> 1. Is there any current way of exploiting this vulnerability when
> there is no scripting or execution allowed?

I do not think so. The fault is in a particular ISAPI extension, msw3prt.dll, which by default is run by means of script mapping. If the mapping for this DLL is not configured, it will not be loaded, and your system is not affected. But (as it turns out) Windows may enable this mapping automagically if you have the Print Spooler service enabled. Probably the safest way is to not only disable all unused services (Print Spooler in this case), but also delete unused ISAPI DLLs.

> 2. Does a default IIS5 install allow scripting or execution? The
> reason I ask this is because I see this vulnerability as a default
> install problem mainly, and good admins removed that ISAPI scriptmap
> long ago.

IIS5 by default has scripting (i.e. ISAPI mapped extensions) enabled, execution disabled. Unfortunately it also comes with plenty of ISAPI extensions mapped by default, among them you will find such "celebrities" as .htr, .htw or .idc. Of course, the main strength of IIS (which is ASP) is also ISAPI and thus to use Active Server Pages you need scripts enabled. However, it's good practice to remove all mappings that you are not going to use. Especially, if you have no reason to use ASP then (IMHO) you may turn to some other - eventually much simpler, thus safer - HTTP server.

If you need ASP, you should put its execution separate from inetinfo.exe - as it runs under the LocalSystem account, which is definitely not safe. It's achieved by the "high isolation level" (or "high application protection") site setting, which in turn creates a COM+ application running under the IWAM_(machine) account - you may change this account to some other as well as manage its privileges. This application's process is the owner of all ASP script threads running for the specific site (however, it is still unclear to me if it applies to global.asa too).
> I am analyzing whether an IIS5 server without hotfixes/patches that
> was installed with best practices in mind is still secure, it seems

I do not think that IIS5 without hotfixes/patches is secure. Please, read carefully http://www.microsoft.com/technet/security/current.asp?productID=17&servicePackId=1 .

> separate disk partitions and removal of unneeded ISAPI extensions, a
> lot of security is added. Please email me if you have any input or
> thoughts on this.

That's true, but primarily by these means you decrease the potential breach effect, not the breach possibility itself. It's a good step, but you still need to carefully apply hotfixes for those parts of the system that remain used (and vulnerable).

Regards
B.
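The audit the reply recommends (list the ISAPI script mappings a site carries and drop the ones it does not use), as an added example that is not part of the original post or of any Microsoft tool. It works offline on a constructed list of IIS metabase ScriptMaps strings in the "extension,handler path,flags,verb,verb,..." form; on a real IIS5 box you would read the ScriptMaps property out of the metabase (adsutil.vbs or an ADSI call) and feed those strings in. The DLL names and paths in the sample are constructed, and the assumption that msw3prt.dll is reached through the .printer extension is mine; the post names only the DLL.

```python
"""Audit IIS 5 ScriptMaps entries for ISAPI mappings that can be removed.

Added example (not from the original post).  Parses metabase ScriptMaps
strings and reports mappings that the reply recommends removing when unused.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Extensions the reply calls out as shipped-by-default "celebrities"
# (.htr, .htw, .idc) plus .printer, which is the extension assumed here to
# be served by msw3prt.dll (the post names the DLL, not the extension).
REMOVE_UNLESS_USED = {".htr", ".htw", ".idc", ".printer"}
SUSPECT_HANDLERS = {"msw3prt.dll"}

# Metabase flag bits (assumption from the IIS metabase documentation):
# 1 = mapping is honoured in "Scripts only" directories,
# 4 = verify the mapped file exists before invoking the handler.
FLAG_SCRIPT = 1
FLAG_CHECK_PATH_INFO = 4


@dataclass
class ScriptMap:
    extension: str
    handler: str            # full path of the ISAPI DLL or script engine
    flags: int
    verbs: List[str] = field(default_factory=list)  # empty list = all verbs

    @property
    def checks_file_exists(self) -> bool:
        return bool(self.flags & FLAG_CHECK_PATH_INFO)


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps string: '<ext>,<handler>,<flags>[,<verb>...]'."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext, handler, flags = parts[0].lower(), parts[1], int(parts[2])
    verbs = [v.upper() for v in parts[3:] if v]
    return ScriptMap(ext, handler, flags, verbs)


def audit(entries: Iterable[str], in_use: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (extension, reason) for every mapping worth removing.

    in_use lists extensions the site genuinely needs (e.g. {".asp"}); those
    are skipped so the report only shows mappings nobody has a reason for.
    """
    keep = {e.lower() for e in in_use}
    findings = []
    for entry in entries:
        m = parse_scriptmap(entry)
        if m.extension in keep:
            continue
        # Normalise the handler to its file name so path style does not matter.
        handler_name = m.handler.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if m.extension in REMOVE_UNLESS_USED:
            reasons.append("default ISAPI mapping not needed by this site")
        if handler_name in SUSPECT_HANDLERS:
            reasons.append(f"handler {handler_name} is the DLL discussed in the thread")
        if reasons and not m.verbs:
            reasons.append("no verb list, so every HTTP verb reaches the handler")
        if reasons:
            findings.append((m.extension, f"{handler_name}: " + "; ".join(reasons)))
    return findings


# Constructed sample resembling a default IIS5 ScriptMaps list (not real data).
SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST",
    ".htw,C:\\WINNT\\System32\\webhits.dll,3",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
]

if __name__ == "__main__":
    for ext, why in audit(SAMPLE_SCRIPTMAPS, in_use={".asp"}):
        print(f"remove {ext:9s} {why}")
```

Only extensions with a named reason appear in the report, so .asp stays out as long as the site actually uses it; pass it through `in_use` to record that decision explicitly. A mapping that survives this audit is one you have consciously kept, which is also the one you must keep patched, as the reply's last paragraph points out.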
This archive was generated by hypermail 2b30 : Fri May 11 2001 - 08:57:39 PDT