RE: Securing IIS/5 with ASP

From: dave (dave@netmedic.net)
Date: 01/28/03

    From: "dave" <dave@netmedic.net>
    To: "'Holmes, Tyran'" <tholmes@ascendone.com>, "'Ralph Los'" <RLos@enteredge.com>, "'Chris Neppes'" <cneppes@port80software.com>, <focus-ms@securityfocus.com>
    Date: Tue, 28 Jan 2003 13:48:15 -0500
    
    

    I am just going to make the assumption that you have "Enable Parent Paths"
    disabled, which you should for security reasons.

    You need to make a Virtual Directory in that website for your "Includes"
    and place all your include refs in there.

     

    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net

     

    -----Original Message-----
    From: Holmes, Tyran [mailto:tholmes@ascendone.com]
    Sent: Friday, January 24, 2003 16:32
    To: Ralph Los; focus-ms@securityfocus.com
    Subject: RE: Securing IIS/5 with ASP
    Sensitivity: Confidential

    Is the account (IUSR...) active? I know I remember getting some errors
    for the IUSR accts in the Event Log on an IIS server and found that my
    cohort had disabled the accounts. Just a thought...

    -----Original Message-----
    From: Ralph Los [mailto:RLos@enteredge.com]
    Sent: Friday, January 24, 2003 12:56 PM
    To: 'focus-ms@securityfocus.com'
    Subject: Securing IIS/5 with ASP
    Sensitivity: Confidential

    Hello,
            I have a document I've built over the years about securing
    IIS/5, with regards to permissions, etc right down to the file level.
    This often works, except when I get that pesky ASP engine involved.
    I'm sick of HTTP/500 errors! I know for a fact the error is with file
    permissions, but I can't pin-point which file(s) are causing it. I've
    had the dllhost.exe keep getting "ACCESS DENIED" (Using NTFileMon from
    sysinternals.com) on C:\winnt\system32\<some_file> but...the
    permissions on that file/folder/whatever are IUSR/IWAM/SYSTEM (RWX).

            Bottom line, does anyone have a definitive "baseline IIS/5
    w/ASP" security document done I could look over? Just curious - dying
    to know what I'm missing.

    -Ralph
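
Added example, not part of the original thread: a small Python check that finds classic ASP `#include` directives relying on parent paths (`..`), which stop resolving once "Enable Parent Paths" is disabled, and proposes the `#include virtual` form pointing at an "Includes" virtual directory as suggested in the reply above. The virtual directory name `/Includes`, its flat layout, the function name and the sample page are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Classic ASP server-side include directive, e.g.
#   <!-- #include file="..\inc\db.asp" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->',
    re.IGNORECASE,
)

# Assumption: the virtual directory is named "Includes" and holds the
# include files directly (flat layout).
VIRTUAL_DIR = "/Includes"

# Constructed sample page, not taken from the thread.
SAMPLE_ASP = """<%@ Language=VBScript %>
<!-- #include file="../includes/header.asp" -->
<!-- #include file="inc\\nav.asp" -->
<!--#INCLUDE FILE="..\\..\\shared\\db.asp"-->
<!-- #include virtual="/Includes/footer.asp" -->
"""


def find_parent_path_includes(source):
    """Return (line_no, directive, suggestion) for includes that use '..'."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in INCLUDE_RE.finditer(line):
            # PureWindowsPath splits on both '\' and '/', as ASP paths use either.
            parts = PureWindowsPath(match.group(2)).parts
            if ".." not in parts or parts[-1] == "..":
                continue  # no parent path, or no file name to map
            suggestion = f'<!-- #include virtual="{VIRTUAL_DIR}/{parts[-1]}" -->'
            findings.append((line_no, match.group(0), suggestion))
    return findings


if __name__ == "__main__":
    for line_no, directive, suggestion in find_parent_path_includes(SAMPLE_ASP):
        print(f"line {line_no}: {directive}")
        print(f"    replace with: {suggestion}")
```

Includes that already use a relative path without `..`, or a `virtual` path, are left alone.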


