Security Incidents mailing list archives
RE: Rash of navy web site defacements
From: Andrew Thomas <andrew () unysen com>
Date: Fri, 1 Jun 2001 10:51:40 +0200
Bad taste to reply to my own message, I know, but I missed off another check as part of ACL setting - remove IUSR/IWAM account write access from all directories that don't explicitly need it. This is a rare occurrence - document uploads and the like on a website, or file attachments to web-based mail systems.
-----Original Message-----
From: Andrew Thomas
Sent: Friday, June 01, 2001 10:49 AM
Subject: RE: Rash of navy web site defacements

-----Original Message-----
From: Jay D. Dyson [mailto:jdyson () treachery net]
Sent: Thursday, May 31, 2001 7:36 PM
Subject: Re: Rash of navy web site defacements

--snip--

Exploiting IIS isn't simply trivial. You have to tie a board across your butt to keep from falling in.

As much as everyone has knocked M$ products, IIS in particular, most of the most recently released vulnerabilities are entirely avoidable *WITHOUT* the hotfixes in question.

1 - Go through the relevant MS issued security checklist (Securing IIS4 or IIS5)
2 - Set ACLs sensibly: why would IUSR/IWAM accounts need to execute anything in the winnt\system directory, or most places for that matter?
3 - remove extension mappings for handlers you don't need
4 - remove virtual directory mappings you don't need/the like (/msadc, /scripts, ...)

With these steps, while I remain open to correction, I don't see how any of the unicode, cgi double-decode or recent .printer overflows would have been easily exploitable.
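An audit for the write-access check described in the message above, as an added example that is not part of the original thread: it parses `icacls <dir> /T` output and reports every directory where an IUSR_/IWAM_ account holds an allow entry with write-capable rights, except directories explicitly allowed (upload areas). The host name `WEB01`, the paths and the function name are constructed, and paths are assumed to contain no spaces.

```python
import re

# Constructed sample in the layout printed by `icacls <dir> /T` (not from the thread).
SAMPLE_ICACLS = r"""
C:\inetpub\wwwroot BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   WEB01\IUSR_WEB01:(OI)(CI)(RX)

C:\inetpub\wwwroot\forum WEB01\IUSR_WEB01:(OI)(CI)(M)
                         WEB01\IWAM_WEB01:(I)(RX)

C:\inetpub\wwwroot\uploads WEB01\IUSR_WEB01:(OI)(CI)(RX,W)

C:\inetpub\wwwroot\static WEB01\IUSR_WEB01:(DENY)(W)
                          WEB01\IUSR_WEB01:(RX)
"""

# icacls inheritance markers, which are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls rights that let an account create, change or delete content or ACLs.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "DE",
                "WDAC", "WO", "GW", "GA"}
# An ACE for an anonymous-web (IUSR_*) or out-of-process (IWAM_*) account.
ACE_RE = re.compile(r"(?:\S+\\)?((?:IUSR|IWAM)_\w+):((?:\([A-Z,]+\))+)", re.I)


def find_web_account_write(icacls_text, allowed_dirs=()):
    """Return (path, account, rights) for unexpected IUSR/IWAM write access."""
    allowed = {d.lower() for d in allowed_dirs}
    findings, path = [], None
    for line in icacls_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line starts a new object; assumption: no spaces in paths.
            path = line.split(None, 1)[0]
        for account, perms in ACE_RE.findall(line):
            groups = re.findall(r"\(([^)]+)\)", perms)
            if "DENY" in groups:
                continue  # a deny entry removes access, it does not grant it
            rights = {r for g in groups for r in g.split(",")} - INHERIT_FLAGS
            writable = sorted(rights & WRITE_RIGHTS)
            if writable and path.lower() not in allowed:
                findings.append((path, account, writable))
    return findings


if __name__ == "__main__":
    for hit in find_web_account_write(SAMPLE_ICACLS, [r"C:\inetpub\wwwroot\uploads"]):
        print(hit)
```
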