Re: Newbie IIS general sec concerns

From: Jeff Cochran (jcochran.nospam@naplesgov.com)
Date: 04/01/03


On Mon, 31 Mar 2003 18:35:39 -0800, "j. green"
<netengineer@hushmail.com> wrote:

>I have a few newbie concerns re IIS security & was hoping
>to get some advisement: After configuring IIS 5.0 w/ Win
>SP3, IIS lockdown, the hisecweb security template,
>tightened ntfs permissions, ... etc., after scanning the
>box w/ a vul scanner, there were still some 30+ vul's re
>things like Webdav, asp, .htr, directory
>traversal, /_vti_bin/shtml.dll, etc., & others related to
>DoS. I guess my question is what else do I need to do?
>I've looked at several IIS sec sites, and they all seem to
>point to the same MS urls. And, w/ the box patched to
>current & "tightened down", I was somewhat surprised to
>see so many existing vul's. Surely some of them are
>related to the asp coding which is outside of my control,
>but I'd hate to get rooted over something that is easy to
>remedy. Anything else I should be doing?

Well, a vulnerability is a liability if you don't use that service,
but if you use that service you can't turn it off. WebDav for
example. If you don't use it turn it off. If you do use it, make
sure you're patched. Actually, patch even if you turn it off.

What worries me more is that you're seeing vulnerabilities for
directory traversal, which was patched eons ago. Also, WebDav, HTR,
ASP, etc. are blocked using the IISLockdown tool, so you may have
misconfigured it or chosen options that aren't valid for your setup.

As for anything else, did you subscribe to the security bulletins?
The SANS list? BugTraq? The IISAdmin list? These all will alert you
to vulnerabilities as they are discovered. Are you running HFNetChk
or MBSA? Regularly? How about virus scanning? Have you locked out
everything in your firewall? Here's another area where you could block
WebDav vulnerabilities.

Also, what "scanner" are you using to check these vulnerabilities?
From what you say you installed, you shouldn't see 30+ actual
vulnerabilities. I have a feeling the "scanner" is warning you of
problems you don't have.

Jeff
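One way to tell real findings from scanner noise, as an added example that is not part of Jeff's reply or the original thread: check the IIS W3C extended log for what the server actually answered when the scanner probed the vectors named above (WebDAV, .htr, /_vti_bin/shtml.dll, directory traversal). The log excerpt below is constructed, and the vector list is an assumption drawn from the items mentioned in the thread.

```python
import re
from collections import Counter

# Constructed IIS 5 W3C extended log excerpt (not from any real server). The
# #Fields header names the columns, so the parser must not hard-code positions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-01 13:25:28 10.0.0.5 GET /default.asp - 200
2003-04-01 13:25:29 10.0.0.5 PROPFIND / - 501
2003-04-01 13:25:29 10.0.0.5 GET /iisadmpwd/achg.htr - 404
2003-04-01 13:25:30 10.0.0.5 GET /scripts/old.htr - 200
2003-04-01 13:25:30 10.0.0.5 GET /_vti_bin/shtml.dll - 403
2003-04-01 13:25:31 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
"""

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "SEARCH", "LOCK", "UNLOCK"}

# Vector name (as discussed in the thread) -> predicate over one parsed record.
VECTORS = {
    "webdav": lambda r: r["cs-method"].upper() in WEBDAV_METHODS,
    "htr": lambda r: r["cs-uri-stem"].lower().endswith(".htr"),
    "frontpage": lambda r: "/_vti_bin/" in r["cs-uri-stem"].lower(),
    "traversal": lambda r: re.search(r"\.\.(%255c|%5c|%2f|[\\/])", r["cs-uri-stem"], re.I) is not None,
}

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text):
    """Count, per vector, how often IIS actually served the request (200) versus
    refused it (404/403/501 after lockdown). Only 'live' hits need remediation."""
    result = {name: Counter() for name in VECTORS}
    for rec in parse_w3c(text):
        for name, matches in VECTORS.items():
            if matches(rec):
                result[name]["live" if rec["sc-status"] == "200" else "blocked"] += 1
    return {name: dict(c) for name, c in result.items()}

if __name__ == "__main__":
    for name, counts in triage(SAMPLE_LOG).items():
        print(f"{name:10s} {counts}")
```

In the constructed sample only the stray `.htr` file is actually served, which is the one finding worth chasing; the rest are the scanner reporting handlers that lockdown already removed.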


