Solved

Giving IIS_IUSR write access to Images folder on my website - is that a good idea?

Posted on 2011-03-11
Last Modified: 2012-05-11
Hi,
I need to have an upload control on my website so admin users can upload images to the site. This is done from an SSL-secured admin interface. To make it work I need to give IIS_IUSR write access rights to the Images folder. Is that a good idea? I can't oversee the security implications.
Is there another way to accomplish this? Preferably without messing with the web.config (impersonate settings).

Any thoughts appreciated. Thanks.
Jens
Question by:MYTAIR
7 Comments
LVL 5

Expert Comment

by:tiago_aviz
ID: 35107877
If the IIS_IUSR has only write access there on the images folder, the worst that could happen is somebody pasting a malicious .aspx or .asp file and executing it. Some good security measures:

1- control the file extensions that can be uploaded, so the malicious user can't upload .asp or .aspx files, for example.

2- make absolutely sure no one can get to the restricted upload area without authentication

3- Make absolutely sure your server is not prone to Remote File Include and directory traversal attacks

4- On your secure SSL login interface, make sure that after, say, three wrong password attempts, the page will be unavailable for the attacker.

These should make your server uninteresting for attacks :)
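As an added illustration of items 1 to 3 above (example code written for this page, not from the thread or from any of its participants): an ASP.NET Web Forms upload handler that authenticates the caller, allowlists image extensions, checks magic bytes, and generates the stored filename server-side so the client-supplied name can never steer the write outside the Images folder. The control name `imageUpload`, the label `StatusLabel`, the `Admin` role and the `~/Images` path are assumptions.

```csharp
// Added example (not from the thread): hardened admin image upload; names below are assumptions.
using System;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class AdminUpload : Page
{
    // Item 1: extension allowlist. Nothing else is written to the IIS_IUSR-writable
    // folder, so .asp/.aspx/.ashx/.config uploads are refused outright.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };
    private const int MaxBytes = 2 * 1024 * 1024;

    protected void UploadButton_Click(object sender, EventArgs e)
    {
        // Item 2: forms auth should already guard the admin pages; re-check here so the
        // handler cannot be driven anonymously if a <location> rule is ever loosened.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
        {
            Response.StatusCode = 403; Response.End(); return;
        }
        StatusLabel.Text = TrySave(imageUpload.PostedFile, Server.MapPath("~/Images"));
    }

    // Returns a status message; writes the file only when every check passes.
    private static string TrySave(HttpPostedFile file, string imagesDir)
    {
        if (file == null || file.ContentLength == 0 || file.ContentLength > MaxBytes)
            return "Rejected: empty or too large.";
        // Item 3 (traversal): the client-supplied name is untrusted. Only its extension is
        // used and the stored name is generated server-side, so "..\" in it is irrelevant.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0 || !LooksLikeImage(file.InputStream))
            return "Rejected: not an allowed image type.";
        string fullPath = Path.GetFullPath(Path.Combine(imagesDir, Guid.NewGuid().ToString("N") + ext));
        // Defence in depth: confirm the resolved path still lies inside Images before writing.
        if (!fullPath.StartsWith(imagesDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return "Rejected: path outside Images.";
        file.SaveAs(fullPath);
        return "Uploaded as " + Path.GetFileName(fullPath);
    }

    // Magic-byte check so a script renamed to .jpg is still refused (JPEG, PNG, GIF only).
    private static bool LooksLikeImage(Stream s)
    {
        byte[] h = new byte[4];
        s.Position = 0; int n = s.Read(h, 0, 4); s.Position = 0;
        return n == 4 && ((h[0] == 0xFF && h[1] == 0xD8)                         // JPEG
            || (h[0] == 0x89 && h[1] == 0x50 && h[2] == 0x4E && h[3] == 0x47)    // PNG
            || (h[0] == 0x47 && h[1] == 0x49 && h[2] == 0x46));                   // GIF
    }
}
```

Pairing this with an IIS setting that removes script execution from the Images folder (in IIS Manager: Handler Mappings, Edit Feature Permissions, uncheck Script for that folder) closes the residual risk the comment above describes, since even a file that slips past the checks is then served as static content rather than run.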
LVL 4

Expert Comment

by:bitla
ID: 35108244
I suggest you install or run a PHP uploader script and give access to the particular web link for that user only.

Just google it.
You will find uploader scripts that restrict the file types being uploaded, i.e. they will only allow jpg, png, jpeg etc.

I am leaving for now; if you can find it, that's good enough, or I will post the link after an hour from now.

Author Comment

by:MYTAIR
ID: 35108286
Hi Tiago,
Thanks for your reply. 1, 2 and 4 are already in place.
I don't know how to implement your third suggestion. How do I make my server not prone to directory traversal attacks and remote file include? Directory browsing is not allowed on the IIS.

Cheers
Jens
LVL 4

Expert Comment

by:bitla
ID: 35109039
LVL 5

Accepted Solution

by:tiago_aviz earned 250 total points
ID: 35110673
Item 3 needs to be solved on two tiers: first on the server (keep it updated all the time), and then in your application.

Directory traversal and remote file include attacks are usually exploited within poorly-coded apps. You can evaluate their security by using tools such as Nessus and Paros Proxy.

If you have security measures 1, 2 and 4 already in place, you're good to go.

Also, a security measure that I adopt to avoid remote file includes is to block browsing and FTP from the web server.

Author Closing Comment

by:MYTAIR
ID: 35111774
Thanks for the help!

Author Comment

by:MYTAIR
ID: 35111803
Bitla, thanks for your input, but a flash uploader script was not what I was looking for.