Network Security Focus-Microsoft

RE: IIS Security

Subject: RE: IIS Security
Date: Fri, 27 Oct 2006 16:14:18 -0700
The IUSR_ account is used by IIS for anonymous requests to the
filesystem (unless you've configured it otherwise) -- anonymous, in this
case, meaning a Windows domain or local machine account, *not* an
account inside of a web application.

Say, for example, that you're running a PHP-based product that performs
its own authentication to a database of some flavor. This code will,
under a default IIS configuration, all run under the IUSR_ account's
privileges. Now you add the IUSR_ account to the local Administrators
group. Any writes to the filesystem that the PHP application does will
be done as that user, with local machine admin privileges -- so any bugs
in the app may allow attackers to put arbitrary content to the hard
drive as an admin user. You've got rootkit!

ASP.NET runs under the context of a separate, non-privileged account
precisely for this reason.

Requiring IUSR_ to be a local admin is a serious sign of lack of clue on
the part of these vendors. They need to explain to you exactly why the
entire portal must run with local administrative privileges. You should
also ask them for a written guarantee that there are no bugs in their
code (or dependent code, including IIS and Windows) that attackers might
be able to use to leverage this access into a free walk onto your
machine.

--
Devin L. Ganger                    Email: deving@3sharp.com
3Sharp LLC                         Phone: 425.882.1032
15311 NE 90th Street                Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
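The check the reply describes, as an added example that is not part of the thread: a read-only PowerShell audit that reports whether any IIS anonymous identity (IUSR_<machinename> on IIS 6, or the built-in IUSR on later versions) sits in the local Administrators group. The function name, the use of the WinNT ADSI provider for group enumeration and the account-name patterns are assumptions; the script changes nothing and only prints the removal command an administrator would run.

```powershell
# Added example (not from the original message or from any vendor).
# Reports whether an IIS anonymous account is a member of the local
# Administrators group, which is the misconfiguration the reply warns about.
# Assumptions: the WinNT ADSI provider is available (it is on all supported
# Windows versions) and the anonymous account follows the IUSR_* / IUSR
# naming convention. The function is read-only.
function Test-IusrInLocalAdmins {
    param(
        # Constructed patterns for IIS anonymous identities:
        # IUSR_<machinename> (IIS 6 and earlier), IUSR (IIS 7 and later).
        [string[]]$AnonymousPatterns = @('IUSR_*', 'IUSR'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Enumerate members of the local Administrators group via ADSI.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # Collect any member whose name matches an anonymous-account pattern.
    $offenders = @()
    foreach ($name in $members) {
        foreach ($pattern in $AnonymousPatterns) {
            if ($name -like $pattern -and $offenders -notcontains $name) {
                $offenders += $name
            }
        }
    }

    [PSCustomObject]@{
        ComputerName        = $ComputerName
        AdminMembers        = $members
        AnonymousInAdmins   = $offenders
        IsViolation         = ($offenders.Count -gt 0)
    }
}

# Run the audit and print a remediation hint without applying it.
$result = Test-IusrInLocalAdmins
if ($result.IsViolation) {
    foreach ($acct in $result.AnonymousInAdmins) {
        Write-Warning ("{0}: IIS anonymous account '{1}' is in local Administrators." -f `
            $result.ComputerName, $acct)
        Write-Output ("Remediation (run manually after vendor sign-off): " +
            "net localgroup Administrators `"$acct`" /delete")
    }
} else {
    Write-Output ("{0}: no IIS anonymous account found in local Administrators." -f `
        $result.ComputerName)
}
```

Because the function returns an object rather than only printing, the same check can be scheduled across a fleet and the `IsViolation` field collected centrally; any vendor requirement to grant IUSR_ admin rights then shows up as a concrete, repeatable finding rather than a one-off observation.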

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of alex2@alexackley.com
Sent: Friday, October 27, 2006 7:54 AM
To: focus-ms@securityfocus.com
Subject: IIS Security

We've a vertical package that includes a web based portal. (quite
common for many Enterprise packages)

The problem lies in some of the requirements that the company puts on
running this portal.

The major one is that of adding the IUSR_machinename account to the
local admin group.
I know this is horrible, but I need specific reasons why this shouldn't be
done so that I can bring it to my boss and get it fixed.

Thanks
