RE: Microsoft .NET, ASP.NET, and IIS - any opinions?
From: Ryan Counts (webmaster@badsushi.com)
Date: 12/14/01
- In reply to: Alderson, John: "RE: Microsoft .NET, ASP.NET, and IIS - any opinions?"
From: "Ryan Counts" <webmaster@badsushi.com>
To: "'Alderson, John'" <John.Alderson@FMR.COM>, "'Tracy Martin '" <tracy@arisiasoft.com>, <focus-ms@securityfocus.com>
Date: Fri, 14 Dec 2001 11:11:05 -0600
I just remembered something that might help. In the install folder of
the .NET Framework, there's a series of config files. The one that
seems most relevant is security.config, where the admin has a good bit
of control over minute details of the security context of the framework.
There are a few other files in the Config sub-folder of the framework
that are also useful and give the admin control over maximum threads,
etc.

In a way, this seems like the admin has more control over .NET than in a
good number of architectures out there.
-----Original Message-----
From: Alderson, John [mailto:John.Alderson@FMR.COM]
Sent: Thursday, December 13, 2001 6:45 PM
To: 'Tracy Martin '; 'focus-ms@securityfocus.com '
Subject: RE: Microsoft .NET, ASP.NET, and IIS - any opinions?
Tracy,

Do check the release notes with the Redist package (as mentioned by Chip
Andrews) or the SDK for info on the context that the .NET runtimes are
running as by default. I believe that in Beta 2 they are running as
SYSTEM by default but there are explicit instructions on changing this
to a more appropriate user context. I don't have my notes here at home
so I apologize for being a bit vague.

John Alderson
-----Original Message-----
From: Tracy Martin
To: focus-ms@securityfocus.com
Sent: 12/12/01 1:52 PM
Subject: Microsoft .NET, ASP.NET, and IIS - any opinions?
Greetings,

We all know that IIS has its flaws - and that for many of these there
are patches available (or at least workarounds). However, with the
imminent release of VisualStudio.NET and ASP.NET, I'm expecting to see
installs of IIS and the .NET runtimes (which, if I understand it
correctly, basically amounts to installing the full SDK - including
command line compilers) on servers all over.

And this begs the question - has anyone who has insight into this done
any security studies on this combination? Is the addition of .NET to IIS
going to cause any additional security holes (over and above those
already present in IIS itself)? And are there recommendations for
closing these types of holes if encountered?

I already know I'm going to be asked to set up such a server, and I'd
like to get a feel for what I'm letting myself in for. I know there are
patches available for IIS (and I've already applied them to the IIS
server we have live right now), but I'm curious if the addition of .NET
to the mix is going to introduce new problems (and also interested in
potential solutions to those problems while waiting for "official fixes"
from Microsoft).

Any takers?

Tracy