Re: Prevent security bypass

["Chris Travers" <chris () travelamericas com>]

To do this in IIS:

1)  Set authentication options in IIS nto to allow anonymous.

2)  Assign appropriate NTFS permissions on directories.

Exact steps will vary with IIS version.

I too prefer Apache.  But IIS is capable of doing this.

Best Wishes,
Chris Travers
----- Original Message -----
From: "Ulrich P." <spam () wir-sind org>
To: "Chris Neil" <Chris.Neil () abs-ltd com>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, February 04, 2003 9:33 AM
Subject: Re: Prevent security bypass


> you could convert your webserver into an apache and then use
> .htaccess-files to protect whole directory-trees.
> this may somehow seem to be a drastic solution, but in fact it's not. ;-)
> SCNR...
>
> no, to be seriuos. I'm not used to IIS, but there should also be a
> simple method to do http-authentication and directory protection.
>
> as I can't provide you with details, I would recommend you a quick
> google-search on that topic. that should help.
>
> or someone else wants to describe it to us...? (got nearly curious now,
> I admit...)
>
> best regards,
>
> ulrich
>
>
>
> Chris Neil wrote:
> > I am new to this mailing list and so hope this conforms to the
guidelines as
> > I read them.
> >
> > How do people address the issue of non-authenticated users requesting
html
> > pages directly from a site without logging in?
> >
> > FYI. This is an IIS server. Our asp pages check the user is logged in,
but
> > with html pages we cannot.
> > My only idea so far is to convert all our html pages to asp. Is there
> > anything less drastic?
> >
> >
> > Chris Neil
> >   Security Officer
> >   Chris.Neil () abs-ltd com
> > -------------------------------------------
> > ABS
> >   Tel:     +44 (0) 1993 771221
> >   Fax:    +44 (0) 1993 775081
> > -------------------------------------------
> >
> >
> > .