Re: IIS 6 features
From: Ken Schaefer (ken_at_adOpenStatic.com)
Date: 10/31/03
- Previous message: Erick Kinnee: "Re: Event Log messages for failed logon attempts"
- Next in thread: Roel Harbers: "Re: IIS 6 features"
- Maybe reply: Roel Harbers: "Re: IIS 6 features"
- Maybe reply: Eli Allen: "Re: IIS 6 features"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Fri, 31 Oct 2003 12:44:10 +1100
Hi Jason,
Point 1) the purpose of Rapid Fail Protection is to increase the reliability
of your web *server*. In the case where a web application pool is failing
multiple times in rapid succession, there doesn't seem to be any point
expending resources cycling up another w3 worker process, only for it to
fail again. You can configure how and when Rapid Fail Protection kicks in.
This is designed to increase the stability of the overall web server (not a
particular web site or web app pool), which may be serving multiple websites
(or multiple web app pools). A denial of service attack against a particular
web application (eg by exploiting vulnerable code, maybe even user supplied
code) should thus be partially, or completely isolated from the rest of the
webserver (and other web app pools).
Point 2) It's not "denial of service". I don't see anything quoted saying
that you can't spin up another worker process if you want. However, if there
is some kind of buffer overflow vulnerability in the web app, I don't
understand why you'd want to.
Point 3) Um - did you actually turn on "Passport Authentication"? If you
didn't, then I don't see what you're concerned about.
<meta comment />
Your post, to me, borders on flamebait. It seems that you've gone out of
your way to mis-characterise or mis-interpret what you are reading. If
that's the case, I'm sorry I wasted the list's time. If you are genuinely
interested in getting to know IIS 6, then I suggest reading the IIS Res Kit:
Cheers
Ken
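To make the isolation argument in Point 1 concrete, here is a small simulation of the Rapid Fail Protection policy (added example, not code from the thread or from IIS): each application pool keeps its own sliding window of worker-process failures, and only the pool that exceeds the threshold is put out of service and answers 503, while other pools on the same server keep serving. The 5-failures-in-5-minutes threshold is the default I assume here; the pool names and event timeline are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AppPool:
    """One application pool with its own failure history (simulation only)."""
    name: str
    max_crashes: int = 5        # assumed default: 5 worker failures ...
    interval_s: float = 300.0   # ... within a 5 minute window
    crash_times: deque = field(default_factory=deque)
    disabled: bool = False

    def record_crash(self, now: float) -> bool:
        """Register a worker-process failure at time `now` (seconds).
        Returns True if this failure tripped rapid-fail protection."""
        self.crash_times.append(now)
        # forget failures that have aged out of the sliding window
        while self.crash_times and now - self.crash_times[0] > self.interval_s:
            self.crash_times.popleft()
        if not self.disabled and len(self.crash_times) >= self.max_crashes:
            self.disabled = True    # pool goes "out of service"
            return True
        return False

    def status_for_request(self) -> int:
        """HTTP status a new or queued request to this pool would receive."""
        return 503 if self.disabled else 200


def simulate(events, pools):
    """events: (time, pool_name, kind) with kind 'request' or 'crash'.
    Returns a list of (time, pool_name, http_status) for the request events."""
    by_name = {p.name: p for p in pools}
    out = []
    for t, name, kind in sorted(events):
        pool = by_name[name]
        if kind == "crash":
            pool.record_crash(t)
        else:
            out.append((t, name, pool.status_for_request()))
    return out


# constructed sample: "app-a" crashes five times within one minute while
# "app-b" never fails; requests at t=100 are sent to both pools
SAMPLE = [(10, "app-a", "crash"), (20, "app-a", "crash"), (30, "app-a", "crash"),
          (40, "app-a", "crash"), (50, "app-a", "crash"),
          (5, "app-a", "request"), (100, "app-a", "request"), (100, "app-b", "request")]

if __name__ == "__main__":
    for line in simulate(SAMPLE, [AppPool("app-a"), AppPool("app-b")]):
        print(line)
```

The same five failures spread over more than the window never trip the protection, which is the knob Ken refers to when he says you can configure how and when it kicks in.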
----- Original Message -----
From: "Ross, Jason" <Jason.Ross@GlobalCrossing.com>
To: <focus-ms@securityfocus.com>
Sent: Thursday, October 30, 2003 12:59 AM
Subject: IIS 6 features
: Hello,
:
: I'm just starting out with Windows 2003 Server and IIS 6.0.
:
: Naturally, the first thing I did was check out the "features"
: section at Microsoft's website. I've got to admit, there's some
: pretty cool stuff, but there's also some things that I just don't
: get ... I've pasted some of those items below, along with my thoughts.
:
: Maybe I'm missing something, can someone please let me know if I'm
: way off base with the conclusions I'm jumping to ?
:
: Hopefully I'm not duplicating a previous thread. I did a search for "2003"
: on the focus-ms list and didn't see anything along these lines.
:
: Regards,
: Jason Ross
:
:
: --- Begin IIS features & Responses ---
:
: 1. Rapid Fail Protection
: "IIS 6.0 can be configured so that if an application pool fails
: too often within a short amount of time, its processes will be
: automatically disabled. Rapid-fail protection places the application
: pool in "out of service" mode, and IIS 6.0 immediately returns a
: "503 Service Unavailable" error message to any new or queued requests
: to the Web sites and applications that are in the application pool.
: Custom actions, such as a debugging action or administrator notification,
: can be triggered when an application pool has been stopped automatically.
: Rapid-fail protection also helps protect a Web server against
: denial-of-service attacks and increases the overall reliability of a
: Web server infrastructure."
:
: So, the answer to Denial of Service attacks is to deny service ?
:
:
:
: 2. Buffer and Memory Overflow Protection
: "IIS 6.0 now helps protect against the most common method of attacks on
: Web servers-buffer and memory overflow situations. An attacker can penetrate
: a server by taking advantage of the way a Web server processes data
: transmissions of unknown size. IIS 6.0 closes this vulnerability with
: memory-overflow protection, which helps ensure that once a buffer or memory
: overflow has been detected in a particular worker process, the worker
: process will be shut down so that it cannot affect other worker processes."
:
: OK. This seems to mean that anytime someone executes a buffer or memory
: overflow the IIS response is to retaliate with a Denial Of Service ...
:
:
:
:
: 3. Microsoft Passport Authentication
: "IIS 6.0 and Windows Server 2003 supports authentication using the Microsoft
: Passport service. Passport is a Web service that is maintained by Microsoft,
: and users who register with Passport can be authenticated anywhere on the
: Internet by applications that present logon credentials to Passport. If
: Passport determines that the credentials are valid, it returns an
: authentication ticket that an IIS 6.0 application can encode in a cookie to
: prevent the user from having to log on time after time. When used with IIS
: 6.0, Passport integration provides a single-sign-on experience for Web users."
:
: This one just plain scares me. I'm waiting for the "anyone with a hotmail
: account can login to IIS6 servers if they use Passport Authentication"
: vulnerability.
:
: Also, the passport license agreement states in part:
: "All content and software (if any) that is made available to view and/or
: download from the Web pages that are part of the .NET Passport Services
: ("Software") is owned by and is the copyrighted work of Microsoft and/or
: its suppliers"
:
: Does that mean that any content and software I place on servers using IIS
: and taking advantage of the Passport features now becomes MS property?
:
: While I understand that isn't the intent of the EULA ( I hope =)
: I think the wording actually does make that the case.
:
:
:
:
: --- Begin Sources ---
: IIS Features Text available at:
: http://www.microsoft.com/windowsserver2003/iis/evaluation/features/default.mspx
:
: Passport EULA Text available at:
: http://www.passport.net/Consumer/TermsOfUse.asp
:
: All quoted text in this document is likely the copyright of Microsoft Corp.
: ---------------------------------------------------------------------------
: Network with over 10,000 of the brightest minds in information security
: at the largest, most highly-anticipated industry event of the year.
: Don't miss RSA Conference 2004! Choose from over 200 class sessions and
: see demos from more than 250 industry vendors. If your job touches
: security, you need to be here. Learn more or register at
: http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
: and use priority code SF4.
: ---------------------------------------------------------------------------