FSO exploit

"Savas" <Sa***@discussions.microsoft.com> wrote in message news:FBD46A3D-E1C0-498C-8FA9-35194391BFE1@microsoft.com...

Hi,

My server was hacked over this weekend using the FSO exploit. It is sad that by uploading one simple asp file to one website in a server, a hacker can access the whole machine, both drive C and drive D. Well, I should have played around with the IUSR permissions, not allowing it to access drive C where web files are not kept; however most sites hosted on my server require both read and write access, giving the hacker the privilege to do anything he/she wants.

I thought of unregistering the FSO component, but many sites use the Dictionary object which would also be disabled. I am really stuck and cannot find a solution.

Has anyone come up with a solution? I have limited hackers' access to many areas by disabling IUSR access; however many folders still need IUSR to write to them. Also this asp file can see inside Access databases too, which is frightening.

"Ken Schaefer" wrote:

You need to create a custom Anonymous User account for each website. That account should have Read/Write permissions for that individual website *only*, and not any other website. That way a customer can write content to their own website, but can't write any content to any other website -or- read any content from any other site. Additionally you can restrict that account's permissions to other parts of the system as well.

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Savas" <Sa***@discussions.microsoft.com> wrote in message news:E055976E-5C9E-4D6E-8904-62F2D9610110@microsoft.com...

Thanks for the information. One thing that I do not understand: if I do not give write access to the general IUSR, how can site visitors use pages that require writing to a folder?

I mean, where do I put this user information so the browser can access that website with read/write access? I hope I made my question clear.

"Ken Schaefer" wrote:

Open IIS Manager, right-click on a website and choose Properties. On the Security tab click the "Edit" button under Anonymous Authentication. There you can supply a custom account to be used for Anonymous Access for that website.

Then, after setting a custom account for each website (so, each website has its own account), you need to set appropriate ACLs on the web content for each website.

You can automate all of this with a bit of scripting. adsutil.vbs can be used to configure the IIS stuff and xcacls can be used to configure the NTFS permissions. I'm pretty sure Microsoft has some hosting stuff on their website for hosting companies to configure shared hosting securely.

Cheers
Ken
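The per-site anonymous account and ACL scheme Ken describes, scripted end to end, as an added example that is not part of the thread and not Microsoft's own hosting script. It uses icacls instead of the xcacls Ken mentions (icacls ships with Windows Server 2003 SP2 and later) and adsutil.vbs for the metabase settings. Everything in `$sites`, the account names, and the path to adsutil.vbs are constructed assumptions; the audit function at the end reports any ACE on a site root that would let a page running as one site's anonymous account, such as the uploaded FSO script in the original post, read or write another site's content or Access databases.

```powershell
# Added example (not from the thread or from Microsoft): one anonymous
# account per IIS 6 website, each confined to its own web root, followed by
# an audit of every root for grants that would allow cross-site access.
#
# Assumptions (constructed for this example): adsutil.vbs is in
# C:\Inetpub\AdminScripts, icacls.exe is present (Server 2003 SP2+), and
# the site IDs and web roots in $sites are placeholders. Run elevated.

$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'

# Metabase site identifier -> web root (constructed inventory).
$sites = @{
    1 = 'D:\WebSites\example-one'
    2 = 'D:\WebSites\example-two'
}

function New-RandomPassword {
    # 32 random bytes, Base64 encoded (44 characters). The value is handed to
    # IIS and is never written to disk or logged by this script.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Set-SiteAnonymousAccount {
    param([int]$SiteId, [string]$Root, [string]$User, [string]$Password)

    # 1. Dedicated local account. Its password must never expire, otherwise
    #    anonymous access for the site stops working without warning.
    net user $User $Password /add /passwordchg:no /expires:never | Out-Null
    wmic useraccount where "name='$User'" set PasswordExpires=false | Out-Null

    # 2. NTFS: drop inherited ACEs (typically BUILTIN\Users:Read coming from
    #    the drive root) and grant only this account Modify on the tree.
    #    The inheritance break is what stops the other sites' accounts,
    #    which are ordinary members of Users, from reading this content.
    icacls $Root /inheritance:r | Out-Null
    icacls $Root /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${User}:(OI)(CI)M" | Out-Null

    # 3. IIS 6 metabase: anonymous identity for this site only. Turning off
    #    AnonymousPasswordSync makes IIS log the account on with the real
    #    password rather than the subauthentication shortcut.
    cscript //nologo $adsutil SET "W3SVC/$SiteId/Root/AnonymousUserName" $User | Out-Null
    cscript //nologo $adsutil SET "W3SVC/$SiteId/Root/AnonymousUserPass" $Password | Out-Null
    cscript //nologo $adsutil SET "W3SVC/$SiteId/Root/AnonymousPasswordSync" 0 | Out-Null
}

function Test-SiteRootIsolation {
    # Returns one line per ACE on $Root held by anything other than SYSTEM,
    # Administrators and the site's own account: broad groups such as Users
    # or Everyone, and other sites' anonymous accounts. An empty result means
    # an ASP page running as another site's account gets no access here.
    param([string]$Root, [string]$Owner)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:COMPUTERNAME\$Owner")
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Root).Access) {
        $who = $ace.IdentityReference.Value
        if ($allowed -contains $who) { continue }
        $findings += "$Root grants $($ace.FileSystemRights) to $who"
    }
    return $findings
}

$owners = @{}
foreach ($id in $sites.Keys) {
    $user = "IUSR_SITE$id"
    Set-SiteAnonymousAccount -SiteId $id -Root $sites[$id] -User $user -Password (New-RandomPassword)
    $owners[$id] = $user
}

# Audit: every line printed here is a path by which one site's anonymous
# account could read or write outside its own site.
foreach ($id in $sites.Keys) {
    Test-SiteRootIsolation -Root $sites[$id] -Owner $owners[$id]
}
```

The audit only covers the web roots; content the original poster worried about on drive C is still readable by any member of Users unless the same inheritance-break-and-explicit-grant treatment is applied there, which is the "other parts of the system" Ken refers to. Keep Access .mdb files inside the site root they belong to so they are covered by the same ACE, and re-run the audit after any manual permission change, since a single Users:Read ACE added back on one root reopens cross-site reads for every account on the box.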