Re: Which Router for VPN and Webhosting

From: Leythos (void_at_nowhere.com)
Date: 09/22/03


Date: Mon, 22 Sep 2003 05:27:48 GMT

In article <6dkbb.1977$iT4.1467931@news1.news.adelphia.net>,
davidwnh@adelphia.net says...
> The point is this Lars. If you are running a webserver you want to install a
> kernel, a webserver, and only the additional tools and software necessary to
> run and administer the webserver.
>
> Let's say another buffer overrun is found in IIS or one of the MS or third
> party isapi filters you use for dynamic content. An exploit is created for
> it which overwrites code in the IIS memory space that shovels a shell back
> to the hacker. Since IIS runs as system, and the cmd shell is actually being
> run on the server many things that are still installed on the server are
> still up for grabs. So disable what you can but if you can't uninstall it,
> one way or another much of it can be used against you to further a

All of our production web servers are set so that the MMC and CMD are
only executable by a select user account. Gaining access to the CMD
shell is not possible, even the OS system account can't access it. In
fact, I've done this on most of our admin tools, only a select user, one
that is not an admin, can execute them - the user is made an admin only
for the time needed to perform admin functions and then returned to user
status.

Been running IIS since 4 came out and never been compromised yet.

-- 
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
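
An added example, not part of the original post: a PowerShell audit of the setup described in the reply above, listing every account other than the designated one that is still allowed to execute cmd.exe or mmc.exe. The account name `WEB01\toolop` is a hypothetical placeholder, and the tool list covers only the two programs named in the post.

```powershell
# Added example: audit which accounts hold execute rights on admin tools.
# 'WEB01\toolop' is a hypothetical account name; replace it with your own.
$allowed = @('WEB01\toolop')
$tools   = @('cmd.exe', 'mmc.exe') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

# File execute bit plus the generic rights that imply it
$FILE_EXECUTE    = 0x20
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL     = 0x10000000
$mask = $FILE_EXECUTE -bor $GENERIC_EXECUTE -bor $GENERIC_ALL

$findings = foreach ($path in $tools) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        # Cast to int so unnamed (generic) right values are tested too
        $grantsExecute = ([int]$ace.FileSystemRights -band $mask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsExecute -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $path
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'Only the allowed accounts hold execute rights on the listed tools.' }
```

The Owner column is reported because a file's owner can normally rewrite its DACL, so an unexpected owner deserves the same attention as an unexpected Allow entry.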

