IIS 4 Security
From: anyluser (anyluser@yahoo.com)
Date: 12/10/02
Date: Tue, 10 Dec 2002 13:52:50 -0800 (PST)
From: anyluser <anyluser@yahoo.com>
To: focus-ms@securityfocus.com

A friend and I are having a (friendly) debate and I
was wondering what the SecBasics crowd thought.

The Hypothetical Situation: A publicly available yet
password protected web site is hosted using IIS 4 w/o
SSL. It is completely unpatched and yet there are no
sites or pages that can be accessed w/o a valid
username and password. IOW, no anon access, ever.

My Premise: It is reasonably secure right up until a
brute force attack or eavesdropping yields a valid
username/pass. If there are no URLs that don't
require username and pass then a malformed URL will be
challenged just as thoroughly, relegating exposure.

His Argument: It can still be hacked b/c the username
and password can be bypassed even w/o a directed
effort towards discovering valid auth info (brute
force). Note: He thinks it's possible but in
practice doesn't know how to do it or if it can indeed
be done.

The only thing I could imagine happening is that
someone telnets into port 80 and passes a URL in that
way, but I didn't tell him that :) Since I don't know
how to do that yet (I'm about to google it) I can't
test it.

So what do y'all think? How secure is a pw protected
site from attack w/o a valid username and password?