Re: permission
From: Kenzo (kenzo_chin@hotmail.com)
Date: 02/10/03
From: "Kenzo" <kenzo_chin@hotmail.com>
To: <security-basics@securityfocus.com>
Date: Mon, 10 Feb 2003 12:38:13 -0600
IIS Lockdown is set up and all the updates are up to date using MBSA.
I guess I'm just gonna have to tell him too bad.
And present these reasons to my boss.
Thanks, guys.
----- Original Message -----
From: "* KAPIL *" <kapil@kapilville.com>
To: "'Kenzo'" <kenzo_chin@hotmail.com>; <security-basics@securityfocus.com>
Sent: Friday, February 07, 2003 6:13 PM
Subject: RE: permission
> I don't think it's a good idea to give any sort of access to the root.
> Your website shouldn't be on the system volume anyway. If you need to
> test some sort of program/code that requires access to all of C:....then
> that's just bad programming. Why can't he test with access to a folder
> that's specially created for testing? ...or test on a development box
> that's not open to the public. In reality, if you're not a huge company,
> don't have many enemies, have a low traffic site and take other
> precautions to secure the network, you're fairly safe....still not a
> good idea though. I would also recommend downloading and running The IIS
> Lockdown Tool and the Microsoft Baseline Security Analyzer....both
> available for free from Microsoft.
>
> -------------------------
> Stand Up For Free Speech
> http://www.eff.org
>
> -----Original Message-----
> From: Kenzo [mailto:kenzo_chin@hotmail.com]
> Sent: Friday, February 07, 2003 1:47 PM
> To: security-basics@securityfocus.com
> Subject: permission
>
>
> OK, I need some input from you guys on this.
> Our webmaster seems to think that giving the guest internet user read
> access to the C drive is OK as long as you don't set IIS to list content
> and other stuff that I don't understand, since I don't know anything
> about running a website. I told him that by doing so, most subfolders
> will also take that permission, so if someone that knows what they're
> doing could compromise that account, they would have read access to
> almost the whole C drive. The box is a win2k server with IIS5. I
> believe he wants to do this for some error checking for a C or Java
> program. The program is supposed to check to make sure that the drive has
> enough space before it starts writing or copying things and for that it
> needs read access to the C drive. To me, even though I don't know
> anything about programming and webhosting, it doesn't look right from the
> security point of view.
>
> Please give me some input on this if it's OK or not and why, so that I
> can tell him yes it's OK or NO it's not OK because of this and that.
>
> Thanks.
>