[Dshield] More not good stuff.

Sean Graham seangra at yahoo.com
Wed Aug 29 17:21:07 GMT 2001


When I set up my server, I did the following things:

EVERYONE gets read-only access to \
EVERYONE gets deny write access to \winnt
IUSR_<machinename> gets deny to \
IUSR_<machinename> gets readonly to \inetpub (\inetpub cannot inherit)
SYSTEM gets read-only access to \inetpub\scripts (this prohibits even the 
SYSTEM account from copying a file into that directory)
EVERYONE gets granted no access to \inetpub\scripts

That tied down things quite a bit.  There are some more, but you get the 
general idea.  This way even if there was a vulnerability, no damage could 
be done.

Here's a decent source on how to tie things down as well:

http://www.sans.org/infosecFAQ/win2000/sec_IIS.htm

-- Sean

At 06:24 PM 8/28/2001 -0400, you wrote:
>Attached is a snapshot of a log file from an IIS machine.  I have since
>denied all access to /winnt/system32 from the IUSR_machinename.  I checked out
>TFTP and CMD and found that they both had everyone full control and that has
>since been changed.  I am not going to sleep well tonight, damn it someone
>got into my system and I'm pissed.
>
>  <<log.txt>>
>
>Thanx, Paul
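
An added example, not part of either message above: a read-only PowerShell audit for the ACL problems this thread describes (Everyone with full control on cmd.exe and tftp.exe, and write access for the anonymous IIS account under the web root). The function name, the target paths and the account-name pattern are assumptions; adjust them for the host being checked.

```powershell
# Added example: read-only ACL audit. Nothing is modified.
# Assumptions: English account names ("Everyone", "IUSR" or "IUSR_<machinename>"),
# default locations for the system directory and \inetpub.

# Rights that let an account alter or replace a file, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that can
# show up on inherit-only entries.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Find-RiskyAce {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Matches "Everyone", "NT AUTHORITY\IUSR" and "<machine>\IUSR_<machine>"
        [string]$IdentityPattern = '(^|\\)(Everyone|IUSR(_.*)?)$'
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # e.g. tftp.exe not installed
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            $matches_ = $ace.IdentityReference.Value -match $IdentityPattern
            # An Allow entry is reported even when a Deny entry also applies,
            # so treat each hit as something to review, not as proof of access.
            if ($isAllow -and $canWrite -and $matches_) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Targets named in the thread: the two binaries and the web root tree.
$targets = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\tftp.exe",
    "$env:SystemDrive\inetpub"
)
if (Test-Path "$env:SystemDrive\inetpub") {
    $targets += Get-ChildItem "$env:SystemDrive\inetpub" -Directory -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object FullName
}

Find-RiskyAce -Path $targets | Format-Table -AutoSize
```

An empty result means no Allow entry with write-type rights was found for those accounts on the listed paths; access granted through other groups (for example Users or Authenticated Users) is not covered by the default pattern.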

