At 03:55 PM 4/26/98 -0700, chameleon wrote:

>4. I saw a post today I believe about someone being able to connect to a
>server with frontpage server extensions and being able to alter the page
>without any password. The reason you can do this is the NT everyone group.
>It's very common that a server with, NT4.0 server, IIS3.0 and frontpage
>server extensions installed, you can alter their webpage via frontpage
>because the everyone group is on the computer and it drops you right in.
>That shouldn't be too hard to understand. Note: Right after installation of
>frontpage server extensions on a NT4.0 IIS3.0 box it adds the everyone
>group to have access to the server via frontpage explorer etc.

This is from lameness on the part of the admin. When FP is running on NT, you have an admin.dll and an author.dll. The NTFS ACL on these DLLs sets who can do what. You typically want to make an authors group, and set permissions to the DLL for that group. If you set permissions on the DLL to give access to everyone, then everyone is an author or an admin - whatever. If the admin has also left the NTFS permissions on the web site at default, you can probably use it to insert new content, and cause various bits of mayhem.

Note that these DLLs aren't always global - there are ways to restrict certain areas by adding more DLLs and changing their permissions. See pg 371-372 in the IISRK for details.

Note - I have no idea what the default install permissions are.

David LeBlanc
dleblancat_private
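
A check for the condition described in this message, as an added example that is not part of the original post or of any FrontPage tooling: it finds files named admin.dll and author.dll under a web root and reports allow entries for the Everyone group on them. It assumes a Windows host with PowerShell 3.0 or later; the `$WebRoot` parameter and the `Get-EveryoneGrant` function name are hypothetical.

```powershell
# Added example: audit the NTFS ACLs on FrontPage extension DLLs for
# access granted to the Everyone group.
param(
    # Assumption: the caller supplies the web content root to audit.
    [Parameter(Mandatory)][string]$WebRoot
)

# Well-known SID of the Everyone group. Matching on the SID avoids
# depending on a localized or renamed group name.
$EveryoneSid = 'S-1-1-0'

function Get-EveryoneGrant {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request explicit and inherited rules with identities expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $EveryoneSid -and
            $rule.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# The DLL names come from the message; their location under the web root
# is not assumed, so the whole tree is searched.
$findings = Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in 'admin.dll', 'author.dll' } |
    ForEach-Object { Get-EveryoneGrant -Path $_.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No allow entries for Everyone on admin.dll or author.dll under $WebRoot"
}
```

An entry with `Inherited` set to `True` comes from a parent folder, so the fix belongs on that folder's ACL rather than on the DLL itself.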