WebApp Sec mailing list archives

Re: IIS Security


From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 21 Nov 2005 08:04:48 -0800

1) The traversal attacks used in the past required running the
cmd.exe file on the system partition. If your WWWROOT was on the
system partition, it was much easier to traverse to cmd.exe. It is
much harder if your WWWROOT is on a non-system partition.

2) Some of the attacks in the past assumed that the wwwroot was
c:\inetsdk\wwwroot, so these attacks were successful. If the wwwroot
had been on a separate partition, these attacks might have
failed.

3) It is much easier to control the permissions for the anonymous
account (INETUSER) that IIS uses if the WWWROOT is located on a
separate partition.


On 11/21/05, Schmidt, Albert E <AES () ola state md us> wrote:
If the default IIS account only has access to the root document, what is the harm of placing the root document on the
same disk partition as the operating system, if the account does not have access to the operating system files?




In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
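The argument in point 1 can be shown with Windows path semantics: a `..` sequence climbs toward the drive root but never crosses onto another drive, so the same traversal that resolves to cmd.exe on the system partition resolves to a non-existent path when the web root lives on a separate drive. The script below is an added illustration, not code from the list or from IIS; the file inventory and the `resolve_request` / `is_inside_root` helpers are constructed for the example, and the containment check is the actual mitigation, with partition placement as defence in depth.

```python
import ntpath

# Constructed stand-in for the files on a box with a single system drive C:
# and a second web root moved to D: (not a real inventory).
CONSTRUCTED_FILES = {
    r"c:\winnt\system32\cmd.exe",
    r"c:\inetpub\wwwroot\default.htm",
    r"d:\wwwroot\default.htm",
}


def resolve_request(web_root, request_path):
    """Join a requested URL path onto the web root the way a naive file
    handler would, then normalise it with Windows rules. Each '..' moves
    up one directory but stops at the drive root; it cannot change drive."""
    relative = request_path.replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(web_root, relative))


def is_inside_root(web_root, resolved):
    """Containment check a file handler should apply: the resolved path must
    be the web root itself or lie below it (case-insensitive, like NTFS)."""
    root = ntpath.normpath(web_root).rstrip("\\").lower() + "\\"
    return (resolved.lower() + "\\").startswith(root)


def evaluate(web_root, request_path, files=CONSTRUCTED_FILES):
    """Report where a request lands, whether it stays inside the web root,
    and whether the landing path exists in the constructed inventory."""
    resolved = resolve_request(web_root, request_path)
    return {
        "resolved": resolved,
        "inside_root": is_inside_root(web_root, resolved),
        "exists": resolved.lower() in files,
    }


if __name__ == "__main__":
    traversal = "/../../winnt/system32/cmd.exe"
    for root in (r"c:\inetpub\wwwroot", r"d:\wwwroot"):
        print(root, "->", evaluate(root, traversal))
```

On the C: root the traversal resolves to an existing cmd.exe; on D: it resolves to a path that is not there. In both cases `inside_root` is False, which is the check that should reject the request regardless of partition layout.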

