Anonymous access Vulnerabilities

I am trying to dig up any documented issues where having IIS sites set for anonymous access causes the webs or server to be more vulnerable to attack. From what I can tell, if an attacker penetrated your firewall and got in, all he would be able to do (for the most part) is browse anonymous sites and possibly gain knowledge to do much more than that by doing so. I am a fan of NT Challenge Response basically because it allows you to track who is accessing the sites and it requires any potential hacker to not be able to rely on the availability of the anonymous user. So unless he has a valid domain ID and is in the Domain Users group, he is out of luck when it comes to browsing sites. What I need is some information that illustrates this being a vulnerability so that I have something to reference in my documentation that shows that this is not just personal preference.

On Fri, 1 Apr 2005 14:59:02 -0800, "Jayhawktuba" <Jayhawkt***@discussions.microsoft.com> wrote:

> I am trying to dig up any documented issues where having IIS sites set for
> anonymous access causes the webs or server to be more vulnerable to attack.

Uhhh.... More vulnerable than what? Than a site with security? Seems like a "well duh..." answer to me.

> From what I can tell, if an attacker penetrated your firewall and got in,
> all he would be able to do (for the most part) is browse anonymous sites and
> possibly gain knowledge to do much more than that by doing so.

First, anyone can browse anonymous sites. Period. Without "penetrating" the firewall. That's what anonymous means. Second, if your firewall is penetrated then you need to worry about your firewall security, not whether your web server allows anonymous access.

> I am a fan of NT Challenge Response basically because it allows you to track
> who is accessing the sites and it requires any potential hacker to not be able
> to rely on the availability of the anonymous user. So unless he has a valid
> domain ID and is in the Domain Users group, he is out of luck when it comes
> to browsing sites. What I need is some information that illustrates this
> being a vulnerability so that I have something to reference in my
> documentation that shows that this is not just personal preference.

Ah, but it *is* a personal preference. Anonymous access is designed to allow anonymous users to access the site. That means they are anonymous. They don't log in. There's no account/password required. If you want a secure site with account/password access, you don't use anonymous. If you want anonymous access and no need for login, then you use anonymous. It's not a decision to use one or the other to change vulnerability to attack, it's a functional design for operation of the web site.

Jeff

I think that you missed what I was asking. You always need to research the "what ifs" in regards to what someone can do once they infiltrate your network. There are many ways that this can happen. The most common method is to send an email with an infected attachment in hopes that one person uses poor judgement and opens it. I am wanting to find out ANY vulnerabilities in anonymous access, not just what happens if someone hacks in through the firewall.

You said...

> First, anyone can browse anonymous sites. Period. Without
> "penetrating" the firewall. That's what anonymous means

Really NOW... SO.. if there is an internal site and it is inside of my firewall and the site is anonymous, then someone from the outside can access that site without penetrating the firewall? Sounds like a physical impossibility to me. Anonymous access just merely means that the site is wide open "IF" someone can get to it. Since our internal sites are protected by a firewall, we are just trying to find out if the server is any more vulnerable by making sites accessible via anonymous access than if NT Chall Resp were used. PERIOD.

Also, are you saying that we should JUST worry about our firewall and nothing else? That we should just leave it up to the firewall to provide us with every bit of our security? WOW.. better tell MS that all of these patches and hotfixes of theirs are just a waste of time because if someone were to penetrate the firewall, we should just worry about our firewall.

If you are going to try to assist someone, then politely give them the info that they ask for, but please leave the sarcasm and ego at home.

"Jayhawktuba" <Jayhawkt***@discussions.microsoft.com> wrote in message news:6AC41B6A-948B-4B03-90D8-C849CF1C16E7@microsoft.com...
> I think that you missed what I was asking. You always need to research the
> "what ifs" in regards to what someone can do once they infiltrate your
> network. [...]

I think what Jeff's trying to say is that an "anonymous access" site and a "site that requires authentication" are two completely different things.

For example, if you go and visit www.microsoft.com, then you don't need to provide a username/password. It's a site that allows anonymous access.

On the other hand, if you have some kind of internal application and you need to restrict the users who can use it, then "yes" you should have some kind of authentication/authorization system. You could either "roll your own" (e.g. authentication where a user types a username/password into an HTML form, and you use server-side technology like ASP/ASP.NET to implement the security system), or you can use HTTP based authentication (Kerberos, NTLM, Basic, Digest etc). You could also use "machine" authentication, by creating allowed/denied sets of IP addresses (in the case that you don't need client user authentication) whereby the IP addresses of allowed machines can connect, but others (e.g. of your firewall, and all machines outside your firewall) can not connect.

Basically, allowing "anonymous access" isn't a security risk per se. Only sites where anyone can view everything should be set up with "anonymous access" allowed. If your site does require authentication or authorization, then allowing "anonymous access" is a misconfiguration and is definitely a security issue. It's a bit like setting up an anonymous public FTP site. If the site is really an anonymous public FTP site, then allowing anonymous access doesn't present any security issues. However, if it isn't really an anonymous public FTP site, then allowing anonymous access is a misconfiguration, and is a security issue.

Does that help?

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Ken Schaefer" wrote:
> I think what Jeff's trying to say is that an "anonymous access" site and a
> "site that requires authentication" are two completely different things. [...]

Ken,

Yes.. that is very well put. I think that any corporation who values the privacy and integrity of their data needs to require all users to have a valid domain account. The chances of anyone infiltrating our network and subsequently browsing our intranet are small, but NTLM is just good practice to use. I am typing up some documentation for us to keep on hand regarding NTLM vs Anonymous access because we need to have a company standard regarding "what method of authentication we need to utilize," and why we want to use it or ban it. Thanks for the very well worded response.. Take care..

Rob
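Ken's point is that the risk is not anonymous access itself but anonymous access left enabled on a site that is supposed to require a domain account, and Rob's company standard is only useful if someone checks that sites actually match it. The Python below is an added example, not code from this thread or from Microsoft: it sends a request with no credentials, reads what the server demands, and compares that against a written policy table. It relies on how IIS answers an unauthenticated client (a 200 with content when anonymous access is enabled, which IIS tries first even when NTLM is also on; a 401 with WWW-Authenticate: Negotiate/NTLM for integrated authentication; Basic or Digest challenges for those schemes; a 403 when an IP restriction rejects the client). The hostnames, the policy table and the sample responses are constructed for the example; `probe()` is the live variant and is not used by the sample run.

```python
# Added example (not from the thread): audit sites for the misconfiguration Ken
# describes, a site that should require authentication but answers anonymously.
# Hostnames, the POLICY table and SAMPLE_RESPONSES are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass
from http.client import HTTPConnection
from typing import Iterable


@dataclass(frozen=True)
class Observation:
    """What the server sent back to a request that carried no credentials."""
    status: int
    schemes: tuple[str, ...]  # WWW-Authenticate scheme names, e.g. ("Negotiate", "NTLM")


def parse_www_authenticate(headers: Iterable[tuple[str, str]]) -> tuple[str, ...]:
    """Collect scheme names from every WWW-Authenticate header.
    IIS sends one header per enabled scheme (Negotiate, NTLM, Basic realm="...",
    Digest ...); only the leading token of each header is the scheme name."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.append(value.strip().split(None, 1)[0])
    return tuple(schemes)


def classify(obs: Observation) -> str:
    """Map an unauthenticated response to the access mode the site effectively has."""
    if obs.status in (200, 301, 302, 304):
        # Content served with no challenge: anonymous access is on.  IIS tries
        # anonymous first, so this is what you see even if NTLM is also enabled.
        return "anonymous"
    if obs.status == 401:
        lowered = {s.lower() for s in obs.schemes}
        if lowered & {"negotiate", "ntlm"}:
            return "integrated"  # Kerberos/NTLM, the "NT Challenge Response" of the thread
        if lowered & {"basic", "digest"}:
            return "basic-or-digest"
        return "challenge-unknown"
    if obs.status == 403:
        return "denied"  # e.g. an IP/domain restriction rejected this client
    return f"other-{obs.status}"


def audit(policy: dict[str, str], observed: dict[str, Observation]) -> list[str]:
    """One finding per site whose effective mode contradicts the written policy.
    Policy values: "integrated" (domain account required) or "anonymous" (public)."""
    findings = []
    for site, expected in policy.items():
        obs = observed[site]
        actual = classify(obs)
        if expected == "integrated" and actual == "anonymous":
            findings.append(f"{site}: serves content anonymously but policy requires integrated auth")
        elif expected == "integrated" and actual == "basic-or-digest":
            findings.append(f"{site}: challenges with {'/'.join(obs.schemes)} instead of Negotiate/NTLM")
        elif expected == "anonymous" and actual != "anonymous":
            findings.append(f"{site}: policy says public but the server answered {obs.status}")
    return findings


def probe(host: str, path: str = "/", port: int = 80) -> Observation:
    """Live check: one GET with no credentials (not exercised by the sample run)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": "auth-policy-audit"})
        resp = conn.getresponse()
        return Observation(resp.status, parse_www_authenticate(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses, standing in for probe() output.
SAMPLE_RESPONSES = {
    "intranet.example.local": (200, [("Content-Type", "text/html")]),
    "hr.example.local": (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    "legacy.example.local": (401, [("WWW-Authenticate", 'Basic realm="legacy"')]),
    "www.example.com": (200, [("Content-Type", "text/html")]),
    "partner.example.local": (403, []),
}

# Constructed policy table: what each site is supposed to demand.
POLICY = {
    "intranet.example.local": "integrated",
    "hr.example.local": "integrated",
    "legacy.example.local": "integrated",
    "www.example.com": "anonymous",
    "partner.example.local": "anonymous",
}


def observe_samples() -> dict[str, Observation]:
    return {site: Observation(status, parse_www_authenticate(hdrs))
            for site, (status, hdrs) in SAMPLE_RESPONSES.items()}


def run_sample_audit() -> list[str]:
    return audit(POLICY, observe_samples())


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

On the sample data the audit flags three sites: the intranet site that still serves pages to an unauthenticated client although policy requires a domain account (Ken's misconfiguration), the legacy site that challenges with Basic rather than Negotiate/NTLM, and a supposedly public site that returns 403. The HR site, which answers 401 with Negotiate and NTLM, passes. Run against real hosts, replace `observe_samples()` with a dictionary built from `probe()` and check from a client that is not already holding a domain logon, since a browser on a domain-joined machine will silently answer the NTLM challenge and hide the difference.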