RE: Microsoft .NET, ASP.NET, and IIS - any opinions?

From: Matthew Reams (mreams@intelixinc.com)
Date: 12/13/01


Date: Thu, 13 Dec 2001 11:12:21 -0500
From: "Matthew Reams" <mreams@intelixinc.com>
To: <Ken@infosec101.org>, "Tracy Martin" <tracy@arisiasoft.com>, <focus-ms@securityfocus.com>

I couldn't get that link to work, but looking at http://foundstone.com,
I think they must have moved it to

http://www.foundstone.com/pdf/dotnet-security-framework

Regards,
Matt

> -----Original Message-----
> From: Ken Pfeil [mailto:Ken@infosec101.org]
> Sent: Wednesday, December 12, 2001 5:13 PM
> To: Tracy Martin; focus-ms@securityfocus.com
> Subject: RE: Microsoft .NET, ASP.NET, and IIS - any opinions?
>
>
> Tracy,
> The folks at Foundstone and Core just finished a review of
> the .Net framework from a security perspective that's worth a
> read. The whitepaper is available at
> http://www.foundstone.com/microsoft/dotnet
>
> Regards,
> Ken
>
> > -----Original Message-----
> > From: Tracy Martin [mailto:tracy@arisiasoft.com]
> > Sent: Wednesday, December 12, 2001 3:52 PM
> > To: focus-ms@securityfocus.com
> > Subject: Microsoft .NET, ASP.NET, and IIS - any opinions?
> >
> >
> > Greetings,
> >
> > We all know that IIS has its flaws - and that for many of these there
> > are patches available (or at least workarounds). However, with the
> > imminent release of VisualStudio.NET and ASP.NET, I'm expecting to see
> > installs of IIS and the .NET runtimes (which, if I understand it
> > correctly, basically amounts to installing the full SDK - including
> > command line compilers) on servers all over.
> >
> > And this begs the question - has anyone who has insight into this done
> > any security studies on this combination? Is the addition of .NET to
> > IIS going to cause any additional security holes (over and above those
> > already present in IIS itself)? And are there recommendations for
> > closing these types of holes if encountered?
> >
> > I already know I'm going to be asked to set up such a server, and I'd
> > like to get a feel for what I'm letting myself in for. I know there
> > are patches available for IIS (and I've already applied them to the
> > IIS server we have live right now), but I'm curious if the addition of
> > .NET to the mix is going to introduce new problems (and also
> > interested in potential solutions to those problems while waiting for
> > "official fixes" from Microsoft).
> >
> > Any takers?
> >
> > Tracy
> >
> >
>
>


