Access to cmd shell thru asp-security question

[Rob]

Hi,

We have need to run server based .vbs files and other OS commands through
active server pages i.e...

Set oShell = Server.CreateObject("WScript.Shell")
oShell.Run("c:\somecmd.bat",,True)

Under Windows 2000 the EVERYONE group had read/execute rights against
cmd.exe. Under 2003 this has been removed and in order to get my .asp file
to execute the cmd shell I must grant the IUSR acct read/execute access to
cmd.exe on the web server.

Is there a better approach or "best practice" to properly secure my web
server and still be able to shell out to cmd.exe from asp?

Thanks for any insights!!!

 

[Jeff Cochran]

We have need to run server based .vbs files and other OS commands through
active server pages i.e...

Set oShell = Server.CreateObject("WScript.Shell")
oShell.Run("c:\somecmd.bat",,True)

Under Windows 2000 the EVERYONE group had read/execute rights against
cmd.exe. Under 2003 this has been removed and in order to get my .asp file
to execute the cmd shell I must grant the IUSR acct read/execute access to
cmd.exe on the web server.

Is there a better approach or "best practice" to properly secure my web
server and still be able to shell out to cmd.exe from asp?

You can use authentication and run the CMD as the authenticated user.
That only helps if you only need specific users running the commands
of course. You could also find alternatives to whatever you need to
shell to.

Otherwise, to get the functionality you may need to decrease the
security appropriately.

Jeff