[WEB4LIB] RE: Security Holes on IIS

William Barnes wbarnes at husky.bloomu.edu
Tue May 22 12:25:06 EDT 2001


Also, if you remove all the default "applications" such as IISADMIN, IISADMPWD, IIS..., and MSDAC, you remove lots of holes.

Finally, I found if you install more than you need, you set yourself up as well.
Don't need SMTP? Don't install it.
Don't need FTP? Don't install it.
Site server?  Why ever install this?

It seems to me that IIS defaults to "loose security", and Apache seems to default to "standard security."

If you have Cold Fusion, make sure you delete that CFDOCs directory as well...  Same deal as some of the IIS holes...


Thanks!
--Bill
*******************************************
*  Bill Barnes, RHCE, CNA, MCP, A+
*  Library Network Administrator
*  Harvey A. Andruss Library
*  Bloomsburg University
*  ph: 570-389-2813
*  e-mail: wbarnes at bloomu.edu
*******************************************


>>> "Dobbs, Aaron" <DobbsA at apsu.edu> 05/22/01 11:58AM >>>
Most importantly, don't do default installs.
The majority of IIS security holes can be plugged by moving the install
folder to a folder at a different "depth" from the root (C:\) and / or
having the server redirect requests from the default web folder to a
different folder.  
-Aaron
:-)'


-----Original Message-----
From: Gimon, Charles A
To: Multiple recipients of list
Sent: 5/21/01 3:15 PM
Subject: [WEB4LIB] FW: Security Holes on IIS

Note that a lot of the known holes in IIS have historically involved either
the IIS online (web-based) Admin system or Front Page extensions. Disabling
or removing those can solve a lot of problems in one swoop--and possibly
avoid future ones as well.

Most of the unsuccessful "script kiddie" attacks that we see here involve
the iisadmin stuff.

--Charles Gimon
  Web Coordinator
  Minneapolis Public Library


> -----Original Message-----
> From: Andrew Mutch [mailto:amutch at waterford.lib.mi.us] 
> Sent: Monday, May 21, 2001 2:48 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] Security Holes on IIS
> 
> 
> If you are an administrator of a Microsoft NT 4 box running IIS 4.0, I highly
> recommend that at the minimum, you should be aware of the following resources:
> 
> 1) The Microsoft Security site with information on the latest patches for IIS
> here:
> 
http://www.microsoft.com/technet/security/ 

If you have not been keeping up with the security patches that have been
released for IIS, you are in luck as Microsoft has released a comprehensive
patch for IIS to address almost all of the patches released since SP5.

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp 

2) Microsoft makes it easy for you so that you can receive Security bulletins
automatically as soon as they are released:

http://www.microsoft.com/technet/security/notify.asp 

3) You should read this security checklist for IIS 4.0 to help you eliminate
other security vulnerabilities.

http://www.microsoft.com/technet/security/iischk.asp 

While none of this will guarantee that you won't be attacked, hacked or
otherwise compromised, it will at least save one the embarrassment of trying
to explain to the Boss why the server was hacked through a hole that has been
public knowledge for a number of months.  It has been our experience from
checking our server logs and dealing with some minor hacks that if your server
is accessible to the public, you can expect it to be under continuous attack
from various hacking-types around the world.  Most of them don't seem to know
what they are doing but don't make it easy for them.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI

Margaret Escherich wrote:

> Ugh, just discovered we have gotten this, too....
>
>  Margaret Escherich
>  Senior Librarian/Webmistress
>  Oakland Public Library
>  http://oaklandlibrary.org 
>
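
The log checking mentioned in this thread, applied to the default application paths it names, as an added example that is not part of the original messages. The sample log lines, file names and addresses are constructed, and the "msadc" spelling is an assumption (the thread writes "MSDAC").

```python
from collections import defaultdict

# Default IIS / ColdFusion paths named in the thread, lower-cased. "msadc" is an
# assumption: the thread writes "MSDAC"; both spellings are matched here.
DEFAULT_APPS = {"iisadmin", "iisadmpwd", "msdac", "msadc", "cfdocs"}

# Constructed sample in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-21 14:02:11 192.0.2.10 GET /default.htm 200
2001-05-21 14:02:40 198.51.100.7 GET /iisadmin/default.htm 404
2001-05-21 14:02:41 198.51.100.7 GET /IISADMPWD/index.htm 404
2001-05-21 14:03:05 203.0.113.4 GET /cfdocs/index.htm 200
2001-05-21 14:03:09 203.0.113.4 GET /catalog/search.asp 200
"""

def probes(log_text):
    """Yield (client_ip, uri, status) for requests into a default app path."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip directives and headerless rows
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        top = uri.lstrip("/").split("/", 1)[0].lower()   # first path segment
        status = row.get("sc-status", "")
        if top in DEFAULT_APPS:
            yield row.get("c-ip", "-"), uri, int(status) if status.isdigit() else 0

def summarize(log_text):
    """Split hits into paths that are gone (404) and paths that still resolve."""
    report = {"still_served": defaultdict(set), "not_found": defaultdict(set)}
    for ip, uri, status in probes(log_text):
        bucket = "not_found" if status == 404 else "still_served"
        report[bucket][uri.lower()].add(ip)
    return report

if __name__ == "__main__":
    for bucket, hits in summarize(SAMPLE_LOG).items():
        for uri, ips in sorted(hits.items()):
            print(f"{bucket:12} {uri:28} from {', '.join(sorted(ips))}")
```

Anything listed under `still_served` is a default directory that has not been removed yet; `not_found` entries are probes against paths that are already gone.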


