WebApp Sec mailing list archives

RE: Global.asa security under IIS 6.0


From: "Sasha Biskup" <swissc () blueyonder co uk>
Date: Wed, 9 Jun 2004 23:02:02 +0100

Hi,

While I'm new to all of this, isn't the best thing to control NTFS
permissions to deny full access to IUSR__computername or whatever you
have assigned your anonymous users to (or a group), that is, to the
global.asa file, as a browser user has no reason to access this file?

Swiss

-----Original Message-----
From: Don Tuer [mailto:don.tuer () cgi com] 
Sent: Wednesday, 9 June 2004 3:21 PM
To: 'Bénoni MARTIN'; webappsec () securityfocus com;
pen-test () securityfocus com
Subject: RE: Global.asa security under IIS 6.0

Basically, IIS will not return global.asa (and other configuration files)
for any reason to a request. The only way to access this file is to exploit
known or unknown vulnerabilities in IIS. This implies that you must keep
IIS patched. For .NET, Microsoft has made many improvements in security,
including allowing you to encrypt passwords in the configuration files
(i.e. web.config).

Thanks
Don 

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] 
Sent: Tuesday, June 08, 2004 4:18 AM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Global.asa security under IIS 6.0

Hi list !

I am wondering how secure the "global.asa" file is in ASP. It
seems that we can gather there most of the parameters used with our
ASP pages, but it can also be a weakness if a malicious guy gets
access to it!


So does anyone know how secure it is to use global.asa, how we can get
it from a website (IIS refuses access to it with an
http://blahblahblah.com/global.asa)... and how we can avoid people
stealing it?


Thanks in advance!


