Re: Restrict use of AMI, ADSI and WScript.Shell
From: Peter Johansen (peterJohan13384_at_hotmail.com)
Date: Tue, 13 Apr 2004 04:01:05 GMT
Thank you very much. I'm really glad it's as simple as setting NTFS
permissions on the 2 files you mentioned. Just a note - the "adsiis.dll" was
in the "%windir%\system32\inetserv" folder on my server, not the
"%windir%\system32" folder. Not sure if different Windows versions have the
file in different places but thought I should mention it in case someone
else ever has the same Q's. I assume it's the same file though.
If anyone has any suggestions as to what other dangerous objects should be
restricted in this manner I would appreciate it. The one possible security
risk I will have to allow unfortunately is access to the FSO, but I think I
have that locked down fairly well since I'm using different IUSR's and app
pool identities for each web site, with appropriate NTFS permissions set on
the web root and contents.
"David Wang [Msft]" <email@example.com> wrote in message
> You can use Filesystem ACL on %windir%\System32\wshom.ocx to control who
> can create the WScript.Shell object (as well as all the WScript.* objects)
> in one shot. Can't use Filesystem ACL to allow one user to create
> WScript.Network but not WScript.Shell, for example.
> I'm not certain if ADSI has anything comparable to WMI, but you can use
> same Filesystem ACL approach on %windir%\system32\adsiis.dll to prevent
> users from accessing all of the IIS:// ADSI namespace.
> This posting is provided "AS IS" with no warranties, and confers no
> "Peter Johansen" <peterJohan13384@hotmail.com> wrote in message
> Hi, I would appreciate any tips on restricting WMI, ADSI, and
> from being used in ASP pages by anyone other than the Administrators group
> in a shared hosting environment. WMI seems like it can be restricted
> easily via the "WMI Control" MMC snap-in. But how about ADSI and
> WScript.Shell? This is for IIS 6.0 on W2K3.
> By the way, each web site has its own IUSR account and application pool.
> The application pool's identity is also a unique user account for each
> This allows me to restrict access to files between different webs.
> I would still like to restrict WMI, ADSI and Wscript.Shell from being used
> at all, except by the Administrators group.
> Thanks for any tips and advice.
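The NTFS-ACL lockdown David describes, written out as an added PowerShell example that is not part of this thread. It assumes a default install where the IIS binaries live in `inetsrv` (the post above spells it "inetserv"), that SYSTEM and Administrators are the only principals that should still be able to load these COM servers, and that it is run from an elevated prompt.

```powershell
# Added example: restrict who can load the COM server files behind WScript.*
# and the IIS:// ADSI namespace by replacing their NTFS DACL. Any identity not
# listed in $Keep (IUSR_*, app pool accounts, Users, Everyone) loses read and
# execute, so CreateObject("WScript.Shell") from an ASP page fails.
# Assumption: default paths; the IIS folder is inetsrv on a standard install.

$Targets = @(
    "$env:windir\System32\wshom.ocx",          # WScript.Shell, WScript.Network, ...
    "$env:windir\System32\inetsrv\adsiis.dll"  # IIS:// ADSI provider
)

# Principals that keep access; everything else is dropped.
$Keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Report every non-$Keep principal that still has read/execute on the file.
function Get-NonAdminReaders {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Keep -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute)
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Protect-ComServerFile {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Not found, skipping: $Path"; return }
    $acl = Get-Acl -Path $Path
    # Stop inheriting the System32 DACL (which grants Users read/execute) and
    # discard the inherited entries instead of copying them as explicit ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $Keep) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($t in $Targets) {
    $before = Get-NonAdminReaders -Path $t
    Protect-ComServerFile -Path $t
    $after = Get-NonAdminReaders -Path $t
    "{0}`n  could load before: {1}`n  can load now: {2}" -f $t, ($before -join ', '), ($after -join ', ')
}
```

Because this denies every non-administrative account at once, it has the limitation David notes: one site cannot be allowed WScript.Network while still being refused WScript.Shell, since both live in the same file.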