Re: New IIS Lockdown tool from Microsoft
From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: 10/11/01
- Previous message: Y. W. Ko: "Re: NTFS inherited permissions bug on W2K"
- In reply to: Buchenauer, Christian: "Re: New IIS Lockdown tool from Microsoft"
Message-ID: <031401c15276$c90c9c70$0100a8c0@davenet.local>
Date: Thu, 11 Oct 2001 09:47:46 -0700
From: David LeBlanc <dleblanc@MINDSPRING.COM>
Subject: Re: New IIS Lockdown tool from Microsoft
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I'm leaving the original post in on purpose - it may be needed to refer to.
A couple of points where I have some questions and also some suggestions:
giving IUSR write and delete permissions to the Perl modules seems
dangerous. Why is this required?
Nice list of the DLLs and exes in system32 that are required, but also be
sure to set the inherited permissions on the directory level so that new
files get ACL'd appropriately. I would also consider ACLing all command-line
tools to deny execute to IUSR and IWAM.
Using Perl as a CGI also seems very risky. Don't get me wrong, I love
Perl, but if I had a directory traversal exploit and could find perl.exe,
I would then have the equivalent of a command line. IIRC, Perl can be loaded
as an ISAPI DLL, which is somewhat more secure.
I also don't see your permissions for the web site itself.
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Buchenauer,
> Christian
> Sent: Wednesday, October 10, 2001 7:28 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: New IIS Lockdown tool from Microsoft
>
>
> Hi Russ
>
> Just my 2c regarding proper ACL's on NT4:
>
> The recent discussion about IIS and security has clearly shown that
> appropriate ACLs are an absolute "must have".
> While building an IIS web server, one would need to set the ACLs
> properly from the very beginning, as part of the setup process!
> We use a script with cacls here; why doesn't everyone do so?
>
> For a basic NT 4 IIS server with Perl running on it, you only need the
> permissions shown below [1]. These permissions are for the NT system
> only; on the website files, the ACLs may be different.
> I got this data while observing the security log and setting the
> required permissions file by file. The same method would be used to
> adjust the ACLs for FrontPage, databases etc.
>
>
> Maybe someone on the list can think of a script which does this
> automatically?
> -> do a GET request on a website on the server
> -> monitor the security log for event ID 560 (failed access to file)
> -> set the ACL accordingly / write the filename into a file for manual
> approval
>
> (the known best practices - patching, removal of mappings -
> remain valid
> of course)
>
> Regards
> Christian
>
>
> [1] Permissions needed to run IIS4, Perl:
>
> - RWXD for IUSR_hostname:
> <path to>\Perl\site
> <path to>\Perl\lib\AutoLoader.pm
> <path to>\Perl\lib\Carp.pm
> <path to>\Perl\lib\DynaLoader.pm
> <path to>\Perl\lib\Exporter.pm
> <path to>\Perl\lib\overload.pm
> <path to>\Perl\lib\strict.pm
> <path to>\Perl\lib\vars.pm
> <path to>\Perl\lib\auto\DynaLoader\dl_findfile.al
> <path to>\Perl\lib\CGI\Carp.pm
> <path to>\Perl\site\lib\OLE.pm
> <path to>\Perl\site\lib\Win32\OLE.pm
> <path to>\Perl\site\lib\Win32\OLE\Lite.pm
> <path to>\Perl\site\lib\Win32\OLE\Variant.pm
>
> - RX for IUSR_hostname:
> C:\
> C:\Programs
> C:\Programs\Perl\site\lib
> C:\Programs\Perl\site\lib\auto\Win32
> C:\WINNT
> C:\TEMP
> C:\WINNT\Help\common
> C:\WINNT\system32
> <path to>\System\ADO\msader15.dll
> <path to>\System\ADO\msado15.dll
> <path to>\System\ADO\msadrh15.dll
> <path to>\System\MSADC\msadce.dll
> <path to>\System\MSADC\msadcer.dll
> <path to>\System\OLE DB\msdasql.dll
> <path to>\System\OLE DB\msdasqlr.dll
> <path to>\System\OLE DB\msdatl2.dll
> <path to>\System\OLE DB\oledb32.dll
> <path to>\System\OLE DB\oledb32r.dll
> C:\Programs\Perl\bin\perl.exe
> C:\Programs\Perl\bin\perlcore.dll
> C:\WINNT\system32\expsrv.dll
> C:\WINNT\system32\MSAFD.DLL
> C:\WINNT\system32\msdart32.dll
> C:\WINNT\system32\msjet40.dll
> C:\WINNT\system32\msjint40.dll
> C:\WINNT\system32\MSJTER40.DLL
> C:\WINNT\system32\msjtes40.dll
> C:\WINNT\system32\MSRD2X40.DLL
> C:\WINNT\system32\msrd3x40.dll
> C:\WINNT\system32\mswstr10.dll
> C:\WINNT\system32\odbccp32.dll
> C:\WINNT\system32\odbcji32.dll
> C:\WINNT\system32\odbcjt32.dll
> C:\WINNT\system32\PerlCRT.dll
> C:\WINNT\system32\RNR20.DLL
> C:\WINNT\system32\STDOLE2.TLB
> C:\WINNT\system32\vbajet32.dll
> C:\WINNT\system32\WINSPOOL.DRV
> C:\WINNT\system32\WSHTCPIP.DLL
> C:\WINNT\system32\drivers\etc\HOSTS
> C:\WINNT\system32\inetsrv\asp.dll
> C:\WINNT\system32\inetsrv\ssinc.dll
>
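The audit-driven loop Christian sketches above (GET request, watch the Security log for event ID 560 failures, then grant or queue for approval) as a worked example. This is added code, not anything from either post or from the IIS Lockdown tool. The log records it reads are constructed for the example in a simplified pipe-separated layout, not a real NT 4 Security-log export; the account name IUSR_WEB01 is made up; and the policy of auto-granting only read/execute (cacls `R`, matching the "RX" entries in Christian's list) while holding back anything that asks for write or delete is a design choice that reflects David's objection to RWXD on the Perl modules.

```python
"""Turn Security-log audit failures into least-privilege cacls grants.

Added example, not code from either post. It implements the loop that
Christian proposes: drive the server with a GET, collect the Security-log
audit failures (event ID 560, Object Open) raised by the anonymous web
account, and derive the narrowest cacls grant that would have satisfied
each request. Read/execute needs become cacls commands; anything asking
for write or delete goes to a manual-approval list instead.

Assumptions: the record layout below is a constructed, simplified export
(not a real NT 4 Security-log dump), and the account name IUSR_WEB01 is
made up for the example.
"""
import re

# One record per line: event id | audit type | account | object type |
# object name | requested accesses. Constructed for this example.
SAMPLE_LOG = r"""
560|Failure Audit|IUSR_WEB01|File|C:\Programs\Perl\lib\strict.pm|ReadData (or ListDirectory) ReadAttributes
560|Failure Audit|IUSR_WEB01|File|C:\Programs\Perl\bin\perl.exe|Execute/Traverse ReadAttributes
560|Failure Audit|IUSR_WEB01|Directory|C:\Programs\Perl\site\lib|ReadData (or ListDirectory) Execute/Traverse
560|Failure Audit|IUSR_WEB01|File|C:\Programs\Perl\lib\strict.pm|ReadData (or ListDirectory)
560|Failure Audit|IUSR_WEB01|File|C:\TEMP\cgi123.tmp|WriteData (or AddFile) DELETE
560|Success Audit|IUSR_WEB01|File|C:\WINNT\system32\inetsrv\asp.dll|ReadData (or ListDirectory)
560|Failure Audit|Administrator|File|C:\WINNT\system32\config\SAM|ReadData (or ListDirectory)
562|Success Audit|IUSR_WEB01|File|C:\Programs\Perl\bin\perl.exe|
"""

# Access names as they appear in 560 events, split into what cacls "R"
# (read and execute) covers and what needs write or delete rights.
READ_EXECUTE = {"ReadData (or ListDirectory)", "ReadAttributes", "ReadEA",
                "Execute/Traverse", "READ_CONTROL", "SYNCHRONIZE"}
WRITE_DELETE = {"WriteData (or AddFile)", "AppendData (or AddSubdirectory)",
                "WriteAttributes", "WriteEA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# An access name is one token, optionally followed by a parenthesised alias.
ACCESS_RE = re.compile(r"\S+(?: \([^)]*\))?")


def parse_records(text):
    """Parse the pipe-separated export into a list of dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        event_id, audit_type, account, obj_type, obj_name, accesses = parts
        records.append({
            "event_id": int(event_id),
            "failure": audit_type == "Failure Audit",
            "account": account,
            "obj_type": obj_type,
            "obj_name": obj_name,
            "accesses": ACCESS_RE.findall(accesses),
        })
    return records


def needed_access(records, account):
    """Union, per object, of every access the account was denied (560 failures)."""
    needed = {}
    for r in records:
        if r["event_id"] != 560 or not r["failure"] or r["account"] != account:
            continue
        entry = needed.setdefault(r["obj_name"],
                                  {"obj_type": r["obj_type"], "accesses": set()})
        entry["accesses"].update(r["accesses"])
    return needed


def plan_acls(needed, account):
    """Return (cacls commands, manual-review list).

    /E edits the existing ACL instead of replacing it, which is what you
    want when tightening a system directory one file at a time. Anything
    that needs write/delete, or an access we do not recognise, is held
    back for a human rather than granted automatically.
    """
    commands, review = [], []
    for name in sorted(needed):
        accesses = needed[name]["accesses"]
        if accesses & WRITE_DELETE or not accesses <= READ_EXECUTE:
            review.append((name, sorted(accesses)))
            continue
        commands.append(f'cacls "{name}" /E /G {account}:R')
    return commands, review


def run_example(account="IUSR_WEB01"):
    """Run the whole pipeline over the constructed sample log."""
    return plan_acls(needed_access(parse_records(SAMPLE_LOG), account), account)


if __name__ == "__main__":
    cmds, review = run_example()
    print("\n".join(cmds))
    for name, accesses in review:
        print(f"REVIEW {name}: {' '.join(accesses)}")
```

Two things to check before running the emitted commands: success audits, other accounts and other event IDs are ignored on purpose, so the review list only ever contains objects the anonymous account actually failed to open; and when a grant lands on a directory (the `Perl\site\lib` entry in the sample), run `cacls <dir>` afterwards and confirm the new ACE shows as inheritable, which is the directory-level inheritance point David makes.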