IIS 6 features
From: Ross, Jason (Jason.Ross_at_GlobalCrossing.com)
Date: 10/29/03
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com> Date: Wed, 29 Oct 2003 08:59:21 -0500
Hello,
I'm just starting out with Windows 2003 Server and IIS 6.0.
Naturally, the first thing I did was check out the "features"
section at Microsoft's website. I've got to admit, there's some
pretty cool stuff, but there's also some things that I just don't
get ... I've pasted some of those items below, along with my thoughts.
Maybe I'm missing something, can someone please let me know if I'm
way off base with the conclusions I'm jumping to?
Hopefully I'm not duplicating a previous thread. I did a search for "2003"
on the focus-ms list and didn't see anything along these lines.
Regards,
Jason Ross
--- Begin IIS features & Responses ---
1. Rapid Fail Protection
"IIS 6.0 can be configured so that if an application pool fails
too often within a short amount of time, its processes will be
automatically disabled. Rapid-fail protection places the application
pool in "out of service" mode, and IIS 6.0 immediately returns a
"503 Service Unavailable" error message to any new or queued requests
to the Web sites and applications that are in the application pool.
Custom actions, such as a debugging action or administrator notification,
can be triggered when an application pool has been stopped automatically.
Rapid-fail protection also helps protect a Web server against
denial-of-service attacks and increases the overall reliability of a
Web server infrastructure."
So, the answer to Denial of Service attacks is to deny service?
2. Buffer and Memory Overflow Protection
"IIS 6.0 now helps protect against the most common method of attacks on
Web servers-buffer and memory overflow situations. An attacker can penetrate
a server by taking advantage of the way a Web server processes data
transmissions of unknown size. IIS 6.0 closes this vulnerability with
memory-overflow protection, which helps ensure that once a buffer or memory
overflow has been detected in a particular worker process, the worker process
will be shut down so that it cannot affect other worker processes."
OK. This seems to mean that anytime someone executes a buffer or memory
overflow the IIS response is to retaliate with a Denial Of Service ...
3. Microsoft Passport Authentication
"IIS 6.0 and Windows Server 2003 supports authentication using the Microsoft
Passport service. Passport is a Web service that is maintained by Microsoft,
and users who register with Passport can be authenticated anywhere on the
Internet by applications that present logon credentials to Passport. If
Passport determines that the credentials are valid, it returns an
authentication ticket that an IIS 6.0 application can encode in a cookie to
prevent the user from having to log on time after time. When used with
IIS 6.0, Passport integration provides a single-sign-on experience for Web
users."
This one just plain scares me. I'm waiting for the "anyone with a hotmail
account can login to IIS6 servers if they use Passport Authentication"
vulnerability.
Also, the passport license agreement states in part:
"All content and software (if any) that is made available to view and/or
download from the Web pages that are part of the .NET Passport Services
("Software") is owned by and is the copyrighted work of Microsoft and/or its
suppliers"
Does that mean that any content and software I place on servers using IIS
and taking advantage of the Passport features now becomes MS property?
While I understand that isn't the intent of the EULA ( I hope =)
I think the wording actually does make that the case.
--- Begin Sources ---
IIS Features Text available at:
http://www.microsoft.com/windowsserver2003/iis/evaluation/features/default.mspx
Passport EULA Text available at:
http://www.passport.net/Consumer/TermsOfUse.asp
All quoted text in this document is likely the copyright of Microsoft Corp.
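The following is an added example, not part of the original post and not IIS code. It models the rapid-fail protection behaviour quoted in items 1 and 2 above (a worker-process crash, whether from a bug or an overflow attempt, is counted; once enough crashes land inside a sliding time window the whole application pool goes out of service and every new request gets a 503) so that the point raised in the post can be seen concretely: an attacker who can crash a worker on demand can take the pool offline at the crash threshold, while the same number of crashes spread out over time never trips it. The threshold values (5 crashes within 5 minutes) are what I recall as the IIS 6.0 defaults for the RapidFailProtectionMaxCrashes and RapidFailProtectionInterval metabase properties; treat them, and the exact "greater than or equal" comparison, as assumptions of this model rather than a statement of IIS internals.

```python
"""Model of IIS 6.0-style rapid-fail protection (constructed example, not IIS code)."""
from collections import deque


class AppPool:
    """An application pool whose worker-process failures are tracked in a sliding window."""

    def __init__(self, max_crashes=5, interval_seconds=300):
        # Assumed defaults: 5 crashes within 5 minutes takes the pool out of service.
        self.max_crashes = max_crashes
        self.interval = interval_seconds
        self.failures = deque()       # timestamps (seconds) of recent worker crashes
        self.out_of_service = False
        self.disabled_at = None

    def worker_failed(self, t):
        """Record a worker-process crash at time t.

        Returns True if this crash tripped rapid-fail protection.
        Crashes are only counted while the pool is still in service.
        """
        if self.out_of_service:
            return False
        self.failures.append(t)
        # Forget crashes that have fallen out of the window.
        while self.failures and t - self.failures[0] > self.interval:
            self.failures.popleft()
        if len(self.failures) >= self.max_crashes:
            self.out_of_service = True
            self.disabled_at = t
            return True
        return False

    def handle_request(self, t):
        """HTTP status a new request to this pool receives at time t."""
        return 503 if self.out_of_service else 200

    def admin_reset(self):
        """What an administrator does after investigating: put the pool back in service."""
        self.out_of_service = False
        self.disabled_at = None
        self.failures.clear()


def simulate(crash_times, request_times, **pool_kwargs):
    """Replay crashes and requests in time order; return the pool and per-request statuses."""
    pool = AppPool(**pool_kwargs)
    events = sorted([(t, "crash") for t in crash_times]
                    + [(t, "request") for t in request_times])
    statuses = {}
    for t, kind in events:
        if kind == "crash":
            pool.worker_failed(t)
        else:
            statuses[t] = pool.handle_request(t)
    return pool, statuses


if __name__ == "__main__":
    # Constructed scenario 1: an attacker crashes a worker every 30 seconds.
    pool, st = simulate(crash_times=[0, 30, 60, 90, 120], request_times=[100, 130])
    print("fast crashes: out_of_service=%s at t=%s, statuses=%s"
          % (pool.out_of_service, pool.disabled_at, st))
    # Constructed scenario 2: seven crashes, but 100 seconds apart; never 5 in any 300 s window.
    pool, st = simulate(crash_times=list(range(0, 601, 100)), request_times=[650])
    print("slow crashes: out_of_service=%s, statuses=%s" % (pool.out_of_service, st))
```

Running it shows the trade-off the post is asking about: in the first scenario the fifth crash at t=120 puts the pool out of service, so the request at t=100 gets 200 and the one at t=130 gets 503 until an administrator resets the pool; in the second, seven crashes spread over ten minutes never accumulate five inside one window, so the pool stays up. Whether taking the pool offline is better than letting a crashing (or possibly exploited) worker keep being restarted is exactly the policy decision the feature leaves to the administrator via those two thresholds.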