simplyamazing

how do you disable FileSystemObject via folders and WScript.Shell completely?

Hi All,
I need to be able to disable the FileSystemObject in IIS, but only for certain websites running on IIS 6 W2K3 Server.  Is this possible? If so, how?
I have the sites in a folder called "d:\websites" as in: "d:\websites\site1" , "d:\websites\site2", and so forth

I can't disable "scripts" in IIS because these are Active Server Pages and obviously can't run with scripts disabled.

I saw some other answers on this topic concerning a separate user account, but I need more details on actually how to go about this (e.g. which ones have to be turned off in order for this to be disabled on a folder by folder basis?).

Also, I would like to completely disable "WScript.Shell".  If this is disabled completely, are there dependent processes that could be affected?

Thanks!
alimu

To disable on entire server you need to unregister a couple of dlls.
See AndresM's suggestion here: http:Q_20563953.html for disabling FSO.
See http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q278/3/19.asp&NoWebContent=1 for disabling wscript.shell on in-process sites.

To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them.
simplyamazing

ASKER

"To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them."

Since IIS uses only one account (IUSR_machinename), do you mean that I add another IUSR account?  Since every website uses the same account, I don't see how this can be done.

IWAM actually, IUSR is your anonymous user.
I'm trying to find a way for you that doesn't involve editing the metabase (suggestions from other ppl are most welcome). Will get back to you.
If you take a look at this one you need to have a different IUSR account for each site: http://www.webservertalk.com/message339797.html
There was also a little more info at the first link I posted (see accepted answer:  http:Q_20563953.html)

Basically you would do the following:
- Create multiple unique IUSR accounts (e.g. IUSR1, IUSR2, IUSR3).
- Assign rights to each account on the DLL ACLs as you require (i.e. access, no access, etc.).
- Go to the IIS management MMC snap-in:
  --> right-click your website / directory / virtual directory,
  --> Properties --> Security --> change "Account used for anonymous access" to one of the unique users.

This should restrict access to the anonymous accounts as per the dll's ACL list.
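The steps above as a command-line sketch for one site (an added example, not part of the original thread). It assumes the stock IIS 6 `adsutil.vbs` location, that FileSystemObject is served by `scrrun.dll` and WScript.Shell by `wshom.ocx` in `system32`, and uses placeholder values for the site ID and the account name.

```batch
@echo off
rem Added example: give one IIS 6 site its own anonymous account and deny that
rem account access to the FSO and WScript.Shell DLLs.
rem SITE_ID, SITE_USER and SITE_DIR are placeholders; replace with your own values.
setlocal
set SITE_ID=REPLACE_WITH_SITE_ID
set SITE_USER=IUSR_site1
set SITE_DIR=d:\websites\site1
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem 1. Create the per-site anonymous account (password is prompted, not stored here).
set /p SITE_PASS=Password for %SITE_USER%: 
net user %SITE_USER% "%SITE_PASS%" /add /passwordchg:no || goto fail

rem 2. Let the new account read this site's content folder only.
cacls "%SITE_DIR%" /T /E /G %SITE_USER%:R || goto fail

rem 3. Add a deny entry for the account on both DLLs (/E edits the existing ACL).
cacls "%windir%\system32\scrrun.dll" /E /D %SITE_USER% || goto fail
cacls "%windir%\system32\wshom.ocx" /E /D %SITE_USER% || goto fail

rem 4. Point the site's anonymous access at the new account
rem    (same setting as the "Account used for anonymous access" field in the MMC).
cscript //nologo "%ADSUTIL%" set w3svc/%SITE_ID%/AnonymousUserName "%SITE_USER%" || goto fail
cscript //nologo "%ADSUTIL%" set w3svc/%SITE_ID%/AnonymousUserPass "%SITE_PASS%" || goto fail

rem 5. Show the resulting ACLs so the deny entries can be confirmed.
cacls "%windir%\system32\scrrun.dll"
cacls "%windir%\system32\wshom.ocx"
echo Done: %SITE_USER% configured for site %SITE_ID%.
goto end

:fail
echo A step failed; review the output above before retrying.

:end
endlocal
```

Afterwards, request a test .asp page in each site that calls `Server.CreateObject("Scripting.FileSystemObject")` and confirm it fails on the restricted site and still works on the others.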

ASKER CERTIFIED SOLUTION
meverest
This solution is only available to members.
thanks for detail meverest - appreciated.
ouch! a point split would've been nice.
how do you do a point split?  as soon as I accept an answer, I only get an option for a grade (I've never seen anywhere to put points, much less split them).  they should make this system a little more intuitive
See: https://www.experts-exchange.com/help.jsp#hi67
I think they're continually working on intuitive, it's a bit of an evolving process :)
Don't worry about the split this time, just have a read and you'll know to do it next time round.