(I am assuming a typical IIS install. I realize that account names and site
structures are variable.)

EFS will only benefit you if you are hosting multiple sites and/or allow
multiple developers on a single box. EFS uses the requesting user's
credentials to determine whether to decrypt the file or not. In the case of
a public HTTP/application server, Admin, System, and the IIS anonymous
account will have access to the file(s). Admin and IIS anonymous are the
root of most remote break-ins. If one of these accounts is compromised, the
file system will still give access to the files in unencrypted form. If
someone doesn't break into the box, then EFS is doing you no good, because
when a user accesses your web pages via a browser he/she is actually working
under either System or the IIS anonymous account. Even if you rename the
account or make up a different one for IIS anonymous access, the result is
the same.

Proper ACLs are the cornerstone of locking things down. It doesn't
matter how much you encrypt; if the user has read access to the file, then
they will still be able to read it. You may get better mileage by giving
only execute permissions on CFM files. With W2k/IIS 5 you can give execute-only
rights to a file. This will allow the user to interact with dynamic
pages but doesn't give them read access to the file. I haven't tested this,
but this may solve the "source viewing" exploits that have been plaguing
HTTP servers.
Regards,
Steve
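The point above is that on a public web server the accounts the server itself runs under can read the file regardless of EFS, so what matters is which identities hold the NTFS ReadData right. The following PowerShell audit is an added example written for this thread, not code from any of the posters: it walks a web root, lists every Allow ACE on each .cfm file, and flags the ones where a watched service account (the IIS anonymous account or SYSTEM) can read the file contents, alongside whether the file is EFS-encrypted. The web root path and the `IUSR_<machine>` account name are assumptions and should be adjusted to the server in question.

```powershell
# Added audit example (not from the thread): report which identities can read
# the contents of .cfm files, so EFS on a public server is not mistaken for an
# access control. Paths and account names are assumptions.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',                    # assumed web root
    [string[]]$WatchAccounts = @(
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",             # assumed IIS anonymous account
        'NT AUTHORITY\SYSTEM'
    )
)

# ReadData is the NTFS right that allows reading file contents. Broad rights such
# as FullControl, Modify and ReadAndExecute all include this bit, so a bitwise
# test catches them without enumerating every combination.
$ReadFlag = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-CfmReadAccess {
    param([string]$Root, [string[]]$Watch)

    Get-ChildItem -Path $Root -Recurse -Filter '*.cfm' -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries grant access; Deny entries are not reported here.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $canRead = (($ace.FileSystemRights -band $ReadFlag) -eq $ReadFlag)
            $watched = ($Watch -contains $ace.IdentityReference.Value)

            [pscustomobject]@{
                File      = $file.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                CanRead   = $canRead
                # The Encrypted attribute is set on EFS-protected files.
                Encrypted = (($file.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
                # Flag: a watched service account can read the file, encrypted or not.
                Flag      = ($watched -and $canRead)
            }
        }
    }
}

# Show only the entries that undermine the assumption that EFS protects the source.
Get-CfmReadAccess -Root $WebRoot -Watch $WatchAccounts |
    Where-Object { $_.Flag } |
    Format-Table File, Identity, Rights, Encrypted -AutoSize
```

Run it from an elevated prompt on the server; an output row with `Encrypted` set to True is exactly the case described above, where the file is EFS-encrypted but the account the web server impersonates can still read it in the clear. Dropping the `Where-Object` filter prints the full ACE list for every .cfm file, which is useful when tightening the ACLs afterwards.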
-----Original Message-----
From: Shane Witbeck [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 06, 2000 9:51 PM
To: CF-Talk
Subject: RE: Encryption...
I'm also curious, are you using the Encrypting File System (EFS) 56-bit encryption
that is included with Win2k, which can be invoked with the command
cipher.exe?
Shane Witbeck
www.digitalsanctum.com
-----Original Message-----
From: Kevin Langevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 06, 2000 3:57 PM
To: CF-Talk
Subject: Encryption...
From everything I've been reading, breaking the encryption included with CF
4.01 and CF 4.51 is pretty easy. I'm wondering what other options (that
don't require a rocket science degree) are out there for encrypting files on
a CF server... I don't particularly want to store, say, password files in
clear text. What else is being used out there to encrypt files on the
server?
<CFUG-SFL Manager>
-Kev
</CFUG-SFL Manager>
----------------------------------------------------------------------------
--------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]