At 20:34 07/17/1997 -0700, you wrote:
>Due to the issues with allowing customers to run programs on your server,
>you might want to know just what a user can do with ASP, right out of the
>box. The first thing is that ASP has not extended NT's security model. So,
>like all server side scripts, and unlike Unix, the script is NOT run in the
>context of the user, but rather as a service.
>
>A user could easily make your life very difficult by using some of the
>server side objects to do things that you would rather they did not do. One
>simple example is the ILS server object. I use this example since it is
>relatively harmless (Not a critical service), and does not come with NT. I
>can write a page that will make/delete users from your ILS, and not have to
>pass any security boundary. All I need is to be able to save the file on
>your server, and have the directory executable by IIS. It should be noted
>that you have to purposefully give the directory execute permission. But,
>this is no different than ALL ASP directories. What is worse, I can write
>it to do this without you ever knowing where it is coming from.
>
>The good thing is that it cannot be done from a remote server. It must be
>installed on your machine, and you have to grant execute permissions. Just
>make sure you know who can run stuff on your machine. There are far worse
>things a person can do with ASP if they got creative.
>
>Just my experience. Been there, done that.
>
>Brad Albrecht
>Computer Innovations Online
>http://www.cio.net/
>Skagit Valleys' Premier Internet Service Provider
>
>----------
>> From: Jeremy Schertzinger <jeremy@nutleysystems.com>
>> To: 'ntisp@emerald.iea.com'
>> Subject: RE: ASP Security
>> Date: Thursday, July 17, 1997 9:59 AM
>>
>> The risks associated with ASP are the same as with any other server side
>> script you may run (perl, etc.). Avoid using world-writable files.
>> There are other considerations as well. Read the WWW server security
>> FAQ.
>>
>> There's also an NT Security mailing list. To subscribe, send mail to
>> majordomo@iss.net with the message body "subscribe ntsecurity
>> <youremail@yourdomain.com>"
>>
>> Jeremy
>>
>> --
>> Jeremy Schertzinger
>> Nutley Systems, Inc.
>> jeremy@nutleysystems.com
>> (425) 739-8024 phone
>> (206) 559-3138 pager
>>
>> > -----Original Message-----
>> > From: whiteg@dnc.net [SMTP:whiteg@dnc.net]
>> > Sent: Thursday, July 17, 1997 9:37 AM
>> > To: ntisp@emerald.iea.com
>> > Subject: ASP Security
>> >
>> > Does anybody know of any security concerns with Active Server Pages
>> > that I should be aware of?
>> >
>> > While we're on the topic, any other links to information about NT
>> > security would be appreciated.
>> >
>> >
>> > Thank you,
>> >
>> > Greg White
>> > Direct NET Communications
>> >
>> >
>> > ----------------------------------------------------------
>> > NTISP Mailing List listserver@emerald.iea.com
>>