[prev in list] [next in list] [prev in thread] [next in thread]
List: focus-ms
Subject: RE: IIS Security
From: "Wayne S Anderson" <waynea () avanade ! com>
Date: 2006-10-30 19:00:24
Message-ID: 425E0A476CF1DA4E967A34A904D1DB1E15859D42 () MAIL1 ! corp ! avanade ! org
[Download RAW message or body]
The IUSR_MachineName context is the anonymous context under which load
processes run within windows. As a comparison, let them know that they are
essentially creating an environment where a guest account is being given
administrative privileges and then exposed to the world.
In such a context, you can somewhat mitigate some of the risk by using
application level firewall, alocal URI preprocessor, and being VERY careful
that you put proper [lack of] privileges in place on the overall filesystem,
except for specific resources which are allowed. Your IIS configuration and
hardening also becomes key. Stringent monitoring will need to be in place.
Obviously, if they move forward with this configuration, make sure that
network access control has been configured appropriately so that any
compromise of this machine is mitigated in terms of affecting any other
resource in the enterprise.
Realistically, they need to understand that they might as well just hand out
administrative access to that machine or just make the IIS site run under
administrator in the first place as there seems VERY little reason to make the
privilege separation if you are then going to thwart it by granting the
subordinated account administrative privilege.
Wayne S. Anderson
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of alex2@alexackley.com
Sent: Friday, October 27, 2006 8:54 AM
To: focus-ms@securityfocus.com
Subject: IIS Security
We've a vertical package that includes a web based portal. (quite common for
many Enterprise packages)
The problem lies in some of the requirements that the company puts on running
this portal.
The major one is that of adding the IUSR_machinename account to the local
admin group.
I know this is horrible, but need specific reasons why this shouldn't be done
so that I can bring it to my boss and get it fixed.
Thanks
---------------------------------------------------------------------------
---------------------------------------------------------------------------
["smime.p7s" (application/x-pkcs7-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic