> >> www.dss-db.com
> >> 
> >> 
> >>     "When you are born, you cry and those who love you rejoice.  And
> >> if you live your life as you should, when you die, you rejoice and
> >> those who love you cry."
> >> 
> >> ________________________________________________________________________
> >> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
> >> 
> 
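
A way to check whether the anonymous write access discussed in this thread has already been used, as an added example that is not part of the original e-mails: the script scans an IIS log in W3C extended format for PUT and other write methods that succeeded without an authenticated user. The log lines are constructed sample data and the function name is illustrative.

```python
"""Flag successful anonymous write-method requests in an IIS W3C extended log."""

# HTTP/WebDAV methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-01-13 14:02:11 192.0.2.10 - GET /index.taf 200
2004-01-13 14:02:40 192.0.2.55 - PUT /uploads/test.txt 201
2004-01-13 14:03:02 192.0.2.55 - PUT /default.asp 403
2004-01-13 14:05:19 198.51.100.7 INTRANET\\steve PUT /uploads/report.taf 201
2004-01-13 14:06:45 192.0.2.55 - DELETE /uploads/test.txt 204
"""


def anonymous_writes(log_text):
    """Return one dict per 2xx write request that carried no authenticated user."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout is declared in the log itself and may change mid-file.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        status = rec.get("sc-status", "")
        if (rec.get("cs-method", "").upper() in WRITE_METHODS
                and rec.get("cs-username") == "-"   # "-" means no authenticated user
                and status.startswith("2")):        # the server accepted the write
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in anonymous_writes(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"],
              h["cs-uri-stem"], h["sc-status"])
```

Any hit means the Write property and the Windows Security on that directory both allowed an unauthenticated change; the 403 line shows the same request being refused.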
