COMMAND

    Microsoft Internet Information Server

SYSTEMS AFFECTED

    Win NT

PROBLEM

    The following information came from Chris Borneman.

    When securing your site based on membership (who you are, not
    where you are located), IIS turns to NTFS and the security access
    associated with the file.  For instance, in IIS you have the
    ability to say "Allow Anonymous".  This is used in conjunction with
    the "Anonymous Logon".  The reason is simple: any file that can
    be accessed by the account specified in "Anonymous Logon" can be
    accessed by any Web user hitting your site.

    If  the  "Anonymous  Logon",  usually  IUSR_machine_name,   cannot
    access the  file, IIS  sends back  an "access  denied, please give
    your  credentials"  allowing  either  Basic  Authentication (clear
    text), and/or Windows NT Challenge/Response.

    If the credentials match the access to the file in question, the
    file is sent.  Try this for yourself.  Create a directory under
    your wwwroot and use the NT Explorer to revoke rights on that
    directory and any subdirectory and only allow the SYSTEM and your
    specific account access (make sure it isn't the IUSR_machine_name
    account).  Place an htm file in that directory, then access it from
    Internet Explorer.  You'll be asked to give your user name and
    password (assuming you allow Basic Authentication and turn off
    Windows NT Challenge/Response).

    However, if you do the same for a script, IIS still _executes_ it
    and sends back the results.  This isn't an issue of "Read" vs.
    "Execute".  The script isn't readable.  The directory I'm dealing
    with has "Read" off and "Execute" on.  However, the script also
    shouldn't be accessible or run until I provide my credentials,
    and that is the SECURITY HOLE.  Netscape's Server does this
    _correctly_, so why not Microsoft?

    Try the following in a command prompt DOS box:

        TYPE C:\AUTOEXEC.BAT..

    Windows  NT  types  out  the  file  C:\AUTOEXEC.BAT,  even  though
    C:\AUTOEXEC.BAT.. was  requested and  it doesn't  exist.   This is
    why IIS  failed, due  to an  OS bug  that Microsoft  gladly skated
    around and blamed IIS.
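
    The trailing-dot behaviour shown by the TYPE command can be checked
    for at the web tier.  The following is an added example, not part of
    the original advisory: it flags request paths whose final component
    Windows would open under a different name than the one requested.
    The sample request lines and function names are constructed, and only
    trailing dots and spaces on the last component are modelled.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample request lines for illustration (not from the advisory).
SAMPLE_REQUESTS = [
    "GET /members/report.htm HTTP/1.0",
    "GET /members/report.htm.. HTTP/1.0",
    "GET /scripts/query.idc%2E HTTP/1.0",
    "GET /scripts/query.idc%20 HTTP/1.0",
    "GET /docs/ HTTP/1.0",
]


def requested_name(url_path):
    """Final path component exactly as the client asked for it, after URL decoding."""
    decoded = unquote(urlsplit(url_path).path).replace("\\", "/")
    return decoded.rsplit("/", 1)[-1]


def win32_open_name(url_path):
    """Final component as Win32 would open it: trailing dots and spaces dropped.

    Assumption: only this one normalization rule is modelled, and only on the
    last component, which is the case the TYPE command demonstrates.
    """
    name = requested_name(url_path)
    if name in (".", ".."):  # directory references, not file names
        return name
    return name.rstrip(". ")


def flag_requests(request_lines):
    """Return the raw paths whose requested name differs from the name opened."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a well-formed request line
        path = parts[1]
        if requested_name(path) != win32_open_name(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_requests(SAMPLE_REQUESTS):
        print(f"{path!r} would open {win32_open_name(path)!r}")
```

    A request filter can reject such names, or canonicalize them before
    the access check and the handler lookup, so that both decisions are
    made on the name the file system will actually open.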

    IIS is supposed to access  _every_ file within the thread  context
    of either anonymous, or the specific Web user.  IIS does this  for
    all non-script files.  However, it does not for script files.

SOLUTION

    Well, someone mentioned leaving IIS and going to Netscape server.