Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1735
  • Last Modified:

how do you disable FileSystemObject via folders and WScript.Shell completely?

Hi All,
I need to be able to disable the FileSystemObject in IIS, but only for certain websites running on IIS 6 W2K3 Server.  Is this possible? If so, how?
I have the sites in a folder called "d:\websites" as in: "d:\websites\site1" , "d:\websites\site2", and so forth

I can't disable "scripts" in IIS because these are Active Server Pages and obviously can't run with scripts disabled.

I saw some other answers on this topic concerning a separate user account, but I need more details on actually how to go about this (e.g. which ones have to be turned off in order for this to be disbled on a folder by folder basis?).

Also, I would like to completely disable "WScript.Shell".  If this is disabled completely, are there dependent processes that could be affected?

  • 6
  • 2
1 Solution
To disable on entire server you need to unregister a couple of dlls.
See AndresM's suggestion here: http:Q_20563953.html for disabling FSO.
See http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q278/3/19.asp&NoWebContent=1 for disabling wscript.shell on in-process sites.

To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them.
simplyamazingAuthor Commented:
"To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them."

Since IIS uses only one account (IUSR_machinename), do you mean that I add another IUSR account?  Since every website uses the same account, I don't see how this can be done.

IWAM actually, IUSR is your anonymous user.
I'm trying to find a way for you that doesn't involve editing the metabase (suggestions from other ppl are most welcome). Will get back to you.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

If you take a look at this one you need to have a different IUSR account for each site: http://www.webservertalk.com/message339797.html
There was also a little more info at the first link I posted (see accepted answer:  http:Q_20563953.html)

Basically you would do the following:
-create multiple unique IUSR accounts (eg IUSR1, IUSR2, IUSR3)
-Assign rights to each account on the dll ACL lists as you require (i.e. access, no access, etc)
-go to iis management mmc snap-in
--> right click your website / directory / virtual directory,
-->properties-->security--> change "Account used for anonymous access" to one of the unique users.

This should restrict access to the anonymous accounts as per the dll's ACL list.


yes, alimu's last comment is the way to do it.  you can set a different interactive anonymous user for every web site (or even every sudirectory) to suit.

if you do that, then you may not need to disable the filesystem components at all.

what i do is this:

1. create a new user, give it log on locally rights.
2.  creat a web directory (eg c:\inetpub\userx) and grant read/write/execute rights to the new user and  administrator group only (ie remove ebveryone and iusr etc) - leave system access if you want.
3.  create a new web site, point the web root to the users web directory/
4.  edit the anonymous user, set it to the new user, and enter the password.
5.  alternative step, is you can create an ftp virtual folder from the ftp root called (eg) 'userx' that points to their web root for remote file upload.

now when anyone connects to that web site, IIS will run under the profile of that new user.  so even if that user writes asp code to (for example) create a file somewhere else (assuming you have allowed 'parent paths' to the application profile), if you have not given explicit write access to that user for the location they are trying to do it, the attempt will fail anyhow.

if you want to disable just write access, then just take away write permission to those locations from that user, and iis won;t be able to write there either (because iis will run masqueraded as the user you have set as the 'anonymous user')

thanks for detail meverest - appreciated.
ouch! a point split would've been nice.
simplyamazingAuthor Commented:
how do you do a point split?  as soon as I accept an answer, I only get an option for a grade (I've never seen anywhere to put points, much less split them).  they should make this system a little more intuitive
See: http://www.experts-exchange.com/help.jsp#hi67
I think they're continually working on intuitive, it's a bit of an evolving process :)
Don't worry about the split this time, just have a read and you'll know to do it next time round.

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now