Re: Domain Account used for IIS6 Anonymous Account Risks?

Ken..

Thank you for your comment. Can you direct me to where I can obtain further
information, examples of exploitation? Horror stories and etc?

This is definately not my idea of a secure transaction enviroment, but I am
losing the battle with the vendor, who says that this is the "only" way their
application will run.



"Ken Schaefer" wrote:

Well the most obvious risk is that IIS knows the password for the xyzweb
account. If someone can get IIS to execute arbitrary code (e.g. by uploading
some of their own webpages) then IIS can connect to serverB using the
domain\xyzweb account, and that account has full privileges on serverB

Cheers
Ken


"gdknox" <gdknox@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0848C043-E0CE-4913-92B6-905CE66FB6E2@xxxxxxxxxxxxxxxx
Here is the situation:

Two servers: ServerA is a IIS6 server
ServerB is a application server with a DB

ServerA sits in public IP space, ServerB is in private with an access list
on a router allowing the two to communicate.


ServerA is using a domain user account say “xyzweb” for the IIS Anonymous
user and has no elevated rights on this server.

ServerB has this same domain account “xyzweb” in its local admin group.


When joe-public accesses ServerA the anon account “xyzweb” accesses data
records from ServerB. Now this access is being done with com objects or
something of the sort.

Knowing all of this and knowing that as far as the application vendor,
this
is the only way it will work….lets discuss risks:

Any comments are most appreciated.


.

Relevant Pages

  • Re: Domain Account used for IIS6 Anonymous Account Risks?
    ... Well the most obvious risk is that IIS knows the password for the xyzweb account. ... If someone can get IIS to execute arbitrary code then IIS can connect to serverB using the domain\xyzweb account, and that account has full privileges on serverB ...
    (microsoft.public.inetserver.iis.security)
  • RE: SQL Mail
    ... For SQL Mail to work, you need to have the service running under a domain ... Unless it is a domain account, ... > need to be able to send email via SQL from ServerB to ServerA. ...
    (microsoft.public.sqlserver.server)
  • Re: SQL Mail
    ... local account syncd with same password as domain account.. ... I have another mailbox on the domain XXX called pete.. ... > need to be able to send email via SQL from ServerB to ServerA. ...
    (microsoft.public.sqlserver.server)
  • Re: Domain Account used for IIS6 Anonymous Account Risks?
    ... In general there aren't any "known" vulnerabilities in Windows, IIS or probably your application that haven't been patched. ... but unless the vendor can explain why the application needs Administrator privileges, your answer should be that your security policy calls for least privilege, and the vendor should tell you what the actual privileges required of the application are. ... some of their own webpages) then IIS can connect to serverB using the ... domain\xyzweb account, and that account has full privileges on serverB ...
    (microsoft.public.inetserver.iis.security)
  • RE: Copy Database Wizard Fails to Copy Files
    ... I had the exact same problem until I executed the package under an account ... Regards, ... > simple table) on ServerA to ServerB. ... > Put the database Test in single user mode.......Ok ...
    (microsoft.public.sqlserver.dts)