Re: FSO exploit

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/20/05


Date: Wed, 20 Apr 2005 18:12:44 +1000

Open IIS Manager, right-click on a website and choose Properties. On the
Security tab click the "Edit" button under Anonymous Authentication. There
you can supply a custom account to be used for Anonymous Access for that
website.

Then, after setting a custom account for each website (so, each website has
its own account), you need to set appropriate ACLs on the web content for
each website.

You can automate all of this with a bit of scripting. adsutil.vbs can be
used to configure the IIS stuff and xcacls can be used to configure the NTFS
permissions.

I'm pretty sure Microsoft has some hosting stuff on their website for
hosting companies to configure shared hosting securely.

Cheers
Ken

-- 
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Savas" <Savas@discussions.microsoft.com> wrote in message 
news:E055976E-5C9E-4D6E-8904-62F2D9610110@microsoft.com...
: Thanks for the information. One thing that I do not understand. If I do not
: give write access to the general IUSR how can site visitors use pages that
: require writing to folder?
:
: I mean where do I put this user information so browser can access that
: website with read/write access?  I hope I made my question clear.
:
: "Ken Schaefer" wrote:
:
: > You need to create a custom Anonymous User account for each website. That
: > account should have Read/Write permissions for that individual website
: > *only*, and not any other website. That way a customer can write content to
: > their own website, but can't write any content to any other website -or-
: > read any content from any other site. Additionally you can restrict that
: > account's permissions to other parts of the system as well
: >
: > Cheers
: > Ken
: >
: > -- 
: > Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: >
: >
: > "Savas" <Savas@discussions.microsoft.com> wrote in message
: > news:FBD46A3D-E1C0-498C-8FA9-35194391BFE1@microsoft.com...
: > : Hi,
: > :
: > : My server was hacked over this weekend using the FSO exploit. It is sad
: > : that by uploading one simple asp file to one website in a server, a hacker
: > : can access the whole machine, both drive C and drive D. Well I should have
: > : played around with the IUSR permissions not allowing it to access drive C
: > : where web files are not kept; however most sites hosted on my server
: > : require both read and write access, giving the hacker the privilege to do
: > : anything he/she wants.
: > :
: > : I thought of unregistering the FSO component but many sites use the
: > : Dictionary object which would also be disabled. I am really stuck and
: > : cannot find a solution.
: > :
: > : Has anyone come up with a solution? I have limited hackers' access to
: > : many areas by disabling IUSR access; however many folders still need
: > : IUSR to write to them. Also this asp file can see inside access
: > : databases too; which is frightening.
: >
: >
: >
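The procedure Ken outlines at the top of this message (a separate anonymous account per website, bound in the IIS metabase, with NTFS ACLs that give that account Modify on its own content tree and nothing else), as an added, scripted example. This is not code from the original thread, from Ken, or from Microsoft's hosting guides: it drives the same metabase properties adsutil.vbs would set (AnonymousUserName, AnonymousUserPass, AnonymousPasswordSync) through the IIS 6 ADSI provider from PowerShell, and replaces xcacls with Set-Acl. The web root D:\websites, the site IDs and names in $Sites, and the IUSR_<site> naming are my placeholders, not values from the page. The point for the FSO problem is that an uploaded ASP page runs as the site's own anonymous account, so a FileSystemObject call in it can only reach what that one account is granted, which is why the audit at the end checks that no other site's account, the shared IUSR_<machine> account, Everyone or Users appears on a site's content.

```powershell
# Added example, not from the original post. Assumptions: IIS 6 metabase ADSI
# provider (IIS://) and local accounts (WinNT://); content under D:\websites\<name>;
# the site IDs/names below are placeholders; run as a local administrator on the server.
$WebRoot = 'D:\websites'
$Sites = @(
    @{ Id = 1; Name = 'site-one' },   # placeholder metabase site IDs and names
    @{ Id = 2; Name = 'site-two' }
)

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols so that byte % 64 has no modulo bias; bytes come from a CSPRNG.
    # The password is never stored anywhere except the metabase entry below.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%^*-'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-SiteAnonymousAccount {
    param([string]$Name, [string]$Password)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('user', $Name)
    $user.SetPassword($Password)
    $user.SetInfo()
    # ADS_UF_PASSWD_CANT_CHANGE (0x40) | ADS_UF_DONT_EXPIRE_PASSWD (0x10000)
    $user.Put('UserFlags', ([int]$user.Get('UserFlags') -bor 0x10040))
    $user.SetInfo()
    # Mirror the stock IUSR_<machine> account: member of Guests only. A new local
    # user lands in Users by default and would inherit every "Users" ACE on C:.
    $path = $user.Path
    ([ADSI]"WinNT://$env:COMPUTERNAME/Users,group").Remove($path)
    ([ADSI]"WinNT://$env:COMPUTERNAME/Guests,group").Add($path)
}

function Set-SiteAnonymousUser {
    param([int]$SiteId, [string]$Name, [string]$Password)
    # Equivalent to:
    #   cscript adsutil.vbs SET W3SVC/<id>/ROOT/AnonymousUserName <name>
    #   cscript adsutil.vbs SET W3SVC/<id>/ROOT/AnonymousUserPass <password>
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
    $root.Put('AnonymousUserName', $Name)
    $root.Put('AnonymousUserPass', $Password)
    $root.Put('AnonymousPasswordSync', $false)   # we own the password, IIS must not sync it
    $root.SetInfo()
}

function Set-SiteContentAcl {
    param([string]$Path, [string]$Name)
    # Replace the inherited ACL with an explicit one: Administrators and SYSTEM
    # get Full Control, this site's account gets Modify on its own tree, and
    # nothing else (no Everyone, no Users, no other site's account).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($r in @(@('BUILTIN\Administrators', 'FullControl'),
                     @('NT AUTHORITY\SYSTEM',    'FullControl'),
                     @("$env:COMPUTERNAME\$Name", 'Modify'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SiteIsolation {
    # Audit: returns "site <- identity" for any ACE on a site's content that belongs
    # to another site's account, the shared IUSR_<machine>, Everyone or Users.
    # An empty result means an FSO call in one site cannot reach another site.
    param([string[]]$Names)
    $broad = @('Everyone', 'BUILTIN\Users', "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME")
    $leaks = @()
    foreach ($n in $Names) {
        $acl = Get-Acl -Path (Join-Path $WebRoot $n)
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            $foreign = $Names | Where-Object { $_ -ne $n -and $who -eq "$env:COMPUTERNAME\IUSR_$_" }
            if ($foreign -or ($broad -contains $who)) { $leaks += "$n <- $who" }
        }
    }
    $leaks
}

foreach ($s in $Sites) {
    $acct = "IUSR_$($s.Name)"
    $pw   = New-RandomPassword
    New-SiteAnonymousAccount -Name $acct -Password $pw
    Set-SiteAnonymousUser -SiteId $s.Id -Name $acct -Password $pw
    Set-SiteContentAcl -Path (Join-Path $WebRoot $s.Name) -Name $acct
}
Test-SiteIsolation -Names ($Sites | ForEach-Object { $_.Name })
```

Two caveats worth checking after running something like this. First, the anonymous account still needs the logon right IIS uses for anonymous requests (interactive on IIS 5, network logon by default on IIS 6), which is why the script keeps it in Guests like the stock IUSR account rather than inventing a stricter group; confirm a plain GET works before tightening further. Second, this isolates sites from each other but deliberately does not take write access away from a site's own account, since that is what Savas's customers need; the remaining exposure is the site's own content plus whatever Everyone-readable system files ASP needs, so tighten Everyone on C: separately instead of on the web content.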