Re: Server security

From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 03/14/05


Date: Mon, 14 Mar 2005 13:36:02 +1100

Sounds like if you were finding new, hard-to-erase folders in the wwwroot
then you were probably sitting there with anonymous access enabled to FTP
(or a very weak password), which is a pretty common attack on freshly set-up
boxes. It's not something that MBSA would pick up, and it's not something
you'd have fixed by a patch - it's a misconfiguration.

I assume you've closed it now?

-- 
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Jorge Pérez" <jlperezBORRARESTO@epm.net.co> wrote in message 
news:%232RMFjDKFHA.2736@TK2MSFTNGP09.phx.gbl...
> Hi Jason,
>
> Thanks for your reply. As you say my friend has given me a lot of support
> and it looks like many problems have been corrected to date, but
> anyway after all the problems that I had with the server, I have the
> purpose of at least learning some basics on server security. It's a must
> for me.
>
> I can tell you that I noticed that we had a security problem because I 
> started finding lots of new folders and/or files in the IIS folder, which 
> I erased many times and again were created in the server. Now we have a 
> folder with no name which I haven't been able to remove.
>
> As you suggest, about patches, we are up to date with the latest ones,
> Windows Update is active in our server and I'm permanently checking and
> installing new ones when I log into the server and receive alerts of new
> patches ready to install. Now I'm also using Microsoft Baseline Security
> Analyzer and tools like TcpView, ProcExp and other ones that my friend
> installed in the server.
>
> I will start reading from the links that you returned me in your answer, 
> and for sure I will be back with new questions as I learn about the 
> matter. Once again, thank you very much for your time.
>
> Best regards,
>
> Jorge Pérez
>
> Jason Brown [MSFT] wrote:
>> Hi Jorge,
>>
>> There are plenty of resources out there - try Technet for instance 
>> http://www.microsoft.com/technet/
>>
>> also www.iisanswers.com
>> www.iisfaq.com
>> www.securityfocus.com
>>
>> You'll probably find MBSA extremely useful, too:
>>
>> http://www.microsoft.com/technet/security/tools/mbsahome.mspx
>>
>> I'd suggest also, since your friend claims to know what he's talking 
>> about, that you draft him in to actually give you some details on his 
>> 'more holes than Swiss cheese' assertion, because without some detail,
>> that's really no good to you.
>>
>> A major part of security is just common sense - making sure your 
>> passwords are strong, that anonymous FTP is disabled or tightened, that 
>> patches are applied, services you don't use are turned off and so on.
>>
>> What sort of hack were you subject to?
>>
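
An added example, not part of the original thread or any Microsoft tool: since the anonymous-FTP misconfiguration described in the reply is not something MBSA reports, one way to confirm it after the fact is to scan the FTP service log for successful writes made by anonymous sessions. The sample log is constructed, and the field layout (a `#Fields:` header, `[session]COMMAND` in `cs-method`, uploads logged as `created`) is an assumption about the server's log format.

```python
import re

# Constructed sample; field layout and the "created" upload record are assumptions.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:11:40 203.0.113.7 [5]USER anonymous 331
02:11:41 203.0.113.7 [5]PASS guest@example.com 230
02:11:43 203.0.113.7 [5]MKD /wwwroot/tmp1 257
02:11:44 203.0.113.7 [5]MKD /wwwroot/tmp1/sub 257
02:11:50 203.0.113.7 [5]created /wwwroot/tmp1/a.bin 226
02:30:02 198.51.100.9 [6]USER webadmin 331
02:30:03 198.51.100.9 [6]PASS - 230
02:30:09 198.51.100.9 [6]MKD /wwwroot/images 257
02:41:10 192.0.2.44 [7]USER anonymous 331
02:41:11 192.0.2.44 [7]PASS x@y 230
02:41:15 192.0.2.44 [7]MKD /wwwroot/test 550
"""

WRITE_VERBS = {"MKD", "STOR", "APPE", "RNTO", "CREATED"}
ANON_USERS = {"anonymous", "ftp"}
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[session]COMMAND"

def anonymous_writes(log_text):
    """Return successful write operations from sessions logged in anonymously."""
    fields, session_user, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        m = METHOD_RE.match(row.get("cs-method", ""))
        if not m:
            continue
        key = (row.get("c-ip"), m.group(1))  # one FTP session per (client, id)
        verb = m.group(2).upper()
        target = row.get("cs-uri-stem", "-")
        if verb == "USER":
            session_user[key] = target.lower()
        elif (verb in WRITE_VERBS and row.get("sc-status", "").startswith("2")
              and session_user.get(key) in ANON_USERS):
            findings.append({"time": row.get("time"), "ip": key[0],
                             "verb": verb, "path": target})
    return findings

if __name__ == "__main__":
    for hit in anonymous_writes(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["verb"], hit["path"])
```

Any hit means the anonymous account could write to the site at that time; a refused attempt (the 550 line) and the named account's writes are not reported.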