Cisco Support Community

CSA Rule - IIS Server and descendants, write all files

(This rule locks down the application by placing restrictions on file operations. If an application becomes compromised (buffer-overrun attack), this rule limits what types of files can be accessed by the application.)

My question is this: the rule DENIES the aspnet_wp.exe, w3wp.exe, and inetinfo.exe applications from writing to ALL files.

How can we ALLOW legitimate file operations but still block malicious activity?

This one is tough because there are many different web files that aspnet_wp.exe, w3wp.exe, inetinfo.exe, etc. call upon, making tuning difficult.

Everyone's thoughts are appreciated as we tune CSA.


Re: CSA Rule - IIS Server and descendants, write all files

You need to run application and behavior monitoring and understand what the applications do in order to make good exceptions.

You could then create a dynamic app class that is triggered when your applications run and create data.

You could put that app class in the exceptions list for that rule.

This should keep any other activity from being able to write files while allowing your applications to run.

Tom S
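The tuning approach in the reply above (monitor what the IIS processes actually write during normal operation, turn that into an exception set, and let the deny-all-writes rule catch everything else) can be illustrated with a small script. This is an added example, not part of the thread and not CSA's own logging or rule format: the log line layout, the process names' directories and the timestamps are all constructed here as assumptions. A learning window builds a per-process allow-list of written directories; later events are then checked against it, and any write outside the learned set is reported as something the rule would still block.

```python
"""Baseline-and-exception check for process file writes.

Constructed example (not CSA code): a simplified monitoring log is parsed,
a learning window builds a per-process allow-list of directories written
to legitimately, and later events are checked against that allow-list.
Writes outside it are what a deny-all-writes rule should still block.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
import re

# Constructed log format (assumption; not CSA's actual format):
# <timestamp> <process image> WRITE <path>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+WRITE\s+(.+)$")

# Constructed sample of a monitoring window taken while the site runs normally.
BASELINE_LOG = """\
2009-03-01T10:00:01 w3wp.exe WRITE C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\Temporary ASP.NET Files\\root\\hash\\app.dll
2009-03-01T10:00:02 w3wp.exe WRITE C:\\inetpub\\wwwroot\\App_Data\\uploads\\report.pdf
2009-03-01T10:00:03 inetinfo.exe WRITE C:\\WINDOWS\\system32\\LogFiles\\W3SVC1\\ex090301.log
2009-03-01T10:00:04 aspnet_wp.exe WRITE C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\Temporary ASP.NET Files\\root\\page.dll
"""

# Constructed sample of later activity to evaluate against the learned exceptions.
CANDIDATE_LOG = """\
2009-03-02T11:00:01 w3wp.exe WRITE C:\\inetpub\\wwwroot\\App_Data\\uploads\\invoice.pdf
2009-03-02T11:00:02 w3wp.exe WRITE C:\\WINDOWS\\system32\\drivers\\etc\\hosts
2009-03-02T11:00:03 inetinfo.exe WRITE C:\\WINDOWS\\system32\\LogFiles\\W3SVC1\\ex090302.log
2009-03-02T11:00:04 w3wp.exe WRITE C:\\inetpub\\wwwroot\\default.aspx
"""


def parse(log_text):
    """Yield (process, path) tuples from the constructed log lines; skip malformed lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(2).lower(), PureWindowsPath(m.group(3))


def learn_allowlist(log_text):
    """Per-process set of directories (lower-cased) written to during the monitoring window."""
    allow = defaultdict(set)
    for proc, path in parse(log_text):
        allow[proc].add(str(path.parent).lower())
    return allow


def is_allowed(allow, proc, path):
    """True if the file's directory is a learned directory for this process, or lies below one."""
    p = str(path.parent).lower()
    return any(p == d or p.startswith(d + "\\") for d in allow.get(proc, ()))


def check(allow, log_text):
    """Return the (process, path) writes that fall outside the learned exceptions."""
    return [(proc, str(path)) for proc, path in parse(log_text)
            if not is_allowed(allow, proc, path)]


if __name__ == "__main__":
    learned = learn_allowlist(BASELINE_LOG)
    for proc, dirs in sorted(learned.items()):
        print(f"{proc}: allow writes under {sorted(dirs)}")
    for proc, path in check(learned, CANDIDATE_LOG):
        print(f"OUTSIDE EXCEPTIONS (rule would still block): {proc} -> {path}")
```

With the constructed samples, the upload and IIS log writes are covered by the learned directories, while the w3wp.exe writes to the hosts file and directly into the web root are reported as outside the exceptions. The directory granularity is a deliberate choice: exceptions at the file level would churn as new content is created, while exceptions at the directory level keep the rule effective against writes to places the web workers never touch in normal operation.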
