[thelist] client side asp processor

Ken Schaefer ken at adOpenStatic.com
Thu Jun 17 06:36:03 CDT 2004


As an addendum however, aren't you a little worried that a malicious user
can easily view and edit the code in the ASP page itself? How would you
prevent User A from modifying the web application in a way that allows User
A to intercept or tamper with information accessed or entered by User B?
(and numerous other potentially dangerous situations)?

In terms of the IIS 5.0 security issue: it's relatively easy to lock down IIS
v5 now using the IIS LockDown tool. There also haven't been any security
patches for IIS 5.0 since May 2003 (and if you had the lockdown tool
installed, you probably wouldn't have been bitten by those vulnerabilities
anyway). If you combine:
a) local firewall -and/or- IPSec policy to restrict access from localhost
only
b) install IIS LockDown tool
c) have an automated patch deployment system (like SUS)
I think you'd mitigate most of the risks of running IIS 5.0

Alternatively, run the whole app on a webserver. The only reason I can think
of for having a client-side processor would be if the machine is not
connected to the network, in which case vulnerabilities in IIS are a bit of
a moot point really...

Windows 2003 Server has a web edition that is fairly cheap. IIS 6.0 has no
known vulnerabilities, plus it ships in a locked down mode.

Cheers
Ken

----- Original Message ----- 
From: "Ken Schaefer" <ken at adOpenStatic.com>
To: <thelist at lists.evolt.org>
Sent: Thursday, June 17, 2004 11:56 AM
Subject: Re: [thelist] client side asp processor


: What do you mean by a client-side ASP emulator? You have ASP pages that need
: to be run? If so, what about using Windows Script Host (WSH)? Or Visual
: Basic?
:
: Cheers
: Ken
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: "Christopher Mahan" <chris_mahan at yahoo.com>
: Subject: [thelist] client side asp processor
:
:
: : Looking for client-side asp processor for offline work.
: :
: : Can't use iis or pws (security issues) (healthcare field)
: :
: : tried iisemulator from buyonica, but it failed with null errors where
: : IIS does not.
: :
: : needs to run on win2kpro.
: :
: : needs to have ado.
: :
: : anything out there?
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~