Thanks for your reply, Sean. I'll disperse my answers between your comments...

> Ermm.. Having read the rest of the string...
>
> Are you already authenticated as an NT user? IE If you're established as an
> NT user with permissions over the wwwroot and IIS is allowing NTFS auth then
> this will avoid tricks like denying iusr read.

I'm running MIE as ICGDEV, an authenticated user with no privileges to any template files on the server.

> Under IIS, the first trick to keep in mind is what users have access to
> browse the directory at all. Who can pull up a directory listing, who can
> actually read the files. Removing the IUSR should stop browsers from
> accessing those pages. If it hasn't, try restarting the CF services.
> Occasionally I have found those details caching and not re-checking auth.

ICGDEV has no privileges to browse the directory and no privileges to read the files. I restarted the entire computer and it still behaves the same way. Access is given to ICGDEV to run the ColdFusion pages, even though it has no NTFS permissions.

> The next trick to keep in mind is which process is actually calling the
> script, and which user is that process authenticated under.
>
> IE Are you just browsing anonymously? Have you previously authenticated as
> an Admin, is the script being called direct from your browser, or is it
> being called as an include/component/etc from within your scripts.

It's being called directly; it's just hello.cfm with just the word 'hello' in it.

> Actual calls to the script from your browser will execute as you. The IUSR
> if you haven't provided authentication and NT Auth is disabled, your NT user
> if NT Auth is enabled and you've authenticated in the NT domain, or the
> authentication details you've provided through challenge/response.

That's what I'm saying isn't working. I'm using integrated Windows authentication, connecting as ICGDEV, and I'm still able to access the ColdFusion pages from the browser. According to the technote, I shouldn't be able to, since ICGDEV doesn't have the necessary read privileges.
> Internal script calls to other templates or components will execute as the
> system user, or as cold fusion itself when executing. Sandboxing is the best
> way to secure these types of calls imho.

I'm not really considering using this for securing the pages (at this time), I'm just trying to understand how it works.

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4