enoch has asked for the wisdom of the Perl Monks concerning the following question:

     I am in the process of helping my NT compatriots set up a web server that will serve pages for students (I work at a college). This whole process of setting up accounts and web folders and such is done by my Perl account setup script. But, there is one thing that I need to do that I have not found a way to do. That is, set specific IIS permissions on these web folders. Basically, I do not want them to have the ability to be able to execute .asp, .pl, .php, etc. pages. This executable permission bit can be disabled for each folder from a GUI, but there does not seem to be a commandline way of doing it. So, I went searching for a Perl module that will allow me to hook into the IIS specific permissions; but I came up empty on Google, CPAN, Roth, and Super Search.
     So, my question is, is there a way to do this from Perl? Is there a module out there that will help me? How much do you hate IIS?

Thanks,
Jeremy

Re: Setting IIS Specific Permissions
by ckohl1 (Hermit) on Aug 01, 2001 at 15:48 UTC
    The IIS settings that you are looking to maintain are stored in the IIS metabase. The metabase file (MetaBase.bin) does not lend itself to easy direct editing. So you might be better off scripting system commands to output from your Perl program to interface with the MS tools (adsutil.vbs, ...).

    An Introduction to the IIS Metabase


    Chris
    'You can't get there from here.'
Re: Setting IIS Specific Permissions
by $code or die (Deacon) on Aug 01, 2001 at 18:41 UTC
    Win32::OLE is your friend!

    Check out MSDN: Administering IIS Programmatically for more information about the metabase and all the other methods and properties that are accessible using ADSI. Here is some sample code that should get you started (pulled from my collection):

        use strict;
        use Win32::OLE qw(in);

        my $IISServer  = "LocalHost";
        my $w3serverID = 3;

        #Connect to the metabase directly onto the root of the third website
        my $iis_w3c = Win32::OLE->GetObject("IIS://$IISServer/W3SVC/$w3serverID/Root")
            or die "Can't connect to IIS";

        $iis_w3c->{AccessRead}    = 1;
        $iis_w3c->{AccessScript}  = 1;
        $iis_w3c->{AccessWrite}   = 0;
        $iis_w3c->{AccessExecute} = 0;

        #Save this info to the metabase
        $iis_w3c->SetInfo();

    This will disable write and execute permissions on the website. However, if any subfolders have "explicitly set" (rather than inherited) different settings, then you will need to change those also. You can get a list of paths which have set the permission by using the object->GetDataPaths(property, AttributeFlag) method.

    There is also a WMI provider that you can use instead of ADSI.

    Error: Keyboard not attached. Press F1 to continue.

    Update: If you want to disable execution of .cgi, .pl, .php, .asp, etc., you can also remove the "script mapping" from the website. Either do this manually through the MMC or you can do it programmatically using ADSI (described above) to disable it on certain folders. A good website is http://www.iisFAQ.com and go to the "ADSI Scripts" section - loads of useful scripts (mostly vbscript) that you can convert to Perl w/ Win32::OLE.
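
    The follow-up check described in the reply above (find nodes that set a permission explicitly and would therefore ignore the root setting), as an added example that is not part of the original post. It assumes the same server name and site number as the sample, that GetDataPaths returns its path list to Win32::OLE as an array reference, and that IIS_ANY_PROPERTY is 0 as given in the IIS ADSI documentation; the %deny table and variable names are illustrative.

```perl
use strict;
use warnings;
use Win32::OLE;

# AttributeFlag for GetDataPaths: report the property wherever it is set,
# inheritable or not (value taken from the IIS ADSI documentation).
use constant IIS_ANY_PROPERTY => 0;

# Assumed values, matching the sample in the post: local server, third site.
my $server  = 'LocalHost';
my $site_id = 3;
my $start   = "IIS://$server/W3SVC/$site_id/Root";

# Permissions to force off everywhere below $start.
# Add AccessScript => 0 here to stop script engines (ASP etc.) as well.
my %deny = (AccessWrite => 0, AccessExecute => 0);

my $root = Win32::OLE->GetObject($start)
    or die "Can't connect to $start: " . Win32::OLE->LastError();

for my $prop (sort keys %deny) {
    # Paths at or below $start where $prop is set explicitly.
    # The call yields undef when no such path exists or on error.
    my $paths = $root->GetDataPaths($prop, IIS_ANY_PROPERTY) || [];
    $paths = [$paths] unless ref $paths;    # tolerate a single-string result

    for my $path (@$paths) {
        my $node = Win32::OLE->GetObject($path);
        unless ($node) {
            warn "Skipping $path: " . Win32::OLE->LastError() . "\n";
            next;
        }

        # Leave nodes alone when the explicit value is already off.
        next unless $node->{$prop};

        $node->{$prop} = $deny{$prop};
        $node->SetInfo();    # write the change back to the metabase
        print "Cleared $prop on $path\n";
    }
}
```

    Each "Cleared" line it prints names a folder whose own setting was overriding the site default, which is worth keeping as a record of what was changed.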
           Ahhh, ++ $code or die and thank you. I wish I could just find some good docs on Win32::OLE. The OLE browser is okay and the examples in books like Win32 Perl Scripting and Perl for System Administration are good. But, that module seems to do everything including the kitchen sink. I wish I just had a good book on the nuts n' bolts of OLE.

      Thanks,
      Jeremy
Re: Setting IIS Specific Permissions
by Agermain (Scribe) on Aug 01, 2001 at 17:54 UTC

    Can you do it backwards? I.e. set the site default, at the head of the webroot, so that it disables executables and scripts for the entire site, and then selectively turn them on for the sections that need them? If the user directories get created more often than the other directories on your webroot, this seems like the way to go. Sure, it's a pain when you're building your 'own' pages, but you have more granular control over the non-user directories anyways since these are usually specific objectives...

    You might also want to check into Access Control Lists. They give some documentation on Microsoft's site about these, I know there's a command-line command you can use to set someone's access programmatically...


    andre germain
    "Wherever you go, there you are."