Re: Requisites for a very unsafe IIS5!

From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 03/09/05

Next message: seeker01: "why internet OWA clients cant logon - HTTP 500"
Previous message: Aaron Tiainen: "Re: IIS 401 Error"
In reply to: Miha Pihler [MVP]: "Re: Requisites for a very unsafe IIS5!"
Next in thread: Jeff Cochran: "Re: Requisites for a very unsafe IIS5!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 9 Mar 2005 12:04:32 +1100

Unless of course that's the point of the presentation - ongoing improvement,
the importance of patching your boxes, keeping naked installs offline,
slipstreaming patches into fresh installs to mitigate the danger from new
installs etc...

otherwise agreed. I'd also be looking at vulnerabilities in the the
application layer such as SQL injection, Session hijacking, cross-site
scripting, packet sniffing and so on - they're more common than unpatched
IIS boxes by far, and easier to demo exploits on.

-- 
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message 
news:ewoPPHAJFHA.3076@tk2msftngp13.phx.gbl...
> Hi John,
>
> If you really want to teach users something, then have a fully patched up 
> computer; then show them vulnerabilities...
>
> I don't see much point in showing off 4 or more years old holes that were 
> patched up long time ago.
>
> -- 
> Mike
> Microsoft MVP - Windows Security
>
> "John Leerentveld" <john.leerentveld@carthago-ict.nl> wrote in message 
> news:1110291647.265077@ram.introweb.nl...
>> Hi,
>> for an ethical hacking training I need to have a IIS configuration that's 
>> very unsecure, so I can test
>> and show the vulnerability.
>> What should I do? Install Windows 20000 out-of-the-box without any 
>> SP's/patches?
>>
>> John
>>
>
>

Next message: seeker01: "why internet OWA clients cant logon - HTTP 500"
Previous message: Aaron Tiainen: "Re: IIS 401 Error"
In reply to: Miha Pihler [MVP]: "Re: Requisites for a very unsafe IIS5!"
Next in thread: Jeff Cochran: "Re: Requisites for a very unsafe IIS5!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [SLE] SuSE / Novell Patch System on 9.3
... I have been a Linux user since 1996 and I have used numerous ... > reviewing of my failed installs and I found if I didn't patch the system it ... The first round the window manager ... > friendly problems in their patches. ...
(SuSE)
Re: [opensuse] 10.1 Yast Online Update
... In 10.1 YOU shows all patches and the ones with blue or black checkmark ... If all patches showing have just checkmarks, ... note on the right-hand window saying that the installed and available ... Then hitting "Accept" actually installs the ...
(SuSE)
Re: Solaris 10 installation questions and bugs?
... >> There are no patches for Solaris 10 available as of now. ... Summary: Sun One Application Server 7.0: Java API for XML Parsing 1.2 Patch ... Installs fine on my Solaris 10 test machine: ... Validating patches... ...
(comp.unix.solaris)
Re: Cant access soundcard by several application at the same time.
... > makefiles generate a kernel.rpm. ... Portage just installs the source and patches it if you choose ...
(alt.os.linux)
Re: How many times can i install XP on same computer
... I phone to get the key (the boxes are not on line), and after the first refusal I feigned ignorance and pleaded extenuating circumstances to get an extra activation. ... since you last activated that specific Product Key, ... CD and the first key on the list for I think four installs, ... I bought a new drive and installed XP. ...
(microsoft.public.windowsxp.general)