WebApp Sec mailing list archives
RE: IIS Security
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 21 Nov 2005 11:25:41 -0600
> From: Schmidt, Albert E [mailto:AES () ola state md us]
> If the default IIS account only has access to the root document, what is the harm of placing the root document on the same disk partition as the operating system? If the account does not have access to the operating system files.

Do you mean the IWAM account? Or IUSR or the WWW Pub Service (inetinfo.exe)?

1. IWAM and IUSR both have rx to system files. localsystem has full control of system files. Which one are you referring to, and are you sure you restricted access to system files?

2. I haven't locked down IIS fully in a year or so, and memory is fuzzy, but I remember system files being impossible to whitelist or deny_all; could only perform limited blacklisting of permissions on specific files (e.g. tftp, cmd, etc.). Some people recommend removing those binaries, which isn't a bad idea, but better tripwire & audit, as future service packs (or on reboot if using fs_protection cache) may replace all the binaries you deleted, and with default privs.

3. I am a large fan of a read-only drive/partition for IIS, or any wwwserver. This will stop web-server focused worms from propagating and befuddle most script kiddies. But not because the system files are inherently more secure...

4. IWAM is priv limited. Provided your configs are sound and provided IIS is not flawed, threat should be limited...

5. People use IIS priv-config and overflow flaws to upload local exploits to elevate privs from IWAM to local_system. In 2004 there was a .NET traversal flaw that I verified (err, stole someone else's rumor of) that enabled one to snag web.config/global.asax even though security checks should have implicitly denied me. This may have allowed malicious upload if I found a writeable directory. -ro for entire webroot would significantly limit this. Defense in Depth.

A better, more up-to-date site than my brain would be IISAnswers: http://www.iissecurity.com/ Also visit the MS technet forums for these types of questions.

Other thoughts:

> From: Saqib Ali [mailto:docbook.xml () gmail com]
> Sent: Monday, November 21, 2005 10:05 AM
> 1) The traversal attacks used in the past

Can be flipped to %systemroot% and game over.

> 2) Some of the attacks in the past assumed that the wwwroot was
> c:\inetpub\wwwroot;

Remapping could provide some obscurity; you could copy the whole system drive & provide 'list' privs and *nothing* else. Would give a hacker fits unless they can flip to path or environment variables, or catch on to the game.

> 3) It is much easier to control the permissions for the anonymous account (INETUSER) that IIS uses, if the WWWROOT is located on a separate partition.

Not sure I agree. Whether \inetpub, \partition, or \unique_drive the degree of restriction is the same. -ae
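Points 3 and 5 above (a read-only webroot, and the risk of a writeable directory being found under it), and the closing exchange about whether partition placement changes anything, all come down to one question a defender can check directly: which directories under the webroot do the IIS worker/anonymous identities actually hold write-type NTFS rights on? The PowerShell script below is an added audit example written for this archive page; it is not code from the thread or from any of its participants. It assumes PowerShell 3.0 or later (for `Get-ChildItem -Directory`), that it is run by an account able to read the ACLs, and that the default web root and principal names are placeholders to be adjusted: the IIS 5/6-era accounts discussed in the thread are `IUSR_<MACHINE>` and `IWAM_<MACHINE>`, while IIS 7 and later use `IUSR` and `IIS_IUSRS`.

```powershell
# Added audit example (not from the thread): list directories under a web root
# where IIS anonymous/worker identities (or broad groups) hold write-type NTFS rights.
# Assumptions: $WebRoot and $Principals are placeholders; adjust for your host.
# IIS 5/6: IUSR_<MACHINE>, IWAM_<MACHINE>.  IIS 7+: IUSR, IIS_IUSRS.

param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string[]]$Principals = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME",
                              'IUSR', 'IIS_IUSRS', 'Everyone', 'BUILTIN\Users')
)

# Specific NTFS rights that allow creating, changing or deleting content,
# or changing the ACL itself (which is as good as write).
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Generic access bits that some ACEs carry instead of the specific rights above.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

function Test-PrincipalMatch {
    param([string]$Identity, [string[]]$Names)
    # Compare on the account name after any DOMAIN\ or MACHINE\ prefix so that
    # 'BUILTIN\Users' and 'Users' match the same ACE.
    $leaf = ($Identity -split '\\')[-1]
    foreach ($n in $Names) {
        if ($leaf -ieq (($n -split '\\')[-1])) { return $true }
    }
    return $false
}

function Get-WritableWebDirs {
    param([string]$Root, [string[]]$Names)
    # Include the root itself plus every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries grant anything; Deny entries are what we want to see.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if (-not (Test-PrincipalMatch -Identity $ace.IdentityReference.Value -Names $Names)) { continue }
            $rights = [int]$ace.FileSystemRights
            $writes = (($rights -band [int]$writeMask) -ne 0) -or
                      (($rights -band $GENERIC_WRITE) -ne 0) -or
                      (($rights -band $GENERIC_ALL) -ne 0)
            if ($writes) {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-WritableWebDirs -Root $WebRoot -Names $Principals)
if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACEs for [$($Principals -join ', ')] under $WebRoot"
} else {
    # Each row is a directory the web identity could write into; an upload-capable
    # flaw in the application would land exactly here, so fix or justify every row.
    $findings | Format-Table -AutoSize
}
```

Run it against each site root, and treat every row as a finding: an inherited `Modify` from `BUILTIN\Users` is the usual culprit. Note that the script inspects the ACL only, which is the point of the last exchange above: the restriction comes from the permissions, and the same check gives the same answer whether the webroot lives under `\inetpub`, on its own partition, or on a separate drive. A genuinely read-only volume removes the whole class of finding, which is the stronger control the thread recommends.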
Current thread:
- IIS Security Schmidt, Albert E (Nov 21)
- Re: IIS Security Saqib Ali (Nov 21)
- Re: IIS Security Saqib Ali (Nov 21)
- <Possible follow-ups>
- RE: IIS Security Evans, Arian (Nov 21)