Re: Restrict use of WMI, ADSI and WScript.Shell
From: Peter Johansen (peterJohan13384_at_hotmail.com)
Date: 04/13/04
- In reply to: David Wang [Msft]: "Re: Restrict use of AMI, ADSI and WScript.Shell"
Date: Tue, 13 Apr 2004 14:14:33 GMT
It looks like the ADSI "WinNT" namespace is implemented with a different
.dll. I checked and found a few DLLs in "c:/Windows/system32" that look
like they may be related to ADSI:
adsldp.dll
adsldpc.dll
adsmsext.dll
adsnds.dll
adsnt.dll
adsnw.dll
I'd be happy to restrict access to them via NTFS as I had done with
"adsiis.dll", but I wanted to check first that these DLLs are in fact part
of ADSI, and do not require less strict permissions for some other reason.

Thanks - Peter

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:ufc1RcQIEHA.4092@TK2MSFTNGP11.phx.gbl...
> You can use Filesystem ACL on %windir%\System32\wshom.ocx to control who
> can create the WScript.Shell object (as well as all the WScript.* objects)
> in one shot. Can't use Filesystem ACL to allow one user to create
> WScript.Network but not WScript.Shell, for example.
>
> I'm not certain if ADSI has anything comparable to WMI, but you can use the
> same Filesystem ACL approach on %windir%\system32\adsiis.dll to prevent
> users from accessing all of the IIS:// ADSI namespace.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Peter Johansen" <peterJohan13384@hotmail.com> wrote in message
> news:ZFFec.132167$Bk31.35595@twister01.bloor.is.net.cable.rogers.com...
> Hi, I would appreciate any tips on restricting WMI, ADSI, and WScript.Shell
> from being used in ASP pages by anyone other than the Administrators group
> in a shared hosting environment. WMI seems like it can be restricted fairly
> easily via the "WMI Control" MMC snap-in. But how about ADSI and
> WScript.Shell? This is for IIS 6.0 on W2K3.
>
> By the way, each web site has its own IUSR account and application pool.
> The application pool's identity is also a unique user account for each web.
> This allows me to restrict access to files between different webs. However,
> I would still like to restrict WMI, ADSI and WScript.Shell from being used
> at all, except by the Administrators group.
>
> Thanks for any tips and advice.
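
An added example, not part of the original posts and not code from Microsoft or either poster: a read-only PowerShell audit of the two files David Wang names, listing every Allow entry that still lets a principal other than Administrators or SYSTEM read or execute the file. The function name, the allowed-SID list and the availability of PowerShell on the server are assumptions.

```powershell
# Added example: report Allow ACEs that let non-admin principals load the
# COM server files named in this thread. Read-only; it changes no ACLs.
function Get-ComFileExposure {
    param(
        # The two files named in the thread; add others only once confirmed.
        [string[]]$Path = @("$env:windir\System32\wshom.ocx",
                            "$env:windir\System32\adsiis.dll"),
        # Assumption: only BUILTIN\Administrators and SYSTEM should keep access.
        [string[]]$AllowedSid = @('S-1-5-32-544', 'S-1-5-18')
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights needed to load the file (ReadData, ExecuteFile), plus the generic
    # bits GENERIC_READ, GENERIC_EXECUTE and GENERIC_ALL, which Get-Acl can
    # show as raw numbers instead of named rights.
    $loadMask = [int64]$fsr::ReadData -bor [int64]$fsr::ExecuteFile -bor 2952790016

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $file).Access) {
            # Only Allow entries are listed; Deny entries are not evaluated.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int64]$rule.FileSystemRights -band $loadMask) -eq 0) { continue }
            try {
                # Compare by SID so localized group names do not matter.
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $rule.IdentityReference.Value  # unresolvable: report as-is
            }
            if ($AllowedSid -contains $sid) { continue }
            [pscustomobject]@{
                File      = $file
                Identity  = $rule.IdentityReference.Value
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-ComFileExposure | Format-Table -AutoSize
```

An empty result means no Allow entry outside the allowed SIDs remains on those files; a row for a broad group such as Users or Everyone is worth attention because per-site IUSR and application pool accounts are normally covered by such groups.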