Bad taste to reply to my own message, I know, but I missed off another check as part of ACL setting - remove IUSR/IWAM account write access from all directories that don't explicitly need it. This is a rare occurance - document uploads and the like on website, or file attachments to web-based mail systems. > -----Original Message----- > From: Andrew Thomas > Sent: Friday, June 01, 2001 10:49 AM > Subject: RE: Rash of navy web site defacements > > > -----Original Message----- > > From: Jay D. Dyson [mailto:jdysonat_private] > > Sent: Thursday, May 31, 2001 7:36 PM > > Subject: Re: Rash of navy web site defacements > --snip-- > > Exploiting IIS isn't simply trivial. You have to tie a board > > across your butt to keep from falling in. > > As much as everyone has knocked M$ products, IIS in particular, > most of the most recently released vulnerabilities are entirely > avoidable *WITHOUT* the hotfixes in question. > > 1 - Go through the relevant MS issued security checklist (Securing > IIS4 or IIS5) > 2 - Set ACL's sensibly: why would IUSR/IWAM accounts need to execute > anything in the winnt\system directory, or most places for > that matter? > 3 - remove extension mappings for handlers you don't need > 4 - remove virtual directory mappings you don't need/the like > (/msadc, /scripts, ...) > > With these steps, while I remain open to correction, I don't see how > any of the unicode, cgi double-decode or recent .printer overflows > would have been easily exploitable.
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:54:20 PDT