| Groups | Blog | Home |
iis security : Secure upload page 2
I have created the subweb account as you have said to be the simplest. But the same problem remains anyone with FP can enter the web the usr has to be an Author to submit the file. I can't get aroung this unles you know a better way I am struggling here. https://animocracy.com/upload Should take you there. When you submit, the prompt is back asking for the user name and password thanks guys
OK. There are a few things to take into account here.
First, the FP browse account generally only has ability to read content files. So, it will not have a grant of write on the area to which the upload is attempting to save (unless it is one of the very few areas where FP places very loose permissions). So, two things to check. Suppose the upload is trying to save to some folder ./here/ In the IIS mgmt interface, locate this ./here and r-click into its properties and there set none for application script/execute, and set write with a radio-check. Then, find the ./here folder in Explorer and set permissions to modify for the IUSR_, the IWAM_, and the accounts that are supposed to be able to upload. This is overkill, but it should cover the bases regardless of the types of authentication you are supporting and the process isolation setting of the web app. Also, if you have used IISlockdown make sure that there are not Deny Write settings on this ./here directory. If things are still not working the most simple thing is to set an audit ACE in the NTFS permissions, for Failure Full, and make sure the the effective local policy will enable auditing of failures. I have seen FP do some strange things, expecting account to have read at spots in the root web, etc. but if you have not hand-tightended the NTFS permissions of the web content this should not come into play. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA [quoted text, click to view] "Joe" <anonymous@discussions.microsoft.com> wrote in message news:517501c42c99$4db989c0$a301280a@phx.gbl... > Hello Roger > > I have created the subweb account as you have said to be > the simplest. But the same problem remains anyone with FP > can enter the web the usr has to be an Author to submit > the file. I can't get aroung this unles you know a better > way I am struggling here. > > https://animocracy.com/upload > > Should take you there. When you submit, the prompt is back > asking for the user name and password > thanks guys > Joe
Thanks Roger I will give this a try
i have seen FP do some VERY strange things also I would aggree. I will let you know Most appreciated Joe [quoted text, click to view] >-----Original Message-----
>OK. There are a few things to take into account here. >First, the FP browse account generally only has ability >to read content files. So, it will not have a grant of >write on the area to which the upload is attempting to >save (unless it is one of the very few areas where FP >places very loose permissions). >So, two things to check. Suppose the upload is trying >to save to some folder ./here/ >In the IIS mgmt interface, locate this ./here and r-click >into its properties and there set none for application >script/execute, and set write with a radio-check. >Then, find the ./here folder in Explorer and set permissions >to modify for the IUSR_, the IWAM_, and the accounts >that are supposed to be able to upload. This is overkill, >but it should cover the bases regardless of the types of >authentication you are supporting and the process isolation >setting of the web app. >Also, if you have used IISlockdown make sure that there >are not Deny Write settings on this ./here directory. >If things are still not working the most simple thing is to >set an audit ACE in the NTFS permissions, for Failure >Full, and make sure the the effective local policy will >enable auditing of failures. I have seen FP do some strange >things, expecting account to have read at spots in the root >web, etc. but if you have not hand-tightended the NTFS >permissions of the web content this should not come into >play. >-- >Roger Abell >Microsoft MVP (Windows Server System: Security) >MCSE (W2k3,W2k,Nt4) MCDBA >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:517501c42c99$4db989c0$a301280a@phx.gbl... >> Hello Roger >> >> I have created the subweb account as you have said to be >> the simplest. But the same problem remains anyone with FP >> can enter the web the usr has to be an Author to submit >> the file. I can't get aroung this unles you know a better >> way I am struggling here. >> >> https://animocracy.com/upload >> >> Should take you there. When you submit, the prompt is back >> asking for the user name and password >> thanks guys >> Joe > > >.
Roger thanks for your help here
I have to say now the page cannot be displayed If you could please walk me through setting up a machine account lets say a Guest for the machine to be able to do the latter with FP. I presently have no accounts other than the administrator.I am familiar with what you are saying to a point but I think my head is getting screwd up. Lets start there. Lets create a "generic" account I can give to anyone on the net to be able upload to my folder. After, we can go to the FP side of this and set the same account the way you specify. I really dont want to bother you guys about this anylonger it cannot be that difficult. Thanks Joe [quoted text, click to view] >-----Original Message-----
>OK. There are a few things to take into account here. >First, the FP browse account generally only has ability >to read content files. So, it will not have a grant of >write on the area to which the upload is attempting to >save (unless it is one of the very few areas where FP >places very loose permissions). >So, two things to check. Suppose the upload is trying >to save to some folder ./here/ >In the IIS mgmt interface, locate this ./here and r-click >into its properties and there set none for application >script/execute, and set write with a radio-check. >Then, find the ./here folder in Explorer and set permissions >to modify for the IUSR_, the IWAM_, and the accounts >that are supposed to be able to upload. This is overkill, >but it should cover the bases regardless of the types of >authentication you are supporting and the process isolation >setting of the web app. >Also, if you have used IISlockdown make sure that there >are not Deny Write settings on this ./here directory. >If things are still not working the most simple thing is to >set an audit ACE in the NTFS permissions, for Failure >Full, and make sure the the effective local policy will >enable auditing of failures. I have seen FP do some strange >things, expecting account to have read at spots in the root >web, etc. but if you have not hand-tightended the NTFS >permissions of the web content this should not come into >play. >-- >Roger Abell >Microsoft MVP (Windows Server System: Security) >MCSE (W2k3,W2k,Nt4) MCDBA >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:517501c42c99$4db989c0$a301280a@phx.gbl... >> Hello Roger >> >> I have created the subweb account as you have said to be >> the simplest. But the same problem remains anyone with FP >> can enter the web the usr has to be an Author to submit >> the file. I can't get aroung this unles you know a better >> way I am struggling here. >> >> https://animocracy.com/upload >> >> Should take you there. When you submit, the prompt is back >> asking for the user name and password >> thanks guys >> Joe > > >.
I have tried just about everything I know of including
your advise and as long as the account in the FPSE is set to "browse" your screwed. Of course you could have a machine account as an admin. but then what good is that [quoted text, click to view] >-----Original Message-----
>OK. There are a few things to take into account here. >First, the FP browse account generally only has ability >to read content files. So, it will not have a grant of >write on the area to which the upload is attempting to >save (unless it is one of the very few areas where FP >places very loose permissions). >So, two things to check. Suppose the upload is trying >to save to some folder ./here/ >In the IIS mgmt interface, locate this ./here and r-click >into its properties and there set none for application >script/execute, and set write with a radio-check. >Then, find the ./here folder in Explorer and set permissions >to modify for the IUSR_, the IWAM_, and the accounts >that are supposed to be able to upload. This is overkill, >but it should cover the bases regardless of the types of >authentication you are supporting and the process isolation >setting of the web app. >Also, if you have used IISlockdown make sure that there >are not Deny Write settings on this ./here directory. >If things are still not working the most simple thing is to >set an audit ACE in the NTFS permissions, for Failure >Full, and make sure the the effective local policy will >enable auditing of failures. I have seen FP do some strange >things, expecting account to have read at spots in the root >web, etc. but if you have not hand-tightended the NTFS >permissions of the web content this should not come into >play. >-- >Roger Abell >Microsoft MVP (Windows Server System: Security) >MCSE (W2k3,W2k,Nt4) MCDBA >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:517501c42c99$4db989c0$a301280a@phx.gbl... >> Hello Roger >> >> I have created the subweb account as you have said to be >> the simplest. But the same problem remains anyone with FP >> can enter the web the usr has to be an Author to submit >> the file. I can't get aroung this unles you know a better >> way I am struggling here. >> >> https://animocracy.com/upload >> >> Should take you there. When you submit, the prompt is back >> asking for the user name and password >> thanks guys >> Joe > > >.
The accounts you see and call FP accounts are machine
accounts. This is not that hard. If you have a web with anonymous content, and then you use the FP Sharepoint admin interface to define a subweb of this one, let us call it upld, then you go into the admin page for the new upld subweb, and there you check to use permissions different from the parent, then check to not allow anonymous access, and finally grant browser role to the account you have defined and will be giving out (this cannot be a Guest, well rather, if it is a Guest and it works it is because it is also either directly or indirectly a Users member). Now, in this upld web you should put your upload form, so that people do not even get the form unless they know the account name/pwd. Next, in upld subweb use _private, or fpdb, or define a directory into which the uploaded file will go. This folder you need to mark to allow write and not allow script/exec in IIS mgmt UI, and to allow Change/Modify (on _private, fpdb, FPSE tends to grant the to Network and to Interactive) for the accounts that may be used (see earlier post). If this does not work it is likely due to the account not having logon rights or not having read rights for the root web of the website (auditing helps to find the few files where this is needed, but again, if you have not hand tweaked the NTFS permissions elsewhere, FPSE sets them more than sufficiently loose that this should not be the problem). This is not that hard to do. You need to get auditing going so that you get some guidance from the system as to which part of the whole is missing in how you have it set. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA [quoted text, click to view] "Joe" <anonymous@discussions.microsoft.com> wrote in message news:575e01c42d3e$ee08e880$a401280a@phx.gbl... > I have tried just about everything I know of including > your advise and as long as the account in the FPSE is set > to "browse" your screwed. Of course you could have a > machine account as an admin. but then what good is that > >-----Original Message----- > >OK. There are a few things to take into account here. > >First, the FP browse account generally only has ability > >to read content files. So, it will not have a grant of > >write on the area to which the upload is attempting to > >save (unless it is one of the very few areas where FP > >places very loose permissions). > >So, two things to check. Suppose the upload is trying > >to save to some folder ./here/ > >In the IIS mgmt interface, locate this ./here and r-click > >into its properties and there set none for application > >script/execute, and set write with a radio-check. > >Then, find the ./here folder in Explorer and set > permissions > >to modify for the IUSR_, the IWAM_, and the accounts > >that are supposed to be able to upload. This is overkill, > >but it should cover the bases regardless of the types of > >authentication you are supporting and the process > isolation > >setting of the web app. > >Also, if you have used IISlockdown make sure that there > >are not Deny Write settings on this ./here directory. > >If things are still not working the most simple thing is > to > >set an audit ACE in the NTFS permissions, for Failure > >Full, and make sure the the effective local policy will > >enable auditing of failures. I have seen FP do some > strange > >things, expecting account to have read at spots in the > root > >web, etc. but if you have not hand-tightended the NTFS > >permissions of the web content this should not come into > >play. > >-- > >Roger Abell > >Microsoft MVP (Windows Server System: Security) > >MCSE (W2k3,W2k,Nt4) MCDBA > >"Joe" <anonymous@discussions.microsoft.com> wrote in > message > >news:517501c42c99$4db989c0$a301280a@phx.gbl... > >> Hello Roger > >> > >> I have created the subweb account as you have said to be > >> the simplest. But the same problem remains anyone with > FP > >> can enter the web the usr has to be an Author to submit > >> the file. I can't get aroung this unles you know a > better > >> way I am struggling here. > >> > >> https://animocracy.com/upload > >> > >> Should take you there. When you submit, the prompt is > back > >> asking for the user name and password > >> thanks guys > >> Joe > > > > > >. > >
Roger I agree this is not that hard according to theory
but I cannot get past the prompt at the FP level I do not care what you do to this thing it will not let you past the prompt with a browser account Ok at this point I have changed the desination folder in the upload form to _private or fpdb .but I will and then I am going to the IIS manger and change the permissions of the _private folder for the account in FPSE correct? to change/modify ok the account is User name >>>File ok so in FPSE this "file" should have to be set to browse correct? Well it is,and the subweb does not have the same security as the parent web it is only one upload page. Here is the password >>>> upload try to get me a file uploaded to my web see what happens? Thanks Joe [quoted text, click to view] >-----Original Message-----
>The accounts you see and call FP accounts are machine >accounts. >This is not that hard. If you have a web with anonymous >content, and then you use the FP Sharepoint admin interface >to define a subweb of this one, let us call it upld, then you >go into the admin page for the new upld subweb, and there >you check to use permissions different from the parent, then >check to not allow anonymous access, and finally grant >browser role to the account you have defined and will be >giving out (this cannot be a Guest, well rather, if it is a >Guest and it works it is because it is also either directly >or indirectly a Users member). >Now, in this upld web you should put your upload form, >so that people do not even get the form unless they know >the account name/pwd. >Next, in upld subweb use _private, or fpdb, or define a >directory into which the uploaded file will go. This folder >you need to mark to allow write and not allow script/exec >in IIS mgmt UI, and to allow Change/Modify (on _private, >fpdb, FPSE tends to grant the to Network and to Interactive) >for the accounts that may be used (see earlier post). >If this does not work it is likely due to the account not >having logon rights or not having read rights for the root >web of the website (auditing helps to find the few files where >this is needed, but again, if you have not hand tweaked the >NTFS permissions elsewhere, FPSE sets them more than >sufficiently loose that this should not be the problem). > >This is not that hard to do. >You need to get auditing going so that you get some guidance >from the system as to which part of the whole is missing in >how you have it set. > >-- >Roger Abell >Microsoft MVP (Windows Server System: Security) >MCSE (W2k3,W2k,Nt4) MCDBA >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:575e01c42d3e$ee08e880$a401280a@phx.gbl... >> I have tried just about everything I know of including >> your advise and as long as the account in the FPSE is set >> to "browse" your screwed. Of course you could have a >> machine account as an admin. but then what good is that >> >-----Original Message----- >> >OK. There are a few things to take into account here. >> >First, the FP browse account generally only has ability >> >to read content files. So, it will not have a grant of >> >write on the area to which the upload is attempting to >> >save (unless it is one of the very few areas where FP >> >places very loose permissions). >> >So, two things to check. Suppose the upload is trying >> >to save to some folder ./here/ >> >In the IIS mgmt interface, locate this ./here and r- click >> >into its properties and there set none for application >> >script/execute, and set write with a radio-check. >> >Then, find the ./here folder in Explorer and set >> permissions >> >to modify for the IUSR_, the IWAM_, and the accounts >> >that are supposed to be able to upload. This is overkill, >> >but it should cover the bases regardless of the types of >> >authentication you are supporting and the process >> isolation >> >setting of the web app. >> >Also, if you have used IISlockdown make sure that there >> >are not Deny Write settings on this ./here directory. >> >If things are still not working the most simple thing is >> to >> >set an audit ACE in the NTFS permissions, for Failure >> >Full, and make sure the the effective local policy will >> >enable auditing of failures. I have seen FP do some >> strange >> >things, expecting account to have read at spots in the >> root >> >web, etc. but if you have not hand-tightended the NTFS >> >permissions of the web content this should not come into >> >play. >> >-- >> >Roger Abell >> >Microsoft MVP (Windows Server System: Security) >> >MCSE (W2k3,W2k,Nt4) MCDBA >> >"Joe" <anonymous@discussions.microsoft.com> wrote in >> message >> >news:517501c42c99$4db989c0$a301280a@phx.gbl... >> >> Hello Roger >> >> >> >> I have created the subweb account as you have said to be >> >> the simplest. But the same problem remains anyone with >> FP >> >> can enter the web the usr has to be an Author to submit >> >> the file. I can't get aroung this unles you know a >> better >> >> way I am struggling here. >> >> >> >> https://animocracy.com/upload >> >> >> >> Should take you there. When you submit, the prompt is >> back >> >> asking for the user name and password >> >> thanks guys >> >> Joe >> > >> > >> >. >> > > > >.
[quoted text, click to view] "Joe" <anonymous@discussions.microsoft.com> wrote in message No. In the IIS mgmt UI you just check that Write is allowed tonews:5f4401c42dd2$25335640$a101280a@phx.gbl... > Roger I agree this is not that hard according to theory > but I cannot get past the prompt at the FP level > > I do not care what you do to this thing it will not let > you past the prompt with a browser account > > Ok at this point I have changed the desination folder in > the upload form to _private or fpdb .but I will and then I > am going to the IIS manger and change the permissions of the folder where files will be uploaded, and for safety you set script/execute to none for the application. You then use Explorer to grant to the account at the filesystem level in the NTFS permissions. [quoted text, click to view] > the _private folder for the account in FPSE correct? to The Url seems to have changed. The one you> change/modify ok the account is > > User name >>>File ok so in FPSE this "file" should have > to be set to browse correct? Well it is,and the subweb > does not have the same security as the parent web it is > only one upload page. > > Here is the password >>>> upload > > try to get me a file uploaded to my web > > see what happens? > gave earlier returns 404 not found [quoted text, click to view] > > Thanks Joe > > >-----Original Message----- > >The accounts you see and call FP accounts are machine > >accounts. > >This is not that hard. If you have a web with anonymous > >content, and then you use the FP Sharepoint admin > interface > >to define a subweb of this one, let us call it upld, then > you > >go into the admin page for the new upld subweb, and there > >you check to use permissions different from the parent, > then > >check to not allow anonymous access, and finally grant > >browser role to the account you have defined and will be > >giving out (this cannot be a Guest, well rather, if it is > a > >Guest and it works it is because it is also either > directly > >or indirectly a Users member). > >Now, in this upld web you should put your upload form, > >so that people do not even get the form unless they know > >the account name/pwd. > >Next, in upld subweb use _private, or fpdb, or define a > >directory into which the uploaded file will go. This > folder > >you need to mark to allow write and not allow script/exec > >in IIS mgmt UI, and to allow Change/Modify (on _private, > >fpdb, FPSE tends to grant the to Network and to > Interactive) > >for the accounts that may be used (see earlier post). > >If this does not work it is likely due to the account not > >having logon rights or not having read rights for the root > >web of the website (auditing helps to find the few files > where > >this is needed, but again, if you have not hand tweaked > the > >NTFS permissions elsewhere, FPSE sets them more than > >sufficiently loose that this should not be the problem). > > > >This is not that hard to do. > >You need to get auditing going so that you get some > guidance > >from the system as to which part of the whole is missing > in > >how you have it set. > > > >-- > >Roger Abell > >Microsoft MVP (Windows Server System: Security) > >MCSE (W2k3,W2k,Nt4) MCDBA > >"Joe" <anonymous@discussions.microsoft.com> wrote in > message > >news:575e01c42d3e$ee08e880$a401280a@phx.gbl... > >> I have tried just about everything I know of including > >> your advise and as long as the account in the FPSE is > set > >> to "browse" your screwed. Of course you could have a > >> machine account as an admin. but then what good is that > >> >-----Original Message----- > >> >OK. There are a few things to take into account here. > >> >First, the FP browse account generally only has ability > >> >to read content files. So, it will not have a grant of > >> >write on the area to which the upload is attempting to > >> >save (unless it is one of the very few areas where FP > >> >places very loose permissions). > >> >So, two things to check. Suppose the upload is trying > >> >to save to some folder ./here/ > >> >In the IIS mgmt interface, locate this ./here and r- > click > >> >into its properties and there set none for application > >> >script/execute, and set write with a radio-check. > >> >Then, find the ./here folder in Explorer and set > >> permissions > >> >to modify for the IUSR_, the IWAM_, and the accounts > >> >that are supposed to be able to upload. This is > overkill, > >> >but it should cover the bases regardless of the types > of > >> >authentication you are supporting and the process > >> isolation > >> >setting of the web app. > >> >Also, if you have used IISlockdown make sure that there > >> >are not Deny Write settings on this ./here directory. > >> >If things are still not working the most simple thing > is > >> to > >> >set an audit ACE in the NTFS permissions, for Failure > >> >Full, and make sure the the effective local policy will > >> >enable auditing of failures. I have seen FP do some > >> strange > >> >things, expecting account to have read at spots in the > >> root > >> >web, etc. but if you have not hand-tightended the NTFS > >> >permissions of the web content this should not come > into > >> >play. > >> >-- > >> >Roger Abell > >> >Microsoft MVP (Windows Server System: Security) > >> >MCSE (W2k3,W2k,Nt4) MCDBA > >> >"Joe" <anonymous@discussions.microsoft.com> wrote in > >> message > >> >news:517501c42c99$4db989c0$a301280a@phx.gbl... > >> >> Hello Roger > >> >> > >> >> I have created the subweb account as you have said > to be > >> >> the simplest. But the same problem remains anyone > with > >> FP > >> >> can enter the web the usr has to be an Author to > submit > >> >> the file. I can't get aroung this unles you know a > >> better > >> >> way I am struggling here. > >> >> > >> >> https://animocracy.com/upload > >> >> > >> >> Should take you there. When you submit, the prompt is > >> back > >> >> asking for the user name and password > >> >> thanks guys > >> >> Joe > >> > > >> > > >> >. > >> > > > > > > >. > >
Sorry, http://animocracy.com/upload
this is a browse account set in FPSE User/file password/upload this is your username and password I do not see in the private folder this account name when I go to set the folder permissions in explorer.and there is no IWAM either [quoted text, click to view] >-----Original Message-----
> >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:5f4401c42dd2$25335640$a101280a@phx.gbl... >> Roger I agree this is not that hard according to theory >> but I cannot get past the prompt at the FP level >> >> I do not care what you do to this thing it will not let >> you past the prompt with a browser account >> >> Ok at this point I have changed the desination folder in >> the upload form to _private or fpdb .but I will and then I >> am going to the IIS manger and change the permissions of >No. In the IIS mgmt UI you just check that Write is allowed to >the folder where files will be uploaded, and for safety you >set script/execute to none for the application. >You then use Explorer to grant to the account at the filesystem >level in the NTFS permissions. > >> the _private folder for the account in FPSE correct? to >> change/modify ok the account is >> >> User name >>>File ok so in FPSE this "file" should have >> to be set to browse correct? Well it is,and the subweb >> does not have the same security as the parent web it is >> only one upload page. >> >> Here is the password >>>> upload >> >> try to get me a file uploaded to my web >> >> see what happens? >> >The Url seems to have changed. The one you >gave earlier returns 404 not found > >> >> Thanks Joe >> >> >-----Original Message----- >> >The accounts you see and call FP accounts are machine >> >accounts. >> >This is not that hard. If you have a web with anonymous >> >content, and then you use the FP Sharepoint admin >> interface >> >to define a subweb of this one, let us call it upld, then >> you >> >go into the admin page for the new upld subweb, and there >> >you check to use permissions different from the parent, >> then >> >check to not allow anonymous access, and finally grant >> >browser role to the account you have defined and will be >> >giving out (this cannot be a Guest, well rather, if it is >> a >> >Guest and it works it is because it is also either >> directly >> >or indirectly a Users member). >> >Now, in this upld web you should put your upload form, >> >so that people do not even get the form unless they know >> >the account name/pwd. >> >Next, in upld subweb use _private, or fpdb, or define a >> >directory into which the uploaded file will go. This >> folder >> >you need to mark to allow write and not allow script/exec >> >in IIS mgmt UI, and to allow Change/Modify (on _private, >> >fpdb, FPSE tends to grant the to Network and to >> Interactive) >> >for the accounts that may be used (see earlier post). >> >If this does not work it is likely due to the account not >> >having logon rights or not having read rights for the root >> >web of the website (auditing helps to find the few files >> where >> >this is needed, but again, if you have not hand tweaked >> the >> >NTFS permissions elsewhere, FPSE sets them more than >> >sufficiently loose that this should not be the problem). >> > >> >This is not that hard to do. >> >You need to get auditing going so that you get some >> guidance >> >from the system as to which part of the whole is missing >> in >> >how you have it set. >> > >> >-- >> >Roger Abell >> >Microsoft MVP (Windows Server System: Security) >> >MCSE (W2k3,W2k,Nt4) MCDBA >> >"Joe" <anonymous@discussions.microsoft.com> wrote in >> message >> >news:575e01c42d3e$ee08e880$a401280a@phx.gbl... >> >> I have tried just about everything I know of including >> >> your advise and as long as the account in the FPSE is >> set >> >> to "browse" your screwed. Of course you could have a >> >> machine account as an admin. but then what good is that >> >> >-----Original Message----- >> >> >OK. There are a few things to take into account here. >> >> >First, the FP browse account generally only has ability >> >> >to read content files. So, it will not have a grant of >> >> >write on the area to which the upload is attempting to >> >> >save (unless it is one of the very few areas where FP >> >> >places very loose permissions). >> >> >So, two things to check. Suppose the upload is trying >> >> >to save to some folder ./here/ >> >> >In the IIS mgmt interface, locate this ./here and r- >> click >> >> >into its properties and there set none for application >> >> >script/execute, and set write with a radio-check. >> >> >Then, find the ./here folder in Explorer and set >> >> permissions >> >> >to modify for the IUSR_, the IWAM_, and the accounts >> >> >that are supposed to be able to upload. This is >> overkill, >> >> >but it should cover the bases regardless of the types >> of >> >> >authentication you are supporting and the process >> >> isolation >> >> >setting of the web app. >> >> >Also, if you have used IISlockdown make sure that there >> >> >are not Deny Write settings on this ./here directory. >> >> >If things are still not working the most simple thing >> is >> >> to >> >> >set an audit ACE in the NTFS permissions, for Failure >> >> >Full, and make sure the the effective local policy will >> >> >enable auditing of failures. I have seen FP do some >> >> strange >> >> >things, expecting account to have read at spots in the >> >> root >> >> >web, etc. but if you have not hand-tightended the NTFS >> >> >permissions of the web content this should not come >> into >> >> >play. >> >> >-- >> >> >Roger Abell >> >> >Microsoft MVP (Windows Server System: Security) >> >> >MCSE (W2k3,W2k,Nt4) MCDBA >> >> >"Joe" <anonymous@discussions.microsoft.com> wrote in >> >> message >> >> >news:517501c42c99$4db989c0$a301280a@phx.gbl... >> >> >> Hello Roger >> >> >> >> >> >> I have created the subweb account as you have said >> to be >> >> >> the simplest. But the same problem remains anyone >> with >> >> FP >> >> >> can enter the web the usr has to be an Author to >> submit >> >> >> the file. I can't get aroung this unles you know a >> >> better >> >> >> way I am struggling here. >> >> >> >> >> >> https://animocracy.com/upload >> >> >> >> >> >> Should take you there. When you submit, the prompt is >> >> back >> >> >> asking for the user name and password >> >> >> thanks guys >> >> >> Joe >> >> > >> >> > >> >> >. >> >> > >> > >> > >> >. >> > > > >.
I have been able to run 9 web sites (same IP) including
http Streaming media, Internet printing with an account name and password, VPN with account and password, operate the forms,build Access databases and a lot of other things seemingly more difficult, and for the life of me I cannot figure this out. I do think this is an issue of knowing the puzzle but not knowing the steps in order to put the puzzle togther. From here I have learned There are a few levels of security and we can grant access to levels. But what I have also noticed nothing wants to work together. Could you please approach it this way It may end this deluge of postings. Give me a user name and password any one I dont care tell me how to add it to this/my server verbatim assume I know nothing, nothing at all about the process then tell me how to let it work with FP.I have the subweb up and running (https://Animocracy.com/upload) the page is plain and visible no entering a password. Then lets set the permissions to the appropriate items Start in one place systematically please. I will follow it and then we will test it. Important info: I am all by myself here there is no network just me and the internet 1 server primarily web Jonathan is really good with this. (no offense) How I am creating my accounts: I am creating an account in the FPSE only for this app this may be a problem or thee problem but I am not sure. I have never created the account from My Computer>> Computer Managment >>>Users I am sorry for creating such havoc but I do not want to be the irresponsible one who just leaves his server wide open so others can be attacked. joe [quoted text, click to view] >-----Original Message-----
> >"Joe" <anonymous@discussions.microsoft.com> wrote in message >news:5f4401c42dd2$25335640$a101280a@phx.gbl... >> Roger I agree this is not that hard according to theory >> but I cannot get past the prompt at the FP level >> >> I do not care what you do to this thing it will not let >> you past the prompt with a browser account >> >> Ok at this point I have changed the desination folder in >> the upload form to _private or fpdb .but I will and then I >> am going to the IIS manger and change the permissions of >No. In the IIS mgmt UI you just check that Write is allowed to >the folder where files will be uploaded, and for safety you >set script/execute to none for the application. >You then use Explorer to grant to the account at the filesystem >level in the NTFS permissions. > >> the _private folder for the account in FPSE correct? to >> change/modify ok the account is >> >> User name >>>File ok so in FPSE this "file" should have >> to be set to browse correct? Well it is,and the subweb >> does not have the same security as the parent web it is >> only one upload page. >> >> Here is the password >>>> upload >> >> try to get me a file uploaded to my web >> >> see what happens? >> >The Url seems to have changed. The one you >gave earlier returns 404 not found > >> >> Thanks Joe >> >> >-----Original Message----- >> >The accounts you see and call FP accounts are machine >> >accounts. >> >This is not that hard. If you have a web with anonymous >> >content, and then you use the FP Sharepoint admin >> interface >> >to define a subweb of this one, let us call it upld, then >> you >> >go into the admin page for the new upld subweb, and there >> >you check to use permissions different from the parent, >> then >> >check to not allow anonymous access, and finally grant >> >browser role to the account you have defined and will be >> >giving out (this cannot be a Guest, well rather, if it is >> a >> >Guest and it works it is because it is also either >> directly >> >or indirectly a Users member). >> >Now, in this upld web you should put your upload form, >> >so that people do not even get the form unless they know >> >the account name/pwd. >> >Next, in upld subweb use _private, or fpdb, or define a >> >directory into which the uploaded file will go. This >> folder >> >you need to mark to allow write and not allow script/exec >> >in IIS mgmt UI, and to allow Change/Modify (on _private, >> >fpdb, FPSE tends to grant the to Network and to >> Interactive) >> >for the accounts that may be used (see earlier post). >> >If this does not work it is likely due to the account not >> >having logon rights or not having read rights for the root >> >web of the website (auditing helps to find the few files >> where >> >this is needed, but again, if you have not hand tweaked >> the >> >NTFS permissions elsewhere, FPSE sets them more than >> >sufficiently loose that this should not be the problem). >> > >> >This is not that hard to do. >> >You need to get auditing going so that you get some >> guidance >> >from the system as to which part of the whole is missing >> in >> >how you have it set. >> > >> >-- >> >Roger Abell >> >Microsoft MVP (Windows Server System: Security) >> >MCSE (W2k3,W2k,Nt4) MCDBA >> >"Joe" <anonymous@discussions.microsoft.com> wrote in >> message >> >news:575e01c42d3e$ee08e880$a401280a@phx.gbl... >> >> I have tried just about everything I know of including >> >> your advise and as long as the account in the FPSE is >> set >> >> to "browse" your screwed. Of course you could have a >> >> machine account as an admin. but then what good is that >> >> >-----Original Message----- >> >> >OK. There are a few things to take into account here. >> >> >First, the FP browse account generally only has ability >> >> >to read content files. So, it will not have a grant of >> >> >write on the area to which the upload is attempting to >> >> >save (unless it is one of the very few areas where FP >> >> >places very loose permissions). >> >> >So, two things to check. Suppose the upload is trying >> >> >to save to some folder ./here/ >> >> >In the IIS mgmt interface, locate this ./here and r- >> click >> >> >into its properties and there set none for application >> >> >script/execute, and set write with a radio-check. >> >> >Then, find the ./here folder in Explorer and set >> >> permissions >> >> >to modify for the IUSR_, the IWAM_, and the accounts >> >> >that are supposed to be able to upload. This is >> overkill, >> >> >but it should cover the bases regardless of the types >> of >> >> >authentication you are supporting and the process >> >> isolation >> >> >setting of the web app. >> >> >Also, if you have used IISlockdown make sure that there >> >> >are not Deny Write settings on this ./here directory. >> >> >If things are still not working the most simple thing >> is >> >> to >> >> >set an audit ACE in the NTFS permissions, for Failure >> >> >Full, and make sure the the effective local policy will >> >> >enable auditing of failures. I have seen FP do some >> >> strange
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |