Re: Global.asa security under IIS 6.0

["Matt Fisher" <mattfisher () comcast net>]

IIS won't serve global.asa by default, but be very careful not to make
inadvertent backups of it ... they'll drop their source, and if you happen
to have a dsn-less ado connection string in there ....

I've also gotten them off a fine default SiteServer script (something like
"viewsource.asp") but that's a whole different matter.

----- Original Message ----- 
From: "Michael Howard" <mikehow () microsoft com>
To: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>;
<webappsec () securityfocus com>; <pen-test () securityfocus com>
Sent: Wednesday, June 09, 2004 1:09 PM
Subject: RE: Global.asa security under IIS 6.0


Iis won't serve up global.asa to users, that said, you shouldn't store
sensitive data in there either!

[Writing Secure Code 2nd Edition]
http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[Annual Security Training]
http://mste/training/offerings.asp?offeringid=7142

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Tuesday, June 08, 2004 1:18 AM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Global.asa security under IIS 6.0

Hi list !

I am wondering about how much secure is the "global.asa" file in ASP. It =
seems that we can gather there most of the parameters used with our ASP =
pages, but it can be also a weakness if a malicious guy gets access to = it
!


So anyone one knows how secure is it to use global.asa, how can we get = it
from a website (IIS refuses access to it with an =
http://blahblahblah.com/global.asa)...and how can we avoid people = stealing
if ?


Thanks in advance!