[Intrusions] Would IIS auth prevent buffer overflow attacks

Josh Tolley josh at raintreeinc.com
Thu Aug 25 14:57:08 GMT 2005


Stephen Shepherd wrote:
 > If IIS authentication were enabled on a web server,
 > would it prevent buffer overflow attacks unless the
 > attacker had valid credentials?
 >
 > I would think that the web server would not process
 > the initial GET request until it had successfully
 > authenticated the client?
 >
 > Just curious if this would add any protection to a www site..
 > _______________________________________________
 > Intrusions mailing list
 > Intrusions at lists.sans.org
 > http://www.dshield.org/mailman/listinfo/intrusions
 >

The short answer is that *if* you trust your authenticated users not to 
exploit a buffer overflow (whether intentionally or otherwise), you may 
be somewhat safer by turning on some form of authentication. Since, in 
many cases, it's a bad idea to trust your users, and since it would 
probably only provide *some* security anyway, for buffer overflow 
protection specifically, authentication probably isn't a good mechanism 
to use.

I'm not an IIS guru, but for any given web server and any given web 
application it would depend on whether whatever triggers the buffer 
overflow happens in the application before the authentication happens. 
For instance, a web server implementation would, in most cases, have to 
determine what page the attacker was browsing to before checking 
credentials, assuming it is capable of providing different 
authentication realms based on what page you were looking at. If there 
were a buffer overflow in that process, authentication wouldn't help 
you. But, if there's a buffer overflow in some web application where 
authentication is controlled before the web app is even run, then you're 
probably safe from it when you turn authentication on, again provided 
you trust your users.

--
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
Office Phone: (801) 293-3090
Corporate Office: (800) 333-1033
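The ordering point in the reply above, as an added example that is not code from this thread or from IIS: a toy C request handler written in both orderings. The server has to read the request-target before it can choose an authentication realm, so in `handle_parse_then_auth` the parser runs on unauthenticated input and its own bounds checking is the only thing standing between an over-long target and a fixed buffer; in `handle_auth_then_parse` the credential gate sits in front of the parser, which is the "web app behind auth" case. Everything here is hypothetical (`has_credentials`, `extract_path`, the handler names, the 32-byte `PATH_BUF`) and the requests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer the toy server uses for the request-target (assumed). */
#define PATH_BUF 32

/* Result of handling one request. */
enum outcome {
    OUT_OK = 0,
    OUT_AUTH_REQUIRED = 1,
    OUT_PATH_TOO_LONG = 2,
    OUT_MALFORMED = 3
};

/* Hypothetical credential check: "present" if an Authorization header
 * exists. A real server would validate the credentials; only presence
 * matters for demonstrating the ordering. */
static bool has_credentials(const char *req) {
    return strstr(req, "\r\nAuthorization: ") != NULL;
}

/* Bounded parser: copies the request-target of "GET /x HTTP/1.1" into dst.
 * The unbounded form of this routine (strcpy into a fixed char[PATH_BUF])
 * is the class of defect the thread is about. Rejecting over-long targets
 * has to happen here, because in the parse-first ordering this code runs
 * before any credential check can protect it. */
static enum outcome extract_path(const char *req, char *dst, size_t dstlen) {
    const char *start = strchr(req, ' ');
    if (!start) return OUT_MALFORMED;
    start++;
    const char *end = strchr(start, ' ');
    if (!end) return OUT_MALFORMED;
    size_t len = (size_t)(end - start);
    if (len >= dstlen) return OUT_PATH_TOO_LONG;  /* would overflow dst */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return OUT_OK;
}

/* Ordering 1: the server must know the target before it can pick the
 * authentication realm, so the parser sees unauthenticated input. */
enum outcome handle_parse_then_auth(const char *req) {
    char path[PATH_BUF];
    enum outcome r = extract_path(req, path, sizeof path);
    if (r != OUT_OK) return r;  /* parser already ran; auth not consulted */
    if (!has_credentials(req)) return OUT_AUTH_REQUIRED;
    return OUT_OK;
}

/* Ordering 2: authentication is enforced before the code that handles the
 * path is reached, so an unauthenticated request never reaches the parser. */
enum outcome handle_auth_then_parse(const char *req) {
    if (!has_credentials(req)) return OUT_AUTH_REQUIRED;  /* parser skipped */
    char path[PATH_BUF];
    return extract_path(req, path, sizeof path);
}

int main(void) {
    /* Constructed requests: a normal one and one whose target exceeds PATH_BUF. */
    const char *normal = "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n";
    const char *longpath =
        "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\n"
        "Host: example\r\n\r\n";

    printf("parse-then-auth, long target, no creds: %d\n",
           handle_parse_then_auth(longpath));   /* 2: parser had to cope */
    printf("auth-then-parse, long target, no creds: %d\n",
           handle_auth_then_parse(longpath));   /* 1: parser never ran */
    printf("parse-then-auth, normal, no creds:      %d\n",
           handle_parse_then_auth(normal));     /* 1 */
    return 0;
}
```

The two return codes for the over-long unauthenticated request are the whole point: in the parse-first ordering the result is `OUT_PATH_TOO_LONG`, meaning the parser was exercised by an anonymous client and only its own length check prevented a write past `path`; in the auth-first ordering the result is `OUT_AUTH_REQUIRED` and the parser never touched the input. Turning authentication on only helps with the second kind of code path, and even there only as far as you trust whoever holds the credentials.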
