Security Basics mailing list archives

RE: permission


From: "Bill Lavalette" <billl () cyberbase7 com>
Date: Fri, 7 Feb 2003 18:09:42 -0600

Kenzo -

Your suspicions on this being a bad idea are correct. There are many
reasons why this is bad. One, the root of the system is on C. The winnt dir
may not be accessible via the guest account; however, with the plethora of
exploits out there, known and unknown, it probably wouldn't take a whole lot
to get by on the guest account. If the webmaster is testing an application
for errors, the better way to do this is not on a production box but in a
mirrored environment in a safe area.

As a rule of thumb, default installs of anything are bad. Another idea would
be to create a specific user to do the error checking against, with limited
permissions to do the job. The other thing I noticed in your post is that it
seems the webmaster techno-talked you, as you are new. One of the things more
experienced people will try to do is "get one by you". All you need to do is
build the equation as follows: define the business need, define the impact,
and factor in the risk. If it looks like you're going to get burned, have his
manager build a business case. This allows you the time to research the idea,
as you are already doing by asking this forum...

Best of luck to you...

Bill



Bill Lavalette
Chief Security Officer
CyberBase7 Security Services METRO-SOC
Email:Operations 'at' cyberbase7.com
WWW:http://www.cyberbase7.com



-----Original Message-----
From: Kenzo [mailto:kenzo_chin () hotmail com]
Sent: Friday, February 07, 2003 1:47 PM
To: security-basics () securityfocus com
Subject: permission


OK, I need some input from you guys on this.
Our webmaster seems to think that giving the guest internet user read access
to the C drive is OK as long as you don't set IIS to list content and other
stuff that I don't understand, since I don't know anything about running a
website.
I told him that by doing so, most subfolders will also take that permission,
so if someone that knows what they're doing could compromise that account,
they would have read access to almost the whole C drive.
The box is a win2k server with IIS5.  I believe he wants to do this for some
error checking for a C or java program.
The program is supposed to check to make sure that the drive has enough space
before it starts writing or copying things, and for that it needs read access
to the C drive.
To me, even though I don't know anything about programming and webhosting,
it doesn't look right from the security point of view.

Please give me some input on this if it's OK or not and why, so that I can
tell him yes it's OK or NO it's not OK because of this and that.

Thanks.

