I know you can (and I do) move and ACL critical system files (e.g. cmd.exe and other stuff from %systemroot% locations), and allow *only* access to certain directories containing executables, and there are other ways of configuring it, I have done it... I just still have reservations when it comes to allowing .exe through IIS at all.

--- Charles Otstot <[EMAIL PROTECTED]> wrote:
> I have seen some messages in the Microsoft IIS and security news groups
> on opening up specific .exe's via URLScan.
>
> Although the solutions were rather convoluted, you may want to check
> some of the groups there and post a question or two. I haven't worked
> with URLScan to the depth of knowing this one off the top of my head,
> but if I recall correctly, it *can* be done.
>
> Charlie
>
> dumbwabbit wrote:
>
> > Hmm, I would NOT recommend opening up the .exe extension.
> > Rather, you may want to consider redirecting them to
> > an FTP site, either your own, or the Citrix download
> > location (if there is one, sorry I don't know, never
> > used this client).
> > Baaaaaad security risk to allow .exe
> > just my
> > .000002
> >
> > --- "Bonner, Jon" <[EMAIL PROTECTED]> wrote:
> > > Open the following file:
> > > %systemroot%\system32\inetsrv\urlscan\urlscan.ini.
> > > Scroll down in the file until you find the section
> > > containing the text "; Deny executables that could run
> > > on the server" and then place a semicolon in front of
> > > the EXE that appears below it. This comments out EXE so
> > > that URLScan will stop blocking files with that
> > > extension. Then restart IIS or reboot your server.
> > >
> > > Jon Bonner
> > >
> > > -----Original Message-----
> > > From: CHM Security [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, March 08, 2002 5:56 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: URLScan
> > >
> > > I am running Citrix nfuse on an IIS 5 server and
> > > attempted to install the urlscan.exe from M$. I have
> > > very limited knowledge on web servers and every time I
> > > install the urlscan it kills the ability of clients to
> > > download the citrix web client (ica32t.exe) file. Like I
> > > said I have very limited knowledge of web servers and
> > > I'm not sure how I can edit the urlscan ruleset to allow
> > > this to happen. I would really like to run the urlscan
> > > tool to receive all of the benefits it provides, but as
> > > of right now I can't because it kills necessary
> > > functionality. Any help would be greatly appreciated!
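
An added example, not part of the original thread or any poster's code: a small Python check of which executable extensions a given urlscan.ini would let through, covering the edit described in the quoted instructions. The sample file content is constructed, and treating a missing UseAllowExtensions as 0 is an assumption.

```python
# Added example: audit which executable extensions a urlscan.ini lets through.
EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".com")

# Constructed sample: the edit described in the thread (.exe commented out).
SAMPLE_INI = """\
[options]
UseAllowExtensions=0   ; 0 = apply [DenyExtensions]

[DenyExtensions]
; Deny executables that could run on the server
;.exe
.bat
.cmd
.com
"""

def parse_urlscan(text):
    """Return {section: [entries]}, lower-cased, with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections

def served_executables(text):
    """List the executable extensions URLScan would not reject."""
    sec = parse_urlscan(text)
    pairs = (e.split("=", 1) for e in sec.get("options", []) if "=" in e)
    opts = {k.strip(): v.strip() for k, v in pairs}
    # Assumption: a missing UseAllowExtensions is treated as 0 (deny-list mode).
    if opts.get("useallowextensions", "0") == "1":
        # Allow-list mode: [DenyExtensions] is ignored entirely.
        allowed = set(sec.get("allowextensions", []))
        return [x for x in EXECUTABLE_EXTS if x in allowed]
    denied = set(sec.get("denyextensions", []))
    return [x for x in EXECUTABLE_EXTS if x not in denied]

if __name__ == "__main__":
    print("Executable extensions not blocked:", served_executables(SAMPLE_INI))
```

Commenting out `.exe` opens every .exe under the web root, not only ica32t.exe, which is why the NTFS ACL restrictions mentioned at the top of the thread still matter after the edit.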
