RE: Rash of navy web site defacements

[Andrew Thomas <andrew () unysen com>]

Bad taste to reply to my own message, I know, but I missed off 
another check as part of ACL setting - remove IUSR/IWAM account
write access from all directories that don't explicitly need it.
This is a rare occurance - document uploads and the like on
website, or file attachments to web-based mail systems.

> -----Original Message-----
> From: Andrew Thomas 
> Sent: Friday, June 01, 2001 10:49 AM
> Subject: RE: Rash of navy web site defacements
>
> > -----Original Message-----
> > From: Jay D. Dyson [mailto:jdyson () treachery net]
> > Sent: Thursday, May 31, 2001 7:36 PM
> > Subject: Re: Rash of navy web site defacements
> --snip--
> >     Exploiting IIS isn't simply trivial.  You have to tie a board
> > across your butt to keep from falling in.
>
> As much as everyone has knocked M$ products, IIS in particular,
> most of the most recently released vulnerabilities are entirely
> avoidable *WITHOUT* the hotfixes in question.
>
> 1 - Go through the relevant MS issued security checklist (Securing
> IIS4 or IIS5)
> 2 - Set ACL's sensibly: why would IUSR/IWAM accounts need to execute
> anything in the winnt\system directory, or most places for 
> that matter?
> 3 - remove extension mappings for handlers you don't need
> 4 - remove virtual directory mappings you don't need/the like
>  (/msadc, /scripts, ...)
>
> With these steps, while I remain open to correction, I don't see how
> any of the unicode, cgi double-decode or recent .printer overflows
> would have been easily exploitable.