Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Giving IIS_IUSR write access to Images folder on my website - is that a good idea?

Posted on 2011-03-11
7
1,160 Views
Last Modified: 2012-05-11
Hi,
I need to have an upload control on my website so admin users can upload images to site. This is done from a SSL secure admin interface. To make it work I need to give the IIS_IUSR write access rights to the Images folder. Is that a good idea? Can't oversee the security implications.
Is there another way to accomplish this? Preferably without messing with the web.config (impersonate settings).

Any thoughts appreciated. Thanks.
Jens
0
Comment
Question by:MYTAIR
  • 3
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 35107877
If the IIS_IUSR has only write access there on the images folder, the worst that could happen is somebody pasting a malicious .aspx or .asp file and executing it. Some good security measures:

1- control the file extensions that can be uploaded, so the malicious user can't upload .asp or .aspx files for an example.

2- make absolutely sure noone can get to the restricted upload area without authentication

3- Make absolutely sure your server is not prone to Remote file Include and directory traversal attacks

4- On your secure SSL login interface, make sure that after say, three wrong password attempts, the page will be unavailable for the attacker.

These should make your server un-interesting for attacks :)
0
 
LVL 4

Expert Comment

by:bitla
ID: 35108244
I suggest you to install or run a PHP uploader script and give access to the particular web link for that user only.

Just google it
You will find uploader scripts that restricts the file types being uploaded like it will only allow: jpg, png, jpeg etc.,

I am leaving for now if you can find it thats good enough or i will post the link after an hour from now
0
 

Author Comment

by:MYTAIR
ID: 35108286
Hi Tiago,
Thanks for your reply. 1, 2 and 4 are allready in place.
I don' t know how to implement your third suggestion. How do I make my server not prone to directory traversal attacks and remote file include. Directory browsing is not allowed on the ISS.

Cheers
Jens
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 4

Expert Comment

by:bitla
ID: 35109039
0
 
LVL 5

Accepted Solution

by:
tiago_aviz earned 250 total points
ID: 35110673
Item 3 need to be solved on two tiers: first on the server (keep it updated all the time), and on your application.

Directory traversal and remote file include attacks are usually exploited within poorly-coded apps. You can evaluate their security by using tools such as Nessus and Paros Proxy.

If you have security measures 1, 2 and 4 already in place, you're good to go.

Also, a security measure that I adopt to avoid Remote file includes is to block browsing and ftp from the web server.
0
 

Author Closing Comment

by:MYTAIR
ID: 35111774
Thanks for the help!
0
 

Author Comment

by:MYTAIR
ID: 35111803
Bitla, thanks for your input, but a flash uploader script was not what I was looking for.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question