Re: IIS Anonymous Security Issue



On Sep 11, 2:52 am, Reda Zeid <RedaZ...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Hi,

We're using a content editor (as a backend) to update our website's frontend
contents (WYSIWYG). The problem is that when we try to update the contents
through this backend, the server denies it and gives us the following message:

" r.a.d.editor5.6.0 Another process is using the resource (ascx/aspx file)
you are trying to update or the ASPNET user (IIS5) / NETWORK SERVICE account
(IIS6) has no write privileges for this file. The changes were not applied"

When we contacted the hosting company, they replied that we have to give
write privileges to the IIS Anonymous user on our server to solve this
issue, but this will cause another problem, which is that this action will
negatively affect server security, and therefore hackers can hack our
website more easily. They said that this is a Windows Server bug and there is
no solution for it yet. Kindly reply to me with what we should do, and
whether the above information is correct that it can't be solved in the right way?

We're using Windows Server 2003 Standard Edition and the page that we're
trying to update through the content editor is an ASPX.

Regards,


This is hardly a Windows Server bug. It is a security bug in the
application attempting to modify files on the server. It fails to
correctly authenticate to the server to perform privileged operations
such as writing files to it, so it relies on the anonymous user, which
requires no authentication, to perform the operation.

Does that sound like a Windows Server security issue, or general
laziness in the application in not authenticating correctly?

Now, the security concern is real. The assignment of blame is
incorrect.

Unfortunately, the correct solution, which is to make the content
editor authenticate to your website front-end, is likely not trivial
(or else the hosting company would have figured it out already), so
you are pretty much stuck with their pathetic lie.

You either stick with this company and lower your security (which is
their fault, not Microsoft's nor a Windows Server issue), or you go with
someone else who has a better sense of security and a comparable feature
package.

It is certainly possible to securely edit and upload content to Windows
Server 2003 with IIS6.

If you can disclose -- what company told you that this issue is a
Windows Server security bug with no solution yet? I'd like to know so
that I can warn anyone else about such unscrupulous dishonesty.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
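If you do end up taking the hosting company's route, the least-damaging form of it is to grant write access to the worker-process identity named in the error (NETWORK SERVICE on IIS6), on the one folder the editor actually writes, and to confirm that the anonymous account gets no write right there at all. The script below is an added example written for this page, not code from the thread or from either poster; it assumes the site lives under C:\Inetpub\wwwroot\site with the editable pages in a "content" subfolder, that the application pool runs as the default NETWORK SERVICE identity, and that the anonymous account has the default IUSR_<machine> name. Change those to match your server.

```powershell
# Added example (not from the original thread): scope write access to the
# single directory the content editor writes, for the IIS6 worker-process
# identity only, and verify the anonymous user cannot write there.
# Assumptions: site root C:\Inetpub\wwwroot\site, editable pages in its
# "content" subfolder, default NETWORK SERVICE app-pool identity, and the
# default IUSR_<machine> anonymous account name.

$contentDir     = 'C:\Inetpub\wwwroot\site\content'
$workerIdentity = 'NT AUTHORITY\NETWORK SERVICE'
$anonymousUser  = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # assumed default name

# Apply the ACE to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Modify = read/write/delete without the right to change permissions or
# ownership. Delete is included because editors commonly save via a temp
# file and rename. Nothing outside $contentDir is touched.
$acl  = Get-Acl -Path $contentDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $workerIdentity, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $contentDir -AclObject $acl

# Verification: list every Allow ACE that carries any write right, then
# fail loudly if the anonymous account is among the writers.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write'
$writers = (Get-Acl -Path $contentDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.FileSystemRights -band $writeMask) -ne 0) }

$writers | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($writers | Where-Object { $_.IdentityReference.Value -eq $anonymousUser }) {
    throw "$anonymousUser can write to $contentDir; remove that ACE rather than widening it."
}
```

Two caveats on what this buys you. It narrows who can write, not what a write can do: the folder holds .aspx pages that IIS will execute, so anyone who can drive the editor (or the NETWORK SERVICE process) can still deploy server-side code there, which is exactly the point the reply above makes about the editor not authenticating as the person making the change. And it only helps if the rest of the site stays read-only for both NETWORK SERVICE and the anonymous account; run the verification part against the site root as well to make sure no earlier "fix" left a broader write ACE in place.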



