[prev in list] [next in list] [prev in thread] [next in thread] 

List:       focus-ms
Subject:    RE: IIS Security
From:       "Wayne S Anderson" <waynea () avanade ! com>
Date:       2006-10-30 19:00:24
Message-ID: 425E0A476CF1DA4E967A34A904D1DB1E15859D42 () MAIL1 ! corp ! avanade ! org
[Download RAW message or body]


The IUSR_MachineName context is the anonymous context under which load 
processes run within windows.  As a comparison, let them know that they are 
essentially creating an environment where a guest account is being given 
administrative privileges and then exposed to the world.

In such a context, you can somewhat mitigate some of the risk by using 
application level firewall, alocal URI preprocessor, and being VERY careful 
that you put proper [lack of] privileges in place on the overall filesystem, 
except for specific resources which are allowed.  Your IIS configuration and 
hardening also becomes key.  Stringent monitoring will need to be in place.

Obviously, if they move forward with this configuration, make sure that 
network access control has been configured appropriately so that any 
compromise of this machine is mitigated in terms of affecting any other 
resource in the enterprise.

Realistically, they need to understand that they might as well just hand out 
administrative access to that machine or just make the IIS site run under 
administrator in the first place as there seems VERY little reason to make the 
privilege separation if you are then going to thwart it by granting the 
subordinated account administrative privilege.

Wayne S. Anderson

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of alex2@alexackley.com
Sent: Friday, October 27, 2006 8:54 AM
To: focus-ms@securityfocus.com
Subject: IIS Security

We've a vertical package that includes a web based portal.  (quite common for 
many Enterprise packages)

The problem lies in some of the requirements that the company puts on running 
this portal.

The major one is that of adding the IUSR_machinename account to the local 
admin group.
I know this is horrible, but need specific reasons why this shouldn't be done 
so that I can bring it to my boss and get it fixed.

Thanks

---------------------------------------------------------------------------
---------------------------------------------------------------------------


["smime.p7s" (application/x-pkcs7-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]