Web Server Permissions (Windows Embedded CE 6.0)

  • Article

1/6/2010

The permissions registry value (P) in each virtual path specifies the permissions that the client browser has to the files under the virtual path, assuming that the client is authorized at the required level for the particular virtual path. P is a DWORD that is set by a bitwise-OR of the HSE_URL_FLAGS flags, which are defined in the file Httpext.h. The Web Server only uses the HSE_URL_FLAGS_READ, HSE_URL_FLAGS_EXECUTE, HSE_URL_FLAGS_SSL, and HSE_URL_FLAGS_SCRIPT flags. By default, read, execute, and script execution permissions are granted.

Within the Httpext.h file, the HSE_URL_FLAGS flags are defined as follows.

#define HSE_URL_FLAGS_READ         0x00000001  // Allow for Read.
#define HSE_URL_FLAGS_WRITE         0x00000002  // Allow for Write.
#define HSE_URL_FLAGS_EXECUTE      0x00000004  // Allow for Execute.
#define HSE_URL_FLAGS_SSL          0x00000008  // Require SSL.
#define HSE_URL_FLAGS_NEGO_CERT    0x00000020  // Allow client SSL certs.
#define HSE_URL_FLAGS_REQUIRE_CERT 0x00000040  // Require client SSL certs.
#define HSE_URL_FLAGS_MAP_CERT     0x00000080  // Map SSL cert to "CE Web server pseudo account".
#define HSE_URL_FLAGS_SSL128       0x00000100  // Require 128 bit SSL.
#define HSE_URL_FLAGS_SCRIPT       0x00000200  // Allow for Script execution.
#define HSE_URL_FLAGS_SCRIPT_SOURCE 0x00000400  // Allow client to access script source.

To create a virtual root that allows only read permission, set P = 1. No ASP or ISAPI DLLs will run from that virtual root.

To set a virtual root that has execute and script permissions, but no read permission, set P = 516 (bitwise-OR 0x00000004 with 0x00000200 = 0x204 = 516).

The virtual path must have the HSE_URL_FLAGS_EXECUTE or HSE_URL_FLAGS_SCRIPT flags set for ASP pages in the directory to be interpreted; otherwise, the Web Server returns the 403 – Forbidden status code to the client browser.

The Web Server supports ISAPI extensions. To be run by the Web Server, the ISAPI extension must be in a directory that has the HSE_URL_FLAGS_EXECUTE flag set. If an ISAPI DLL is in a directory that has HSE_URL_FLAGS_READ permissions, but does not have the HSE_URL_FLAGS_EXECUTE flag set, the DLL itself is downloaded to the client browser and not executed on the server.

If the HSE_URL_FLAGS_SCRIPT_SOURCE flag is set, users will be able to view the source to ISAPI extensions and ASP pages. **For Windows Embedded CE , if this flag is set at the same time that HSE_URL_FLAGS_WRITE is set and if WebDAV is enabled, the user will be able to upload ISAPI extensions and ASP pages to the device.

Ee498897.security(en-US,WinEmbedded.60).gifSecurity Note:
For Windows Embedded CE , setting the HSE_URL_FLAGS_SCRIPT_SOURCE flag when the HSE_URL_FLAG_WRITE flag is set, and WebDAV is enabled, poses a security hazard. This scenario should only be used for internal development and testing documents and should be avoided for any other circumstances. Furthermore, enabling the HSE_URL_FLAGS_SCRIPT_SOURCE flag without HSE_URL_FLAG_WRITE set also poses a danger. A malicious user can download the source code to your ASP pages or ISAPI extensions and analyze it, potentially finding exploitable security vulnerabilities.

**To require files under a virtual path to be accessed through SSL and not through plain text, set the permissions to HSE_URL_FLAGS_SSL. If a virtual path does not have the HSE_URL_FLAGS_SSL flags set, it can be accessed through plain text or through SSL.

See Also

Concepts

Web Server Authentication and Permissions
Virtual Path Registry Settings