Re: IIS Seperate Partition?
From: John Alderson (jalderson_at_freebeer^at^adelphia^dot^net)
Date: 06/03/04
- Next message: Chrisss: "SFTP"
- Previous message: Dennis: "Re: SPS wont use kerberos"
- In reply to: Jeff Cochran: "Re: IIS Seperate Partition?"
- Next in thread: Jeff Cochran: "Re: IIS Seperate Partition?"
- Reply: Jeff Cochran: "Re: IIS Seperate Partition?"
Date: Thu, 3 Jun 2004 06:40:13 -0400
"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:40be631d.22156028@msnews.microsoft.com...
> On Wed, 2 Jun 2004 06:49:16 -0700, "John Alderson"
> <smtpJAldersonisyourfriend@^&*ad3lphiainet> wrote:
>
>>
>>>-----Original Message-----
>>>On Sat, 29 May 2004 16:01:04 -0700, Ryan Riddell
>>><anonymous@discussions.microsoft.com> wrote:
>>>
>>>>I'm running Server 03 with a web server and file server
>>as well as acting as a domain controller.
>>>>
>>>>My question is if it would be more secure or considered
>>a good idea to have the web server on its own partition?
>>>
>>>It's a great idea to separate the content partition from
>>the OS
>>>partition. But it's not much of a security help.
>>
>>
>>I have to disagree Jeff. Take a look at my reply to Paul
>>Lynch in this thread on Nimda vs. CodeRed. Even if the
>>*only* thing you did was move your web content off of the
>>OS partition - that would have protected you from Nimda,
>>its variants and many scripted attack kits.
>
> Or, had you installed the security patch, available six months prior
> to Code Red and a year prior to Nimda, you would have accomplished the
> same. Or even more prudently, moved the CMD.EXE file to a separate
> directory, a practice which has died off in the last decade since DOS
> bulletin boards have dropped out of style.
>
> Scripted attacks using any directory traversal are also not possible
> under Server 2003, the OS the original poster said he's running.
> Thus, moving the folder to another volume to prevent directory
> traversal is "not much of a security help."
>
Hi Jeff,
Moving cmd.exe and setting proper NTFS permissions would accomplish the same
goal, would you agree? Clearly, many people hadn't applied the patch ;-)
At the time, for my servers anyway, the patch was scheduled for the next
maintenance cycle which was a month or so away when Nimda hit. But I had
already assessed that the configuration disallowed meaningful exploitation.
This was proven out during the outbreak.
>>Even if, for the sake of argument, we assume that there
>>will never again be a directory traversal vulnerability
>>in IIS, what about the third party code you might have
>>loaded up to get at some functionality? What about the
>>custom application code? There are many sources of input
>>to a reasonably functional web application.
>
> And no way to predict the attack vector, nor to predict the mode of
> attack. Which makes moving the folder to a separate partition a shot
> in the dark that currently is of little use. Like changing the
> version reported for IIS and FTP banners, advising the change for
> security reasons is potentially more harmful since it imbues a false
> sense of security.
>
Here, we know the attack vector - directory traversal. What we don't know
is what component will fall to it. However, rather than treating the
symptoms - component X allows directory traversal - treat the problem.
Directory traversal allows you to break out of a web root and move *on that
volume*. If we agree that the majority of sensitive executables that could
do us damage reside on the OS partition, then not allowing any Directory
Traversal from wherever it might be from occurring on that volume is a
positive security step.
I've given proven, real world examples here of where that step alone
provided tangible and effective defense of otherwise defenseless servers. I
would submit that assuming that there won't be some component, either OS or
3rd party, that allows for directory traversal on a server that you might
control is a bad assumption.
>>Let me borrow your analogy here. By virtue of allowing
>>connection from the network, you are already letting them
>>into the house. Keep them in the front hall/living room
>>by strictly segregating content, don't give them the run
>>of the house ;-)
>
> Or deny all connections and keep them out. All security is a matter
> of balances. And anyone who is able to control a partition already
> has too much control. Even the ability to change content on a
> partition is too much access, and at that point a server should be
> rebuilt from scratch.
>
> Jeff
Give the book Exploiting Software a look, particularly with respect to heap
overflows. That mechanism in particular is what I was thinking of when I
rewrote your analogy. I think you'll see what I mean. Any time you are
allowing outside parties to connect to your system and send you data, you
are at risk. You're right, security is a matter of balances and managing
risk. Knowing where your threats are coming from is essential in that
battle.
John
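
Added example, not part of the original post: a small Python model of the point argued above, that `..` segments can climb out of a web root but cannot leave the volume the root sits on. The request string, the web root paths and the `C:\WINDOWS\system32\cmd.exe` target are constructed sample values, and the model covers only `..` resolution, not other bug classes.

```python
import ntpath  # Windows path rules, usable on any platform

# Constructed sample values (assumptions, not taken from the thread).
SENSITIVE = r"C:\WINDOWS\system32\cmd.exe"
TRAVERSAL_REQUEST = "/scripts/../../../WINDOWS/system32/cmd.exe"


def resolve(web_root, requested):
    """Map a request path onto disk the way a handler with no
    canonicalization check would: join to the root, collapse '..'."""
    rel = requested.replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(web_root, rel))


def inside_root(web_root, resolved):
    """Containment check: is the resolved path still under the web root?"""
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\")
    target = ntpath.normcase(resolved)
    return target == root or target.startswith(root + "\\")


def assess(web_root, requested, sensitive=SENSITIVE):
    """Return (resolved_path, escaped_root, reaches_sensitive_file)."""
    resolved = resolve(web_root, requested)
    escaped = not inside_root(web_root, resolved)
    reaches = ntpath.normcase(resolved) == ntpath.normcase(sensitive)
    return resolved, escaped, reaches


if __name__ == "__main__":
    for root in (r"C:\Inetpub\wwwroot", r"D:\Inetpub\wwwroot"):
        resolved, escaped, reaches = assess(root, TRAVERSAL_REQUEST)
        print(f"{root:22} -> {resolved:30} "
              f"escaped_root={escaped} reaches_cmd={reaches}")
```

With the root on `C:` the request escapes the root and lands on the OS binary; with the root on `D:` it still escapes the root, which the `inside_root` check flags, but the resolved path stays on `D:`.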