Free IIS Security Forensic Analysis E-Book

From: Jason Coombs (jasonc_at_SCIENCE.ORG)
Date: 05/05/03

    Date:         Sun, 4 May 2003 12:32:16 -1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Aloha,

    After a year-long effort to conduct a thorough forensic analysis of Internet
    Information Services versions 4 through 6, I've recently released a 400-page
    e-book detailing my conclusions, findings, and security recommendations for
    administrators and programmers who work with IIS.

    IIS Security and Programming Countermeasures
    http://forensics.org/jasonc/iisforensics.zip

    FORENSICS.ORG is a non-profit computer forensics expert witness group. One of
    our missions is to provide affordable forensics services to the defense in
    criminal and civil court cases. We hope that this forensic guide to IIS
    security will be helpful as you decide what to do about your legacy IIS-based
    applications: migrate to IIS 6 or abandon IIS altogether?

    Feedback is welcome.

    Sincerely,

    Jason Coombs
    jasonc@science.org


