
Communication Security: Web Based Services • Chapter 5  259


                      ■  None, which prevents any programs from running in the directory. When
                         this is set, only static files like Hypertext Markup Language (HTML) can
                         be run from the directory.

                      ■  Scripts only, which only allows scripts (such as those written in Visual
                         Basic for Scripting Edition (VBScript), JavaScript, and so forth) to run
                         from the directory.

                      ■  Scripts and executables, which allows any program to run. Not only
                         can scripts run from a directory with this permission, but executables
                         placed in the directory can also be run.


                 Figure 5.1 Directory Properties

                    As with any permissions that are given to users, you should never apply more
                 permissions to a directory than are absolutely necessary for a person to use the Web
                 content stored there. For example, a directory containing scripts would have Read
                 and Scripts Only access, so that someone accessing an Active Server Page could run
                 the script and view the page. If you had Microsoft Access databases stored in a
                 database directory, you would only give Read access if people were only retrieving
                 data, but would give Read and Write access if people were providing data that was
                 being stored in these databases. You would never give more access than users
                 required, because this could create situations where someone could cause significant
                 damage to your site. Just imagine a hacker browsing the directory structure,
                 uploading malicious software and executing it, and you see the point.
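
The least-privilege rule above can be checked mechanically. The following is an added example, not code from the book: it decodes a directory's permission bitmask into the settings listed above and reports anything granted beyond what the content needs. It assumes the settings are stored as IIS metabase AccessFlags bits; the function names, directory paths and inventory are constructed for illustration.

```python
# Added example (not from the book): least-privilege audit of directory permissions.
# Assumption: settings are stored as IIS metabase AccessFlags bits.
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE, ACCESS_SCRIPT = 0x1, 0x2, 0x4, 0x200
LEVELS = ["None", "Scripts only", "Scripts and executables"]  # least to most permissive

def decode(flags):
    """Translate an AccessFlags bitmask into the settings shown in the dialog."""
    if flags & ACCESS_EXECUTE:
        level = "Scripts and executables"
    elif flags & ACCESS_SCRIPT:
        level = "Scripts only"
    else:
        level = "None"
    return {"read": bool(flags & ACCESS_READ),
            "write": bool(flags & ACCESS_WRITE),
            "execute": level}

def audit(path, flags, needed):
    """Return findings where granted permissions exceed what the content needs."""
    granted = decode(flags)
    findings = []
    for perm in ("read", "write"):
        if granted[perm] and not needed[perm]:
            findings.append(f"{path}: {perm.capitalize()} granted but not required")
    if LEVELS.index(granted["execute"]) > LEVELS.index(needed["execute"]):
        findings.append(f"{path}: '{granted['execute']}' exceeds required '{needed['execute']}'")
    if granted["write"] and granted["execute"] != "None":
        findings.append(f"{path}: Write plus '{granted['execute']}' lets uploaded files run")
    return findings

# Constructed inventory: (path, granted AccessFlags, what the content needs).
INVENTORY = [
    ("/scripts", ACCESS_READ | ACCESS_SCRIPT,
     {"read": True, "write": False, "execute": "Scripts only"}),
    ("/database", ACCESS_READ | ACCESS_WRITE,
     {"read": True, "write": True, "execute": "None"}),
    ("/uploads", ACCESS_READ | ACCESS_WRITE | ACCESS_SCRIPT | ACCESS_EXECUTE,
     {"read": True, "write": True, "execute": "None"}),
]

def run_audit(inventory=INVENTORY):
    """Audit every inventory entry and return all findings in order."""
    return [f for path, flags, needed in inventory for f in audit(path, flags, needed)]

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The scripts and database directories match the two cases in the paragraph above and produce no findings; only the constructed `/uploads` entry, which combines Write with an execute permission, is reported.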

                                                                              www.syngress.com