Re: Securing a CGI script

Windows Integrated Authentication causes any script to be executed with the permissions set for the user that authenticated. Basically, the scripts will run as if the user was logged into the server console. Access to files, scripts and network shares are restricted by ACLs on the file system, registry and network shares. You will need to work with the permissions set for non-administrative users in order to get your script working.

The chances are that your application will work just fine when you use it but will break when normal users have a go. This is probably because you are an administrator on the server and have different permissions to normal users. You will need to debug your application as a regular user. You need to look out for permissions related issues.

General points:

Files are secured by the ACL on the directory or file itself. This applies to all files including configuration files etc. I have found that a tool like NTFILEMON is useful for working out which files are really used.
Registry entries are also secured by ACL. You will need to use Regedit32 to view the permissions. Use NTREGMON to look at registry usage.
Network Shares are protected by ACL. This typically limits the people who can read files to a small number of administrators. Super Search for IIS and share.

The utilities mentioned above are available from SysInternals (http://www.sysinternals.com/ntw2k/utilities.shtml)

Comment on Re: Securing a CGI script

Replies are listed 'Best First'.
Re^2: Securing a CGI script by qadwjoh (Scribe) on Sep 30, 2004 at 10:18 UTC
Hi, thanks for the advice, but my problem isn't getting my website to work - I'm just interested to know the benefits of using RunAs instead of settings in IIS, if any. thanks, A	[reply]