Okay..thanks Scott..I appreciate the reply and the info!
Steve > From: "Scott Cadillac" <[EMAIL PROTECTED]> > Organization: XML-Extranet > Reply-To: [EMAIL PROTECTED] > Date: Tue, 13 Jan 2004 09:16:28 -0700 > To: <[EMAIL PROTECTED]> > Subject: RE: Witango-Talk: IIS and Security issue > > Hi Steve, > > DO NOT enable the "Write" property in IIS. See the screen-shot at the > following link: > > http://xmlx.ca/images/12/o_iis-write-permission.gif > > If your Webserver is setup for Anonymous access (general public Internet > use), than anybody can use the HTTP PUT command and upload or change files > on your Server. It's not difficult to write an ASP file that erases your > harddrive. > > This setting is for general "user" access to a website and it's files, and > has nothing to do with "write" permissions for an application file - use > Windows Security for that. > > Granted, you might be safe if the Windows Security behind the Webserver has > more restrictive rights to the directories that IIS is pointing at here. But > if you're not sure about what Windows Security you specifically have on the > directory - then turn this setting off. > > There are times when this setting can be used, such as when the Webserver is > closed to the Internet for use on a secure Intranet, or with WebDav. But > research how it works first. > > Hope this helps. Cheers... > > Scott Cadillac, > Witango.org - http://witango.org > 403-281-6090 - [EMAIL PROTECTED] > -- > Information for the Witango Developer Community > --------------------- > > XML-Extranet - http://xmlx.ca > 403-281-6090 - [EMAIL PROTECTED] > -- > Well-formed Development (for hire) > --------------------- > > >> -----Original Message----- >> From: Campbell Steve [mailto:[EMAIL PROTECTED] >> Sent: Tuesday, January 13, 2004 7:29 AM >> To: [EMAIL PROTECTED] >> Subject: Re: Witango-Talk: IIS and Security issue >> >> Scott >> >> I just ran across this and noticed your statement at the >> beginning of your reply. >> >> What I have always done is to create one virtual folder that >> sits outside the directory and then allow that to have >> read/write permissions. >> >> Is that not a good idea? >> >> Thanks >> Steve >> >> >> >> >>> From: "Scott Cadillac" <[EMAIL PROTECTED]> >>> Organization: XML-Extranet >>> Reply-To: [EMAIL PROTECTED] >>> Date: Fri, 2 Jan 2004 14:13:08 -0700 >>> To: <[EMAIL PROTECTED]> >>> Subject: RE: Witango-Talk: IIS and Security issue >>> >>> Hi Dan, >>> >>> I think enabling Write permissions, despite Script only, will still >>> allow hackers to alter your existing files and to deposit >> viruses for >>> people to download. >>> >>> Not good. >>> >>> What are you trying to do exactly? >>> >>> If your just building an upload application in Witango, you >> shouldn't >>> have to change any of your IIS settings to allow this - >> just build in >>> the Security to "allow" uploading as part of your TAF code. >>> >>> If you are trying to find another method for uploading your Witango >>> files to a site, where FTP or other file transfer options are not >>> available - then maybe build a special Upload TAF to do >> this for you, >>> with appropriate Security features of course. >>> >>> Let us know what you are trying to do exactly. Cheers..... >>> >>> Scott Cadillac, >>> Witango.org - http://witango.org >>> 403-281-6090 - [EMAIL PROTECTED] >>> -- >>> Information for the Witango Developer Community >>> --------------------- >>> >>> XML-Extranet - http://xmlx.ca >>> 403-281-6090 - [EMAIL PROTECTED] >>> -- >>> Well-formed Development (for hire) >>> --------------------- >>> >>> >>>> -----Original Message----- >>>> From: Dan Stein [mailto:[EMAIL PROTECTED] >>>> Sent: Friday, January 02, 2004 2:01 PM >>>> To: [EMAIL PROTECTED] >>>> Subject: Re: Witango-Talk: IIS and Security issue >>>> >>>> OK I think I have it after looking on Microsoft site. As long as I >>>> have execute permissions set to scripts only it seems to >> not warn me >>>> if I allow write permissions. >>>> >>>> Is this pretty safe then or should I do something within directory >>>> security? >>>> >>>> on 1/2/04 15:29, Dan Stein at [EMAIL PROTECTED] wrote: >>>> >>>>> I want to set up my IIS so I can write to the directory >>>> that contains >>>>> my taf files for uploading new tafs etc. But I would like to not >>>>> compromise security by letting just anyone write. >>>>> >>>>> I have a special login for the taf file that does the >>>> uploads. How can >>>>> I best accomplish this. >>>>> >>>>> Dan >>>> >>>> -- >>>> Dan Stein >>>> Digital Software Solutions >>>> 799 Evergreen Circle >>>> Telford PA 18969 >>>> Land: 215-799-0192 >>>> Mobile: 610-256-2843 >>>> Fax 413-410-9682 >>>> FMP, WiTango, EDI,SQL 2000 >>>> [EMAIL PROTECTED] >>>> www.dss-db.com >>>> >>>> >>>> "When you are born, you cry and those who love you >> rejoice. And >>>> if you live your life as you should, when you die, you rejoice and >>>> those who love you cry." >>>> >>>> ______________________________________________________________ >>>> __________ >>>> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf >>>> >>> >>> >> ______________________________________________________________________ >>> __ TO UNSUBSCRIBE: Go to >> http://www.witango.com/developer/maillist.taf >> >> ______________________________________________________________ >> __________ >> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf >> > > ________________________________________________________________________ > TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf ________________________________________________________________________ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
