[Dshield] Re: Dshield digest, Vol 1 #193 - 14 msgs

Paul M. Puccinelli ppuccinelli at petkevich.com
Thu Aug 9 17:22:57 GMT 2001


I believe you have to manually choose it on W2K Professional.  I checked
a few machines here - Dells with factory installs - and none had IIS
running.

-----Original Message-----
From: Josh [mailto:Josh at raintreeinc.com] 
Sent: Thursday, August 09, 2001 8:49 AM
To: dshield at dshield.org
Subject: [Dshield] Re: Dshield digest, Vol 1 #193 - 14 msgs


Date: Wed, 08 Aug 2001 16:28:03 -0500
To: dshield at dshield.org
From: "Jonathan G. Lampe" <jonathan at stdnet.com>
Subject: Re: [Dshield] Short story/Code Red question
Reply-To: dshield at dshield.org


>Now the question. I called the user to advise he was infected. He had a
>vanilla W2k machine and didn't bother to patch it since he didn't think
>IIS was on. I've read it's on by default. But, not the whole IIS
>package, I can't believe that.... Haven't tried it myself.... What's
>the real answer?

None of my installations of W2k Pro had IIS installed unless I
specifically installed it after the original installation of the OS, but
it's been a while since I did an install, and I have the time-consuming
but beneficial habit of doing custom installations of everything I
install whenever I get the chance -- perhaps I just don't like labelling
myself as either Typical or Recommended for Most Users :-) -- so I might
have just turned it off. Anyway, if memory serves, IIS does not install
by default with w2k pro.

Josh Tolley

>On m$ w2k SERVER or ADVANCEDSERVER IIS is indeed installed by default.
>(You need to UNCHECK a box during the install to not install
>IIS.)  The good news is that IIS does not seem to install by default on
>w2k WORKSTATION, er.. PROFESSIONAL.  (Anyone know about m$ Personal Web
>Server or whatever the limited variant of IIS is?)
>
>When you install IIS you generally get an admin and a sample area by
>default, but these are (I think) restricted to 127.0.0.1 access out of
>the box.  (Finally?!)  Unfortunately however the wwwroot area is public
>and available to the whole world, and if you can get to that...well you
>know the rest.
>
>BTW, ALL shipping extensions (including .ida and .idq) are turned on by
>default - that's the other half of the reason that Code Red is as
>successful as it is.  If you look back on the posts, you'll even see a
>cautionary tale from a reader who decided to plug his IIS box into the
>network before config'ing.  (Less than five minutes after plugging in
>his brand new machine was attacking other boxes.)
>
>- Jonathan Lampe - Standard Networks, Inc. - 608.227.6100 -
>jonathan at stdnet.com -
