
iis security : IIS6 lockdown



Peter
11/7/2003 3:07:13 PM
When IIS6 is installed on Windows 2003, it is in a locked-down state. How do I remove this?
David Wang [Msft]
11/7/2003 9:56:09 PM
I cannot assist you with that question.

I will ask you what you actually want to accomplish so that we can do that
securely. That is the proper way to configure a server.

It is risky to first "remove" lockdown, then configure your server, and then
try to re-lockdown. You're going to miss something, you're going to open a
hole wider than you think... and it's just not a good idea -- you get what
happens with IIS5.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text]
When IIS6 is installed on Windows 2003, it is in a locked-down state. How do I remove this?

Caleb Henneberry
11/11/2003 9:31:52 AM
It seems pretty simple, so I'm not sure what I'm missing.

On IIS6, I want to run a .cmd which:
-creates a directory
-copies 4 files
-runs two executables which add the appropriate serial number to the
files which have been copied based on the information supplied in the
website.

This works fine on IIS5, even after applying Microsoft's lockdown.

How do I flag IIS6 to allow this process to run?


*** Sent via Developersdex http://www.developersdex.com ***
David Wang [Msft]
11/11/2003 5:20:58 PM
For security reasons, non-Administrators cannot run .cmd using CMD.EXE from
a request served by IIS6. There really isn't any setting from IIS to enable
this -- this change was OS-wide.

Now, if you run the AppPool as LocalSystem (i.e. a similar setup to IIS5),
it'll work, but that's discouraged from a security perspective.

Or, if you change the ACL on CMD.EXE such that the remote authenticated user
has access, it'll work, but that's generally discouraged since it can lead
to remote accessibility to a shell on your server.

Or, you can use Windows Scripting (.js or .vbs script files), which are as
executable as .cmd from the commandline, and they can easily run as ASP
files (with simple file rename and a couple of new tags) to become
web-accessible, and they do not rely on access to CMD.EXE.

Finally, IIS5, even when locked down, is still more open for vulnerabilities
when compared to IIS6. I would not consider everything doable on a locked
down IIS5 to be kosher.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
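
The script-based option from the reply above, as an added example (not code from the thread or from Microsoft): the directory-creation and file-copy steps of the .cmd done through Scripting.FileSystemObject in JScript, so nothing depends on CMD.EXE. The paths, file names, the `serial` form field and its format are assumptions; saved as an .asp page the code would sit inside `<%@ Language="JScript" %>` and `<% ... %>` tags, and the two executables are not covered.

```javascript
// Added example in JScript (ES3 syntax, as used by classic ASP and WSH).
// Assumed names: BASE_DIR, TEMPLATE_DIR, TEMPLATE_FILES, form field "serial".
var BASE_DIR = "D:\\licenses";       // hypothetical output root
var TEMPLATE_DIR = "D:\\templates";  // hypothetical source of the 4 files
var TEMPLATE_FILES = ["a.dat", "b.dat", "c.dat", "d.dat"]; // hypothetical

// Accept only a strict, constructed serial format so the web-supplied value
// can never carry path separators, "..", or shell metacharacters.
function isValidSerial(s) {
  return typeof s === "string" && /^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$/.test(s);
}

// Create the per-request directory and copy the template files using
// FileSystemObject methods only; no command interpreter is started.
function provision(fso, serial) {
  if (!isValidSerial(serial)) {
    return { ok: false, error: "invalid serial" };
  }
  var target = fso.BuildPath(BASE_DIR, serial);
  if (fso.FolderExists(target)) {
    return { ok: false, error: "already provisioned" };
  }
  fso.CreateFolder(target);
  var copied = [];
  for (var i = 0; i < TEMPLATE_FILES.length; i++) {
    var src = fso.BuildPath(TEMPLATE_DIR, TEMPLATE_FILES[i]);
    var dst = fso.BuildPath(target, TEMPLATE_FILES[i]);
    fso.CopyFile(src, dst, false); // false: never overwrite an existing file
    copied.push(dst);
  }
  return { ok: true, dir: target, files: copied };
}

// ASP entry point: runs only when hosted by IIS, where the Server, Request
// and Response intrinsic objects exist.
if (typeof Server !== "undefined") {
  var result = provision(Server.CreateObject("Scripting.FileSystemObject"),
                         String(Request.Form("serial")));
  // Keep the reason for a rejection out of the response body.
  Response.Write(result.ok ? "Provisioned." : "Request rejected.");
}
```

The identity the request runs as needs write access to the output directory only.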