Re: Domain Account used for IIS6 Anonymous Account Risks?



Well, the most obvious risk is that IIS knows the password for the xyzweb account. If someone can get IIS to execute arbitrary code (e.g. by uploading some of their own web pages), then IIS can connect to ServerB using the domain\xyzweb account, and that account has full privileges on ServerB.

Cheers
Ken


"gdknox" <gdknox@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0848C043-E0CE-4913-92B6-905CE66FB6E2@xxxxxxxxxxxxxxxx
Here is the situation:

Two servers: ServerA is a IIS6 server
ServerB is a application server with a DB

ServerA sits in public IP space, ServerB is in private with an access list
on a router allowing the two to communicate.


ServerA is using a domain user account, say “xyzweb”, for the IIS Anonymous
user, and that account has no elevated rights on this server.

ServerB has this same domain account “xyzweb” in its local admin group.


When joe-public accesses ServerA, the anon account “xyzweb” accesses data
records from ServerB. Now, this access is being done with COM objects or
something of the sort.

Knowing all of this, and knowing that, as far as the application vendor is
concerned, this is the only way it will work... let's discuss risks:

Any comments are most appreciated.

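The reply's risk rests on two facts that are easy to verify rather than take on trust: which identity IIS6 actually hands to anonymous visitors on each site, and whether that identity sits in the backend's local Administrators group. The script below is an added example, not code from the thread or from either poster; it assumes the web server is the machine it runs on with IIS6's metabase reachable through the IIS:// ADSI provider, that the backend is reachable by NetBIOS name as ServerB, and that the account in question is DOMAIN\xyzweb (replace DOMAIN with the real domain name). It uses only the ADSI providers available on Windows 2003, so it needs no IIS PowerShell module.

```powershell
# Added example (not from the original thread). Audits the two facts the risk
# discussion depends on: the IIS6 anonymous user per site, and membership of
# that account in the backend's local Administrators group.
# Assumptions: runs on the IIS6 box; backend reachable as 'ServerB';
# account is 'DOMAIN\xyzweb'. Caller needs rights to read the metabase locally
# and to enumerate local groups on the backend.
param(
    [string]$Backend = 'ServerB',
    [string]$Account = 'DOMAIN\xyzweb'
)

# 1. Which identity does each IIS6 web site use for anonymous access?
#    AnonymousUserName lives in the metabase and is read via the IIS:// provider.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$sites = $w3svc.Children | Where-Object { $_.SchemaClassName -eq 'IIsWebServer' }
foreach ($site in $sites) {
    $root = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
    $anon = [string]$root.AnonymousUserName
    "{0,-6} {1,-30} anonymous user: {2}" -f $site.Name, [string]$site.ServerComment, $anon
}

# 2. Is the account (or anything else from the domain) a local Administrator on the backend?
#    WinNT:// group members come back as COM objects; pull each one's ADsPath.
$admins  = [ADSI]"WinNT://$Backend/Administrators,group"
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# ADsPath looks like WinNT://DOMAIN/xyzweb ; normalise to DOMAIN\xyzweb for comparison.
$normalised = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }

"`nLocal Administrators on ${Backend}:"
$normalised | ForEach-Object { "  $_" }

# -contains is case-insensitive in PowerShell, so DOMAIN\XYZWEB still matches.
if ($normalised -contains $Account) {
    Write-Warning ("{0} is a local administrator on {1}: anything that runs as the " +
                   "anonymous web user can administer the backend.") -f $Account, $Backend
} else {
    "$Account is not in $Backend\Administrators."
}
```

If the warning fires, the next question for the vendor is the one the thread circles around: which specific rights on ServerB the application actually exercises (a DCOM launch/activation permission, a share, a database login), so that xyzweb can be granted those and removed from Administrators.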


