Re: Possible way to avoid unknown IIS vulnerabilities

From: Mike Lewinski (mike@rockynet.com)
Date: 08/10/01


Message-ID: <016b01c121ad$49342ee0$e25f753f@domain.com>
From: "Mike Lewinski" <mike@rockynet.com>
To: <incidents@securityfocus.com>
Subject: Re: Possible way to avoid unknown IIS vulnerabilities
Date: Fri, 10 Aug 2001 09:01:03 -0600


"Michael Katz" <mike@responsible.com> wrote:

> Using host headers on IIS servers will likely protect you from
> more than 90% of the attacks that are currently circulating, as
> most of them rely on scanning and exploitation via
> http://yourIPaddress. This is particularly true for Code Red v1
> and v2, the sadmind/IIS worm, the new Code Red II worm
> and the common scripted scans for decoding vulnerabilities.
> However, you should take the following into consideration:

An additional limitation is that some older browsers don't send host
headers. That means they can't see your sites, but then again anyone still
running a 2.0 browser won't see much of the web anyway.

If this method is used, I'd still define a default web site for the IP and
take a few additional actions:

1) Restrict anonymous access to the default web to local admin only
2) Restrict access to the default web by IP address to 127.0.0.1 only
3) Remove all permissions from the site (no read, script, exec)
4) Set directory ACLs to no access for all but admin
5) Stop the default web in the MMC

It may be overkill, but makes it less likely another admin will come along
and "fix" it.

Mike
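
Worked example, added to this page and not part of Mike's post or of any IIS documentation: the host-header binding Michael Katz describes and Mike's five lockdown steps for the default site, expressed as a script. The post describes these as MMC settings on IIS 4/5; the cmdlets below assume IIS 7 or later with the WebAdministration module and the "IP and Domain Restrictions" role service (Web-IP-Security), which is an assumption about the target. The site name www.example.com and the content path are placeholders.

```powershell
# Added example, not the original post's own steps. Assumes IIS 7+ with the
# WebAdministration module; the 2001 post did the same thing by hand in the MMC.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$defaultSite = 'Default Web Site'            # the site answering on the bare IP
$publicHost  = 'www.example.com'             # placeholder: the real host name
$publicPath  = 'C:\inetpub\www.example.com'  # placeholder: real content path
$appHost     = 'MACHINE/WEBROOT/APPHOST'     # applicationHost.config

# The ipSecurity section used in step 2 is silently ignored unless the
# IP and Domain Restrictions role service is installed (assumption: Server
# 2008 R2 or later, where Get-WindowsFeature is available).
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 0) Serve real content only on a host-header binding. A request that names
#    the IP address in the request line or Host header never matches it.
if (-not (Get-Website -Name $publicHost)) {
    New-Item -ItemType Directory -Path $publicPath -Force | Out-Null
    New-Website -Name $publicHost -PhysicalPath $publicPath `
                -Port 80 -HostHeader $publicHost | Out-Null
}

# 1) No anonymous access on the default site. With anonymous off, only an
#    authenticated method (Windows authentication, if installed) remains.
Set-WebConfigurationProperty -PSPath $appHost -Location $defaultSite `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# 2) Deny every client address except loopback. Clear any existing rules
#    first, then set "deny unlisted" and allow 127.0.0.1 only.
Clear-WebConfiguration -PSPath $appHost -Location $defaultSite `
    -Filter 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Location $defaultSite `
    -Filter 'system.webServer/security/ipSecurity' `
    -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location $defaultSite `
    -Filter 'system.webServer/security/ipSecurity' -Name '.' `
    -Value @{ ipAddress = '127.0.0.1'; allowed = 'true' }

# 3) No read, script or execute permission: the handler access policy is
#    the IIS 7+ equivalent of the old per-site Read/Script/Execute boxes.
Set-WebConfigurationProperty -PSPath $appHost -Location $defaultSite `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'None'

# 4) Directory ACLs: Administrators and SYSTEM only on the default site's
#    root. The stored path may contain %SystemDrive%, so expand it first.
$defaultPath = (Get-Website -Name $defaultSite).PhysicalPath
$defaultPath = [Environment]::ExpandEnvironmentVariables($defaultPath)
icacls $defaultPath /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# 5) Stop the default site and keep it stopped across service restarts.
Stop-Website -Name $defaultSite
Set-ItemProperty -Path "IIS:\Sites\$defaultSite" -Name serverAutoStart -Value $false

# Show what is left listening: the named site started, the default site stopped.
Get-Website | Format-Table Name, State,
    @{ Name = 'Bindings'; Expression = { $_.bindings.Collection.bindingInformation -join ' ' } }
```

Steps 1 through 4 are redundant once step 5 stops the site, which is exactly the post's point: if another admin starts the default site again, the IP restriction, the missing handler permissions and the NTFS ACLs still stand between a by-IP scanner and any content. Check the result from a second machine by requesting http://<server-ip>/ and http://www.example.com/ (with a hosts entry for the name): the first should get no content, the second the real site.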

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com