Hi,

i'm writing an isapi application which needs to move files on the local harddisks. Because isapi apps are lauched by the INET_USER there are no rights to move files across the disks. Enabling the INET_USER to do so is a kind of tricky regarding possible attacks of a web-server.

How can be login as another local NT-user to have more rights to do these file movements.

Hope someone can help.

-- Ron

Hi,
There could be a solution to your situation.

Bring up the Properties Box of you IIS. The click on Edit Master Properties and you should be able to see the Dialog WWW Service Properties for WebServer.
Now Choose Directory Security Tab

Now you see the following categories :

1) Anonymous access and Authentication control.

2) Secure Communications.

3) IP address and Domain name restrictions.

Now if you choose option 1, you will be shown the Authentication methods dialog where in you have the following options :

1) Allow Anonymous Access
2) Basic Authentication( Password sent in clear text )
3) Windows/NT Challenge/Response

You should be able to decide as to what type of authorisation you need to impose after reading the features of these security measures.

What this all points to is that for a resource on your server you can impose a Login Password security whenever somebody over the net tries to access it. Lets say we have the following HTML files on our server :

For Public :
default.html
pulic.html

For personal / Administrator use :

personal.html
administrator.html

Now you can assign the users for each resource, and if you give the GUEST Login to the first two html pages and a valid Login/Password on the next two, whenever somebody access the personal.html page will be asked to log on and only if successful will it be downloaded.

Regards










mahanthi@rocketmail.com

Hi,

Thanks For Reply..
This sollution is working if web-users login to the webserver, this way i can associated them with a known local NT user and give them special rights by acl or www settings.

This is a sollution but there need to be set a lot of security items. A example of a problem i'm dealing with : I would like to enable users to upload images or info-files to the server which can be viewed directly from the web. So the file is uploaded, scanned and placed in a directory which can be accessed by a http addres from the web. If the Inet_user needs to have write permissions in a "web-accessable"-directory there is a security hole and everybocy is able to upload to this directory and in some soecial situation they can directly upload to this directory. If i give write-premission for another special-user and are able to login as that user from the isapi application i can be sure there is no security hole.

Hope you can help again ;-)

-- Ron