I've been doing some work with automatic administration of IIS 4.0 on Windows NT 4/SP4 over the last couple of days, and noticed a security problem. If I create an IISWebVirtualDir (sorry, don't have the machine in front of me at the moment, so my spellings/names might be wrong), I can set a username and password with which the directory will be read (which is handy for reading directories that the webserver otherwise wouldn't have access to). The IIS Programmer's Guide states that the password is stored encrypted in the metabase, when it's actually stored as plaintext---a security problem if you can dump the metabase data by other means, as you'll get plaintext valid user IDs and passwords. This seems like MS trying to cover up an obvious security problem by incorrect documentation. Of course, given the other hoops I've needed to jump through to get what should be a relatively simple admin task done automatically, I wasn't really surprised.

--
Adam Sampson
azzat_private

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:43 PDT