Share via


Web Server Permissions (Compact 2013)

3/26/2014

The permissions registry value (P) in each virtual path specifies the permissions that the client browser has to the files under the virtual path, assuming that the client is authorized at the required level for the particular virtual path. P is a DWORD that is set by a bitwise-OR of the HSE_URL_FLAGS flags, which are defined in the file Httpext.h. The web server uses only the HSE_URL_FLAGS_READ, HSE_URL_FLAGS_EXECUTE, HSE_URL_FLAGS_SSL, and HSE_URL_FLAGS_SCRIPT flags. By default, read, execute, and script execution permissions are granted.

Within the Httpext.h file, the HSE_URL_FLAGS flags are defined as follows.

#define HSE_URL_FLAGS_READ         0x00000001  // Allow for Read.
#define HSE_URL_FLAGS_WRITE         0x00000002  // Allow for Write.
#define HSE_URL_FLAGS_EXECUTE      0x00000004  // Allow for Execute.
#define HSE_URL_FLAGS_SSL          0x00000008  // Require SSL.
#define HSE_URL_FLAGS_NEGO_CERT    0x00000020  // Allow client SSL certs.
#define HSE_URL_FLAGS_REQUIRE_CERT 0x00000040  // Require client SSL certs.
#define HSE_URL_FLAGS_MAP_CERT     0x00000080  // Map SSL cert to "Compact web server pseudo account".
#define HSE_URL_FLAGS_SSL128       0x00000100  // Require 128 bit SSL.
#define HSE_URL_FLAGS_SCRIPT       0x00000200  // Allow for Script execution.
#define HSE_URL_FLAGS_SCRIPT_SOURCE 0x00000400  // Allow client to access script source.

To create a virtual root that allows only read permission, set P = 1. No ASP or ISAPI DLLs will run from that virtual root.

To set a virtual root that has execute and script permissions, but no read permission, set P = 516 (bitwise-OR 0x00000004 with 0x00000200 = 0x204 = 516).

The virtual path must have the HSE_URL_FLAGS_EXECUTE or HSE_URL_FLAGS_SCRIPT flags set for ASP pages in the directory to be interpreted; otherwise, the web server returns the 403 – Forbidden status code to the client browser.

The web server supports ISAPI extensions. To be run by the web server, the ISAPI extension must be in a directory that has the HSE_URL_FLAGS_EXECUTE flag set. If an ISAPI DLL is in a directory that has HSE_URL_FLAGS_READ permissions, but does not have the HSE_URL_FLAGS_EXECUTE flag set, the DLL itself is downloaded to the client browser and not executed on the server.

If the HSE_URL_FLAGS_SCRIPT_SOURCE flag is set, users will be able to view the source to ISAPI extensions and ASP pages.

Dn269521.security(en-us,WinEmbedded.80).gifSecurity Note:
Enabling the HSE_URL_FLAGS_SCRIPT_SOURCE flag without HSE_URL_FLAG_WRITE set poses a security hazard. A malicious user can download the source code to your ASP pages or ISAPI extensions and analyze it, potentially finding exploitable security vulnerabilities. This scenario should be used only for internal development and should be avoided for any other circumstances.

To require files under a virtual path to be accessed through SSL and not through plain text, set the permissions to HSE_URL_FLAGS_SSL. If a virtual path does not have the HSE_URL_FLAGS_SSL flags set, it can be accessed through plain text or through SSL.

See Also

Concepts

Web Server Authentication and Permissions

Other Resources

Virtual Path Registry Settings