From: "Kenzo" <kenzo_chin () hotmail com>
Date: Mon, 10 Feb 2003 12:38:13 -0600
IIS Lockdown is set up and all the updates are up to date using MBSA.
I guess I'm just gonna have to tell him too bad, and present these reasons to my boss.
----- Original Message -----
From: "* KAPIL *" <kapil () kapilville com>
To: "'Kenzo'" <kenzo_chin () hotmail com>; <security-basics () securityfocus com>
Sent: Friday, February 07, 2003 6:13 PM
Subject: RE: permission
I don't think it's a good idea to give any sort of access to the root.
Your website shouldn't be on the system volume anyway. If you need to
test some sort of program/code that requires access to all of C:, then
that's just bad programming. Why can't he test with access to a folder
that's specially created for testing? Or test on a development box
that's not open to the public. In reality, if you're not a huge company,
don't have many enemies, have a low traffic site and take other
precautions to secure the network, you're fairly safe... still not a
good idea though. I would also recommend downloading and running the IIS
Lockdown Tool and the Microsoft Baseline Security Analyzer, both
available for free from Microsoft.
Stand Up For Free Speech
From: Kenzo [mailto:kenzo_chin () hotmail com]
Sent: Friday, February 07, 2003 1:47 PM
To: security-basics () securityfocus com
OK, I need some input from you guys on this.
Our webmaster seems to think that giving the guest internet user read
access to the C drive is OK as long as you don't set IIS to list content
and other stuff that I don't understand, since I don't know anything
about running a website. I told him that by doing so, most subfolders
will also take that permission, so if someone that knows what they're
doing could compromise that account, they would have read access to
almost the whole C drive. The box is a Win2k server with IIS 5. I
believe he wants to do this for some error checking for a C or Java
program. The program is supposed to check to make sure that the drive has
enough space before it starts writing or copying things, and for that it
needs read access to the C drive. To me, even though I don't know
anything about programming and web hosting, it doesn't look right from the
security point of view.
Please give me some input on this, whether it's OK or not and why, so that I
can tell him yes it's OK or no it's not OK because of this and that.
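The worry in the question is that a read ACE granted on C:\ propagates by inheritance to nearly every subfolder. The following PowerShell audit is an added example, not code from anyone in this thread: it lists every folder under C:\ where the IIS anonymous account holds an Allow read ACE and whether that ACE was inherited, and then shows the volume-level free-space query the program actually needs, which does not walk or read the directory tree. It assumes the IIS 5 default account name IUSR_<hostname>; adjust if the site uses a different anonymous account.

```powershell
# Added example (not from the original thread).
# Assumption: the IIS anonymous account follows the IIS 5 default naming IUSR_<hostname>.
$account = "IUSR_$env:COMPUTERNAME"
$root    = "C:\"

# Part 1: which folders would the anonymous account be able to read, and is that
# right inherited from a parent (i.e. propagated from the ACE on C:\)?
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

$findings = Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }                       # skip folders we cannot inspect
    foreach ($ace in $acl.Access) {
      if ($ace.IdentityReference.Value -like "*\$account" -and
          $ace.AccessControlType -eq 'Allow' -and
          (($ace.FileSystemRights -band $readBit) -ne 0)) {
        [pscustomobject]@{
          Path      = $_.FullName
          Rights    = $ace.FileSystemRights
          Inherited = $ace.IsInherited            # $true means it came from a parent ACE
        }
      }
    }
  }

"Folders readable by $account under $root : $($findings.Count)"
$findings | Sort-Object Path | Format-Table -AutoSize

# Part 2: the free-space check the webmaster's program wants. This queries the
# volume itself (GetDiskFreeSpaceEx under the hood) and needs no read ACE on
# C:\ or its subfolders, so the permission change is not required for it.
$drive = New-Object System.IO.DriveInfo($root)
$freeMB = [math]::Round($drive.AvailableFreeSpace / 1MB)
"Free space on $root : $freeMB MB"
```

Run it as an administrator so every folder can be inspected; a long list of `Inherited = True` rows is the propagation the original poster was describing.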