Network Security Web-App-Sec
RE: IIS Security

Subject: RE: IIS Security
Date: Mon, 21 Nov 2005 11:25:41 -0600

From: Schmidt, Albert E [mailto:AES@ola.state.md.us] 

> If the default IIS account only has access to the root
> document, what is the harm of placing the root document on
> the same disk partition as the operating system? If the
> account does not have access to the operating system files.

Do you mean the IWAM account? Or IUSR, or the WWW Pub Service (inetinfo.exe)?

1. IWAM and IUSR both have rx to system files. localsystem
has full control of system files. Which one are you referring to,
and are you sure you restricted access to system files?

2. I haven't locked down IIS fully in a year or so, and my memory
is fuzzy, but I remember system files being impossible to
whitelist or deny_all; I could only perform limited blacklisting
of permissions on specific files (e.g. tftp, cmd, etc.). Some
people recommend removing those binaries, which isn't a bad idea,
but better to tripwire & audit, as future service packs (or a reboot,
if using the fs_protection cache) may replace all the binaries you
deleted, and with default privs.

3. I am a large fan of a read-only drive/partition for IIS,
or any www server. This will stop web-server-focused worms
from propagating and befuddle most script kiddies. But not
because the system files are inherently more secure...

4. IWAM is priv-limited. Provided your configs are sound and
provided IIS is not flawed, the threat should be limited...

5. People use IIS priv-config and overflow flaws to upload local
exploits to elevate privs from IWAM to local_system. In 2004
there was a .NET traversal flaw that I verified (err, stole someone
else's rumor of) that enabled one to snag web.config/global.asax
even though security checks should have implicitly denied me.
This may have allowed malicious upload if I had found a writeable
directory. -ro for the entire webroot would significantly limit this.

Defense in Depth.

A better, more up-to-date site than my brain would be IISAnswers:

http://www.iissecurity.com/

Also visit the MS TechNet forums for these types of questions.

Other thoughts:

From: Saqib Ali [mailto:docbook.xml@gmail.com] 
Sent: Monday, November 21, 2005 10:05 AM


> 1) The traversal attacks used in the past

Can be flipped to %systemroot% and game over.

> 2) Some of the attacks in the past assumed that the wwwroot was
> c:\inetpub\wwwroot;

Remapping could provide some obscurity; you
could copy the whole system drive & provide 'list' privs and *nothing*
else. Would give a hacker fits unless they can flip to path or
environment variables, or catch on to the game.
 
> 3) It is much easier to control the permissions for the anonymous
> account (INETUSER) that IIS uses, if the WWWROOT is located on a
> separate partition.

Not sure I agree. Whether \inetpub, \partition, or \unique_drive
the degree of restriction is the same.

-ae
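As an added example (this is not part of the thread and not code from either poster), the following PowerShell script checks the two ACL questions the reply keeps coming back to: whether the IIS web identities (IUSR_*, IWAM_*, or the broad groups they sit in) hold any write-type right under the webroot, which a read-only webroot rules out, and whether those identities can still execute cmd.exe and tftp.exe, the binaries the reply says it blacklisted. The webroot path, the identity-name pattern and the binary list are assumptions to adjust for your server; the same check applies whether the webroot lives on the system drive or a separate partition.

```powershell
<#
  Added example, not from the thread. Audits NTFS ACLs for:
  (1) write-type rights held by IIS web identities anywhere under the webroot
      (with a read-only webroot this list should be empty), and
  (2) execute rights those identities still hold on sensitive system binaries.
  $WebRoot, $SensitiveBinaries and $WebIdentityPattern are assumptions.
  Run from an elevated prompt so Get-Acl can read every ACL.
#>
param(
    [string]   $WebRoot = 'C:\inetpub\wwwroot',
    [string[]] $SensitiveBinaries = @("$env:SystemRoot\System32\cmd.exe",
                                      "$env:SystemRoot\System32\tftp.exe"),
    # Case-insensitive regex for accounts that service untrusted requests:
    # IIS 5/6 style IUSR_<host> / IWAM_<host>, the later plain IUSR, and the
    # broad groups those accounts are members of.
    [string]   $WebIdentityPattern = '^(.+\\)?(IUSR(_.+)?|IWAM(_.+)?|Everyone|Users|Authenticated Users)$'
)

$Rights = [System.Security.AccessControl.FileSystemRights]

# Any of these bits lets a web identity alter content or plant a file for a
# later "upload a local exploit, elevate to SYSTEM" step. Modify and
# FullControl are supersets of these bits, so the -band test catches them too.
$WriteRights = [int]$Rights::Write -bor [int]$Rights::Delete -bor
               [int]$Rights::ChangePermissions -bor [int]$Rights::TakeOwnership
$ExecRights  = [int]$Rights::ExecuteFile

function Get-WebIdentityGrants {
    <# Emits the Allow ACEs on $Path whose identity matches $WebIdentityPattern,
       whose rights overlap $Wanted, and which are not cancelled by an explicit
       Deny on the same identity. Group membership is not resolved, so a Deny
       on IUSR does not hide an Allow on Users here; read the output as a list
       of things to look at, not a proof of exposure. #>
    param([string]$Path, [int]$Wanted)
    $acl  = Get-Acl -LiteralPath $Path
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -match $WebIdentityPattern })
    $denied = @{}
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Deny' -and (([int]$ace.FileSystemRights -band $Wanted) -ne 0)) {
            $denied[$ace.IdentityReference.Value] = $true
        }
    }
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($denied.ContainsKey($ace.IdentityReference.Value)) { continue }
        if (([int]$ace.FileSystemRights -band $Wanted) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# (1) Anything a web identity can write, delete or re-ACL under the webroot.
$writable  = @(Get-WebIdentityGrants -Path $WebRoot -Wanted $WriteRights)
$writable += @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
               ForEach-Object { Get-WebIdentityGrants -Path $_.FullName -Wanted $WriteRights })

# (2) Sensitive binaries a web identity can still execute.
$executable = @(foreach ($bin in $SensitiveBinaries) {
    if (Test-Path -LiteralPath $bin) { Get-WebIdentityGrants -Path $bin -Wanted $ExecRights }
})

if ($writable.Count -eq 0) {
    "OK: no write-type grants to web identities under $WebRoot"
} else {
    Write-Warning "Web identities can modify content under $WebRoot (webroot is not read-only):"
    $writable | Format-Table Path, Identity, Rights, Inherited -AutoSize
}

if ($executable.Count -eq 0) {
    "OK: web identities cannot execute the listed binaries"
} else {
    Write-Warning "Web identities can still execute sensitive binaries:"
    $executable | Format-Table Path, Identity, Rights, Inherited -AutoSize
    # Remediation on Server 2008 and later is an explicit Deny ACE, e.g.:
    #   icacls "$env:SystemRoot\System32\tftp.exe" /deny "IUSR:(RX)"
    # Re-run this script after service packs, since they may restore default ACLs.
}
```

Both "OK" lines together are what the reply means by a -ro webroot with the dangerous binaries blacklisted: the anonymous and out-of-process accounts are left with at most read/execute on content and nothing on the tools an uploaded local exploit would reach for. Because inherited ACEs are reported with Inherited=True, a single broad grant at the webroot or drive level shows up once per file, which is usually the first thing to fix.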