Security Considerations

File Transfer CS does not bypass security in any way. It cannot access any part of your web server that cannot already be accessed through a CGI program. If you are having trouble accessing specific resources using File Transfer CS, it is most likely a security problem that can only be resolved by working with the system administrator or Internet Service Provider (ISP) who manages your web server.

Windows NT, Windows Internet Information Server (IIS) and Windows Internet Explorer (IE) interact in ways that go beyond basic web security. While these mechanisms provide more robust security, they can interfere with the execution of your application, and resolving these problems requires an understanding of how the mechanisms interact.

Security Topics

User Authentication
File Access Permissions
User Privileges

  User Authentication

User Authentication involves identifying and validating who the user is. Depending on how a user is authenticated, IIS will process the request under a specific NT account.

IIS Authentication Methods

IIS supports three different methods of User Authentication:

  1. Anonymous

    This method is the default authentication for any type of access to IIS prior to being prompted to provide login information. In this case the anonymous account, typically IUSR_computername, is used. Under IIS 4.0, if automatic password synchronization is turned on, abbreviated security credentials are maintained after the login. If anonymous access is denied either because the IIS resource being accessed is protected or anonymous access is disabled, one of the following authentication methods will occur.

  2. Basic Authentication

    When this method is used, the web browser is sent an Unauthorized HTTP response, causing the user to be prompted to provide login information. This information is then included in subsequent HTTP requests to the same server. Login information is sent by the browser in clear text unless SSL is used. This information is used to perform a normal NT login.

  3. NTLM Challenge/Response

    This method is only supported by Microsoft Internet Explorer browsers used within the context of a trusted NT domain. In this case an abbreviated security credential is sent by Internet Explorer to IIS and the user is not prompted to provide login information.

The important difference between these three methods is what determines who the user is and how that user is logged on to NT.

Establishing a Network Login

If you need to access a network resource, such as a shared file system, from an ASP script, a network login must occur on the server. Furthermore, the login must occur under an account that has access permissions to the network resource. To ensure a network login, you have three options:

  1. Allow anonymous access, but make sure automatic password synchronization is disabled under IIS 4.0.

  2. Allow authenticated access using Basic Authentication, but make sure NTLM Challenge/Response authentication is disabled.

  3. Use the File Transfer CS Computer.Impersonate method to log on to the network.

The first two options can be accomplished by using the IIS Console Manager to change the configuration of IIS. Whether this is possible depends on whether you have administrative access to the server.

To disable automatic password synchronization under IIS 4.0 follow these steps:

  1. Start the IIS Console Manager

  2. Display the properties for your web site

  3. Select the Directory Security tab

  4. Select the Edit button for Anonymous Access and Authentication Control

  5. Select the Edit button for the Account used for Anonymous Access

  6. Uncheck the Automatic Password Synchronization box

To disable NTLM Challenge/Response under IIS 4.0 follow these steps:

  1. Start the IIS Console Manager

  2. Display the properties for your web site

  3. Select the Directory Security tab

  4. Select the Edit button for Anonymous Access and Authentication Control

  5. Uncheck the Windows NT Challenge/Response box

If neither of the first two options is possible, you may need to consider using the third option. Below is an example of how to log into the network using File Transfer CS:

<% 
    ' Initialize a Computer object
    Set Computer = Server.CreateObject("File Transfer CS .Computer")

    ' Log on to the network under a fixed account
    ' (replace myacct and mypasswd with the account that has access to the resource)
    Computer.Impersonate "myacct","mypasswd"

    ' Access network drives here (the example elides this code)
           :
           :

    ' Log out of the network before the script ends
    Computer.EndImpersonate
%>

In the above example, access is effectively anonymous, since the account and password are hard-coded into the ASP script: the same account is always used regardless of who is using your application. This technique is useful if the anonymous account does not have permission to access the network resource, or if it is not possible to disable IIS 4.0 automatic password synchronization.

! This method can be disabled by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Infomentum\File Transfer CS \AllowImpersonation = False

If you want to authenticate each user, you will need to create an HTML form to collect login credentials that can then be passed to Computer.Impersonate. While this technique suffers from the same security issues as Basic Authentication, it is no less secure, and it can be used even if NTLM Challenge/Response is enabled.
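The form-based approach described above, as an added example that is not part of the original page: the script first reports which of the three IIS authentication methods applied to the request (using the standard IIS server variables AUTH_TYPE and LOGON_USER), then logs on to the network with the posted account via Computer.Impersonate, and always ends the impersonation afterwards. The ProgID is the one from the page's own example; the form field names acct and pwd are assumptions.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Report how IIS authenticated this request. AUTH_TYPE is empty for
' Anonymous, "Basic" for Basic Authentication and "NTLM" for Windows NT
' Challenge/Response; LOGON_USER is the NT account IIS runs the request as.
Dim authType, logonUser, Computer, acct, pwd
authType = Request.ServerVariables("AUTH_TYPE")
logonUser = Request.ServerVariables("LOGON_USER")
If authType = "" Then authType = "Anonymous"
Response.Write "IIS authentication: " & Server.HTMLEncode(authType) & "<br>"
Response.Write "Request account: " & Server.HTMLEncode(logonUser) & "<br>"

' Only accept credentials from a POSTed form, never from the query string,
' so they do not end up in the IIS log or the browser history.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
%>
<form method="post" action="<%= Request.ServerVariables("SCRIPT_NAME") %>">
  Account: <input type="text" name="acct"><br>
  Password: <input type="password" name="pwd"><br>
  <input type="submit" value="Log on">
</form>
<%
    Response.End
End If

acct = Request.Form("acct")          ' form field names are assumptions
pwd = Request.Form("pwd")
If acct = "" Then
    Response.Write "No account supplied."
    Response.End
End If

' ProgID taken from the page's own example
Set Computer = Server.CreateObject("File Transfer CS .Computer")
On Error Resume Next                 ' keep control so EndImpersonate always runs
Computer.Impersonate acct, pwd
If Err.Number <> 0 Then
    Response.Write "Network logon failed: " & Server.HTMLEncode(Err.Description)
    Err.Clear
Else
    ' Access network resources as the supplied account here.
    Response.Write "Logged on to the network as " & Server.HTMLEncode(acct)
    ' End the impersonation even if the work above raised an error.
    Computer.EndImpersonate
End If
On Error GoTo 0
Set Computer = Nothing
%>
```

As with Basic Authentication, the posted password travels in clear text unless the page is served over SSL.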

  File Access Permissions

In order to access directories and files with File Transfer CS, the account being used must have the proper file access permissions. File Transfer CS simply cannot override NT security.

Read-only Attribute

If you are having problems accessing a specific file or directory, the best place to start is to run the Windows NT Explorer on the server where the file or directory is located. Navigate to the file or directory, and use the right mouse button menu to display the property sheet.

Under the default tab, General, the attributes of the file are listed. If you are trying to write to a file or directory, make sure the Read-only attribute is not checked.

NTFS Permissions

If the file or directory you are trying to locate is on an NTFS file system, the property sheet will have a Security tab. Select the Security tab and press the Permissions button to view and modify the permissions for the file or directory.

This permissions dialog will list all of the users and groups that have been granted access to the file or directory. The type of access is also shown.

If you are having trouble accessing this file or directory, first check to see if the account or one of the groups you are using is listed. If not, use the Add button to add the proper permissions. If the account or one of its groups is listed, check the type of access that has been granted. Double click on the account or group to modify the access.

Modifying NTFS Permissions from your scripts

File Transfer CS provides interfaces for modifying NTFS permissions through the ACEs collection of the File and Directory objects. To use File Transfer CS to modify an NTFS permission, the user account that your script is running under must either own the file or have the Change Permissions permission on it. If the file or directory you are trying to access was created by your script, the account your script runs under most likely owns it.

Share Permissions

If the file or directory you are accessing is on a network drive, access to that network drive is also controlled by the share permissions defined on the server that the network drive is on. To view and modify the share permissions, display the property sheet by running the Windows NT Explorer on the server the network drive is on. Select the Sharing tab and press the Permissions button.

  User Privileges

Using the User Manager

User privileges are controlled by User Manager for Domains:

[User Manager for Domains window]

The User Manager window shows both the groups and the users defined on your NT computer or domain. To change the rights for a user, choose Policies->User Rights.

Rights required to modify the registry

The File.RegisterDLL method cannot be used if the process does not have write access to the system registry. To grant this right, follow the same procedure as above.

! Granting a user write access to the system registry can represent a significant security risk. By granting this access, the user can potentially write to any part of the system registry.