>I meant to describe the last scenario you were talking about - setting the permissions on the target resource. I haven't really used FoxWeb so I don't know about RevertToSelf() which sounds interesting. Impersonate is of course also an option.

I don't use FoxWeb either, but these issues apply to Web development
with IIS in general regardless of whehter you use ASP, a tool like
FoxWeb or WebConnection, FoxISAPI or Cold Fusion.


>
>That'll learn me not to give a full explanation. I am certainly aware of the security issue you describe. I don't want to be giving bad advice.
>
>Sheepishly,
>

I didn't mean to put you in a bad light <s>...

But I think it's very important not to give out information about possible
scenarios that will cause security holes at least not without also
mentioning the dangers! The problem is that developers new to Web
and NT development may not realize the dangers and seriously compromise
network security. Better safe than sorry <s>...


+++ Rick ---





>>
>>Hold it <s>... that's extremely bad advice! It opens huge security issues.
>>I've seen this a lot on *public* Web sites even where you end up with
>>total access.
>>
>>There are a couple of better ways to handle this if indeed you're using IIS
>>and an InProc component that has the same rights as an IIS request (which
>>would apply to ISAPI and CGI extensions called from IIS).
>>
>>there are several API calls that allow user account impersonation to
>>*temporarily* set permissions to access resources either locally on
>>the network. For local machine access the easiest thing to do is use
>>RevertToSelf() which reverts IUSR_ to the SYSTEM account. This may
>>or may not allow you access to the network depending on how security
>>is set up for the system.
>>
>>You can also use ImpersonateLogon( specific account) or
>>ImpersonateInteractiveUser(whoever is logged on or SYSTEM if noone is).
>>These require some additional calls though to get an access token first.
>>
>>The other route is to set permissions on the target resource to allow
>>IUSR_ of the Web server access on its remote drives. To do this you have
>>to change the randomly assigned password for IUSR_ in user manager and
>>IIS. Once you actually know what hte password is create the IUSR_WebServer
>>account on the target server with the same user name and password,
>>making it possible to allow access. Make sure you don't expose this
>>remote resource in any way through Web or other TCP/IP interfaces - if
>>you do you have a huge security leak - the key is not to let the outside
>>know or not use TCP/IP on that net connection at all.
>>
>>The same security scheme is required in order to make DCOM component calls
>>from IIS's user context.
>>
>>
>>
>>
>>
>>
>>
>>
>>>
>>>>Hi!
>>>>I have a question about Foxweb ( a foxcode based CGI script Engine )
>>>>
>>>>On alpha Server VFP and VFP's runtime cannot run, but I must handle
>>>>some kind of processing on alpha Server.
>>>>So I decided that Foxweb and pragram which associated in Foxweb let be
>>>>install on intel chipset Server and only database file let be install on alpha server.
>>>>
>>>>But the very difficult problem is that FOXWEB CANNOT ACCESS THE DATABASE THAT IS ON DIFFERENT SERVER.........
>>>>
>>>>How can I access the database on different server in using Foxweb?
>>>>
>>>>Please give me a any information about this.......
>>>>
>>>>Best regards.
>>>>thanks
>>>>
>>>>www.vfp.co.kr
>>>>funnyfox@vfp.co.kr