
Domain Account used for IIS6 Anonymous Account Risks?

Author
16 Mar 2009 2:53 PM
gdknox
Here is the situation:

Two servers: ServerA is an IIS6 server;
ServerB is an application server with a DB.

ServerA sits in public IP space, ServerB is in private with an access list
on a router allowing the two to communicate.


ServerA is using a domain user account say “xyzweb” for the IIS Anonymous
user and has no elevated rights on this server.

ServerB has this same domain account “xyzweb” in its local admin group.


When joe-public accesses ServerA, the anon account “xyzweb” accesses data
records from ServerB. Now this access is being done with COM objects or
something of the sort.

Knowing all of this, and knowing that, as far as the application vendor is
concerned, this is the only way it will work... let's discuss risks:

Any comments are most appreciated.

Author
18 Mar 2009 7:16 AM
Ken Schaefer
Well, the most obvious risk is that IIS knows the password for the xyzweb
account. If someone can get IIS to execute arbitrary code (e.g. by uploading
some of their own webpages) then IIS can connect to serverB using the
domain\xyzweb account, and that account has full privileges on serverB.

Cheers
Ken


Author
19 Mar 2009 12:36 AM
gdknox
Ken,

Thank you for your comment. Can you direct me to where I can obtain further
information, examples of exploitation? Horror stories, etc.?

This is definitely not my idea of a secure transaction environment, but I am
losing the battle with the vendor, who says that this is the "only" way their
application will run.



Author
22 Mar 2009 9:56 AM
Ken Schaefer
Hi,

In general there aren't any "known" vulnerabilities in Windows, IIS or
probably your application that haven't been patched. But that said, there
are always vulnerabilities coming up. Or alternatively someone may be able
to guess a password, or something might be misconfigured, or someone who has
internal access (e.g. an employee) might take advantage of their knowledge,
or whatever.

As the purchaser, you're entitled to ask "why" the application needs to be
configured this way. Generally, an application that needs to connect to a
database might need "datareader" and "datawriter" permissions to the actual
database (and execute permissions on stored procedures). Possibly it might
even need DBO (database owner) permissions on a single database. But unless
the vendor can explain why the application needs Administrator privileges,
your answer should be that your security policy calls for least privilege,
and the vendor should tell you what the actual privileges required of the
application are.

Cheers
Ken


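The least-privilege grant Ken describes, written out as T-SQL for SQL Server. This is an added example, not code from the thread, the vendor or Microsoft; the database name AppDb, the domain name CONTOSO and the dbo schema are assumed placeholders to replace with your own. It gives the domain account the datareader/datawriter roles and EXECUTE on stored procedures, then queries what the account actually holds so the result can be checked against what the vendor claims to need.

```sql
-- Added example (not from the thread): grant DOMAIN\xyzweb only what a data
-- access account normally needs on SQL Server, instead of local Administrator.
-- Assumptions: SQL Server on ServerB, database [AppDb], domain [CONTOSO],
-- stored procedures living in schema [dbo]. All three are placeholders.

USE [master];
GO
-- Server-level login for the domain account. No server roles: in particular
-- it is NOT added to sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\xyzweb')
    CREATE LOGIN [CONTOSO\xyzweb] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

USE [AppDb];
GO
-- Database user mapped to that login, scoped to this one database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\xyzweb')
    CREATE USER [CONTOSO\xyzweb] FOR LOGIN [CONTOSO\xyzweb];
GO

-- Read and write on tables and views only: the "datareader" / "datawriter"
-- permissions Ken mentions. (sp_addrolemember is the SQL 2005/2008-era call.)
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\xyzweb';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\xyzweb';

-- Execute permission on stored procedures, granted at schema scope so that
-- procedures added later in dbo are covered without a new GRANT each time.
GRANT EXECUTE ON SCHEMA::[dbo] TO [CONTOSO\xyzweb];
GO

-- Verification 1: database roles the account is a member of.
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\xyzweb';

-- Verification 2: explicit permissions granted to the account in AppDb.
SELECT dp.permission_name, dp.state_desc, dp.class_desc
FROM sys.database_permissions dp
JOIN sys.database_principals p ON p.principal_id = dp.grantee_principal_id
WHERE p.name = N'CONTOSO\xyzweb';

-- Verification 3: server-level check. IS_SRVROLEMEMBER returns 1 when the
-- login is in the role; for a least-privilege data account it should not be.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\xyzweb') AS is_sysadmin;
GO
```

Run it on ServerB's SQL instance as a sysadmin and keep the three result sets as the record of what xyzweb can do at the database layer. Note that this only covers SQL permissions: membership of the local Administrators group on ServerB is a Windows-level setting and has to be removed separately, after the vendor has named whatever the COM components actually require (for example a specific DCOM launch or activation permission rather than blanket administrative rights).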