localstart.asp vulnerability

We have been having a problem with a repeat vulnerability on one of our IIS 6.0 boxes:

---------
Vulnerability Identified: IIS localstart.asp Authentication Prompt

Severity: Medium

Description: The Microsoft IIS server has a localstart.asp file and it is protected by NTLM authentication.

Impact: A remote web client who requests the localstart.asp file will be prompted by the WWW-Authenticate: NTLM mechanism for authentication credentials for the web server. Attackers may leverage this authentication mechanism in a brute force authentication attack.
------------

Recommendation: If maintaining this file is not needed for normal business operations, Verizon Business recommends deleting it from the web server so attackers cannot use it to launch brute force authentication attacks against it.

One of my coworkers attempted the recommended solution and removed localstart.asp, but it looks like the file is still there. Does anybody have a suggestion for getting rid of this for good? Default Site is not being used (currently in a stopped state). Is it possible to just delete the entire site? All the other active sites are hosted in a completely different inetpub location.

Thanks for taking the time to read this!

Adam

If the website is not started, then there is no possibility of a brute force attack. Deleting the file using Explorer still leaves the relevant metabase entry - there is no possibility of compromise because any request for the file will result in a 404 (File Not Found), but your analysis tool is probably investigating what settings are in the metabase. If you delete the metabase entry the warning will probably go away. You can delete the website as well, and that will make the warnings go away.

Cheers
Ken

"Adam" <A***@discussions.microsoft.com> wrote in message news:6B4212A1-AF8B-4D90-9FC0-D1A9AFD077D4@microsoft.com...
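The scanner's finding is a client-side observation: a GET for /localstart.asp answered with 401 and a WWW-Authenticate: NTLM (or Negotiate) challenge. The quickest way to tell whether deleting the file, the metabase entry or the whole site actually closed it is to repeat that request from the same vantage point as the scanner and look at the status and challenge headers. The following is an added example, not code from the thread or from Microsoft; the host, port and the two sample responses are constructed here and are not captures from the poster's server.

```python
"""Added example: classify the server's answer for /localstart.asp the way
the scanner does.  A 401 carrying an NTLM or Negotiate challenge is the
reported finding; a 404 is what Ken expects once the entry is gone."""
import http.client

# Challenge schemes that mean "the server is prompting for Windows credentials".
PROMPT_SCHEMES = ("ntlm", "negotiate")


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...]).
    Header names are lower-cased and repeated headers are all kept, because
    IIS sends one WWW-Authenticate line per scheme it offers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify(status: int, headers):
    """Return 'ntlm-prompt' (finding still present), 'gone' (404),
    'served' (file delivered anonymously) or 'other'."""
    challenges = [v for n, v in headers if n == "www-authenticate"]
    if status == 401 and any(
        c.split(" ", 1)[0].lower() in PROMPT_SCHEMES for c in challenges
    ):
        return "ntlm-prompt"
    if status == 404:
        return "gone"
    if status == 200:
        return "served"
    return "other"


def probe(host: str, port: int = 80, path: str = "/localstart.asp",
          timeout: float = 5.0):
    """Live check against a server you are authorised to test.  The host
    name, port and path are whatever the scanner was pointed at."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = [(n.lower(), v) for n, v in resp.getheaders()]
        return classify(resp.status, headers)
    finally:
        conn.close()


# Constructed sample responses (assumptions, not captured from a real box):
# what an IIS 6.0 server answers before and after the entry is removed.
STILL_PROMPTING = (b"HTTP/1.1 401 Unauthorized\r\n"
                   b"Server: Microsoft-IIS/6.0\r\n"
                   b"WWW-Authenticate: Negotiate\r\n"
                   b"WWW-Authenticate: NTLM\r\n"
                   b"Content-Length: 0\r\n\r\n")
GONE = (b"HTTP/1.1 404 Not Found\r\n"
        b"Server: Microsoft-IIS/6.0\r\n"
        b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", STILL_PROMPTING), ("after", GONE)):
        print(label, classify(*parse_raw_response(raw)))
```

Run probe() against the scanned address after each remediation step rather than trusting the file system view: the file being absent from Explorer says nothing about what the HTTP listener on that IP and port returns. If the thread's advice is followed with the stock IIS 6 admin scripts, the per-file node and the whole site would be removed with cscript adsutil.vbs DELETE W3SVC/1/ROOT/localstart.asp and cscript iisweb.vbs /delete "Default Web Site" respectively; the site identifier 1 and the node path are assumptions about a default installation, so confirm them with cscript adsutil.vbs ENUM W3SVC/1/ROOT first. The finding is only closed when the classification is no longer 'ntlm-prompt'.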