Re: URLScan (and Demarc PureSecure)

From: Kirk Schafer (jogglie@excite.com)
Date: 03/20/02


To: security-basics@securityfocus.com, focus-ids@securityfocus.com
From: "Kirk Schafer" <jogglie@excite.com>
Date: Wed, 20 Mar 2002 15:16:19 -0500 (EST)



Note: I added focus-ids to the recipient list - if you reply to this, and it's not related to Intrusion Detection, please remove that recipient. The original "thread" is below.

Yes, it's too bad you can't somehow certify specific EXE's as safe, and block all others - or even allow by "zone".

Demarc's IDS product, PureSecure, discussed in "focus-ids" before, doesn't work if URLScan is installed and enabled, and blocks DMarcD.exe, even though you're requesting the object from your local machine. Even after modifying URLScan's entries, I still had problems related to Demarc and local security.

Never one to leave dangling references (i.e., this is not a plug), Demarc Security's Intrusion Detection System is a free *nix/Win product, based on Snort, available here: www.demarc.com

Kirk

--------------------- Nonstandard forwarded thread below

From dumbwabbit@yahoo.com 3/20/02 11:49:

i know you can (and I do) move and ACL critical system
files (eg cmd.exe and other stuff from %systemroot%
locations), and allow *only* access to certain
directories containing executables, and there are
other ways of configuring it, I have done it... I just
still have reservations when it comes to allowing .exe
through IIS at all.


--- Charles Otstot <charles.otstot@ncmail.net> wrote:
> I have seen some messages in the Microsoft IIS and security news groups
> on opening up specific .exe's via URLScan.
>
> Although the solutions were rather convoluted, you may want to check
> some of the groups there and post a question or two. I haven't worked
> with URLScan to the depth of knowing this one off the top of my head,
> but if I recall correctly, it *can* be done.
>
> Charlie
>
> dumbwabbit wrote:
>
> > Hmm, I would NOT recommend opening up the .exe extension.
> > Rather, you may want to consider redirecting them to
> > an FTP site, either your own, or the Citrix download
> > location (if there is one, sorry I don't know, never
> > used this client).
> > Baaaaaad security risk to allow .exe
> > just my
> > .000002
> >
> > --- "Bonner, Jon" <Jon.Bonner@k12.sd.us> wrote:
> > > Open the following file:
> > > %systemroot%\system32\inetsrv\urlscan\urlscan.ini.
> > > Scroll down in the file until you find the section containing the text
> > > "; Deny executables that could run on the server" and then place a
> > > semicolon in front of the EXE that appears below it. This comments out
> > > EXE so that URLScan will stop blocking files with that extension. Then
> > > restart IIS or reboot your server.
> > >
> > > Jon Bonner
> > >
> > >
> > > -----Original Message-----
> > > From: CHM Security [mailto:chmsecurity@hotmail.com]
> > > Sent: Friday, March 08, 2002 5:56 PM
> > > To: security-basics@securityfocus.com
> > > Subject: URLScan
> > >
> > > I am running Citrix nfuse on an IIS 5 server and attempted to install the
> > > urlscan.exe from M$. I have very limited knowledge on web servers and
> > > every time I install the urlscan it kills the ability of clients to download
> > > the citrix web client (ica32t.exe) file. Like I said I have very limited
> > > knowledge of web servers and I'm not sure how I can edit the urlscan ruleset
> > > to allow this to happen. I would really like to run the urlscan tool to
> > > receive all of the benefits it provides, but as of right now I can't because
> > > it kills necessary functionality. Any help would be greatly appreciated!

------------------------------------------------
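
Added example, not part of the original thread or of URLScan itself: a small audit that reads a urlscan.ini and reports which executable extensions have been commented out of the deny list, as in the edit described in the thread above. The sample file contents, the function names and the `EXECUTABLE_EXTS` set are constructed for illustration, and the check assumes `UseAllowExtensions=0`, so that `[DenyExtensions]` is the list in effect.

```python
import re

# Constructed sample, laid out as the thread describes: the ".exe" entry
# under the "Deny executables" comment has been disabled with a semicolon.
SAMPLE_INI = """\
[options]
UseAllowExtensions=0

[DenyExtensions]
; Deny executables that could run on the server
;.exe
.bat
.cmd
.com
.htw
"""

# Extensions this example treats as server-executable (an assumption; tune per site).
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com"}


def audit_deny_extensions(ini_text):
    """Return (active, commented_out) extension sets from [DenyExtensions]."""
    active, commented = set(), set()
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "denyextensions":
            continue
        # A disabled entry is ";.exe" or "; .exe"; prose comments do not match.
        disabled = re.fullmatch(r";\s*(\.\w+)", line)
        if disabled:
            commented.add(disabled.group(1).lower())
        elif not line.startswith(";"):
            # Live entry; drop any trailing inline comment.
            active.add(line.split(";", 1)[0].strip().lower())
    return active, commented


def exposed_executables(ini_text):
    """Executable extensions that the deny list no longer rejects."""
    active, _ = audit_deny_extensions(ini_text)
    return sorted(EXECUTABLE_EXTS - active)
```

Running `exposed_executables()` over the live urlscan.ini after each change gives a quick record of which executable types the filter has stopped rejecting.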


