Focus on Microsoft
RE: write permissions for IIS Mar 19 2003 09:17AM
busu (busu tpg com au) (1 replies)
RE: write permissions for IIS Mar 19 2003 11:32PM
lassal (lassal attbi com)
IIS is not required for ISA unless you're running an application on ISA
that requires it.

Check out www.isaserver.org for tips on hardening ISA and the Windows 2000
Server Operations Guide for hardening W2K.

At 08:17 PM 3/19/2003 +1100, busu wrote:
>Hi,
>
>I am looking to configure ISA server in reverse proxy configuration.
>Any pointers for configuration file? Also any specific lockdown of OS
>and IIS on ISA server? Thank you
>cb
>
>-----Original Message-----
>From: Deus, Attonbitus [mailto:Thor (at) HammerofGod (dot) com]
>Sent: Thursday, 18 July 2002 4:40 AM
>To: Matej Pfajfar; focus-ms (at) securityfocus (dot) com
>Subject: Re: write permissions for IIS
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>At 05:02 AM 7/17/2002, Matej Pfajfar wrote:
>
> >Hi,
> >
> >A web application that my company is developing needs to create MS Word
> >documents on the fly. It seems that these need to be saved onto disk
> >before being shoved down the pipe to the browser, which requires IIS to be
> >given write permissions to a directory that is readable from the web.
> >
> >I know this isn't quite right for security but it seems that there isn't a
> >choice - are there any extra precautions we could take? Have other people
> >found this problem as well?
>
>
>Depending on the web application configuration pooling, you could set up a
>COM+ component in Component Services to run under the context of a specific
>user - this user/process could be given write-only access to the doc
>directory but not read or execute. The IUSR account could then be given
>read-only access (specifically denying write and execute) to it to mitigate
>possible permission abuse. I think it would take some tweaking, but it is
>doable.
>
>AD
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1
>
>iQA/AwUBPTW6GYhsmyD15h5gEQLmYwCgw3LP07GaUi+fdnb6Cspg82JdJ6AAn1X+
>seYy9pU5Hmf0RoaWRSPPPv/F
>=UJR+
>-----END PGP SIGNATURE-----
>
>
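
The NTFS permission split described in the quoted reply (write-only for the COM+ identity, read-only with write and execute denied for IUSR), as an added PowerShell example that is not part of the original thread. The directory path and all account names are assumptions; the final check fails if the anonymous account is left with any allowed write or execute right.

```powershell
using namespace System.Security.AccessControl

# Added example. The path and account names are assumptions, not from the thread.
$DocDir     = 'D:\webdocs\generated'   # hypothetical web-readable output directory
$WriterAcct = 'WEB01\svc_docwriter'    # hypothetical identity of the COM+ application
$AnonAcct   = 'WEB01\IUSR_WEB01'       # hypothetical anonymous (IUSR) account

$all       = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$filesOnly = [InheritanceFlags]::ObjectInherit
$none      = [PropagationFlags]::None
$inherOnly = [PropagationFlags]::InheritOnly
$allow     = [AccessControlType]::Allow
$deny      = [AccessControlType]::Deny

$rules = @(
    # Administrative access so the directory stays manageable.
    [FileSystemAccessRule]::new('BUILTIN\Administrators', [FileSystemRights]::FullControl, $all, $none, $allow)
    [FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', [FileSystemRights]::FullControl, $all, $none, $allow)
    # COM+ identity: may create and write documents, but not read or execute them.
    [FileSystemAccessRule]::new($WriterAcct, [FileSystemRights]::Write, $all, $none, $allow)
    # Anonymous account: read only, with write explicitly denied.
    [FileSystemAccessRule]::new($AnonAcct, [FileSystemRights]::Read, $all, $none, $allow)
    [FileSystemAccessRule]::new($AnonAcct, [FileSystemRights]::Write, $all, $none, $deny)
    # Deny execute on files only (InheritOnly), so listing the directory still works.
    [FileSystemAccessRule]::new($AnonAcct, [FileSystemRights]::ExecuteFile, $filesOnly, $inherOnly, $deny)
)

$acl = Get-Acl -Path $DocDir
# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit entries left over from earlier configuration.
@($acl.Access) | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $DocDir -AclObject $acl

# Check: no Allow entry naming the anonymous account may carry write or execute bits.
$risky = [FileSystemRights]'WriteData, AppendData, ExecuteFile'
$bad = (Get-Acl -Path $DocDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $AnonAcct -and
    $_.AccessControlType -eq $allow -and
    ($_.FileSystemRights -band $risky)
}
if ($bad) { throw "Anonymous account still has write or execute rights on $DocDir" }
(Get-Acl -Path $DocDir).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights
```

The check inspects only entries that name the anonymous account directly; rights granted through a group would need a separate effective-access review.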
Copyright 2010, SecurityFocus