<LisandroWeisshei...@discussions.microsoft.com> wrote:
> Hi,
>
> I have a web server runnig IIS 6.0 and need to block that a user can list
> my drives and navigate in folders using an ASP code.
>
> The example is inhttp://paludo.no-ip.org:9090/teste/drive.asp
>
> I know that it can be done disabling FileSystemObeject by running the
> following regsvr32 scrrun.dll /u.
>
> But I can=B4t do this, some sites uses this component.
>
> I know that it can be done without disabling FileSystemObject, but don=B4t
> know how.
>
> Anyone can help me please?
>
> Thanks,
>
> Lisandro

"David Wang" wrote:

> On Jun 29, 7:42 am, Lisandro Weissheimer
> <LisandroWeisshei...@discussions.microsoft.com> wrote:
> > Hi,
> >
> > I have a web server runnig IIS 6.0 and need to block that a user can list
> > my drives and navigate in folders using an ASP code.
> >
> > The example is inhttp://paludo.no-ip.org:9090/teste/drive.asp
> >
> > I know that it can be done disabling FileSystemObeject by running the
> > following regsvr32 scrrun.dll /u.
> >
> > But I can´t do this, some sites uses this component.
> >
> > I know that it can be done without disabling FileSystemObject, but don´t
> > know how.
> >
> > Anyone can help me please?
> >
> > Thanks,
> >
> > Lisandro
>
>
>
> For the web pages where you want to restrict FileSystem access, change
> their authenticated user account to a deny-user-account that you
> create/maintain, and then ACL the FileSystem denying that deny-user-
> account read/list access and allowing read access to places that you
> want.
>
> Using unmanaged components like Scripting.FileSystemObject (which is
> basically raw native code running on your webserver) and then allowing
> users to upload and run code of their design using the unmanaged
> components, your ONLY security defense is NTFS ACLs. Partition your
> applications into those that run as limited and non-limited user
> accounts and ACL the NTFS FileSystem accordingly.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>