FW: PWS and IIS and W2K Pro

Schmehl, Paul pauls at utdallas.edu
Fri Aug 10 17:49:17 GMT 2001

Here's the answer to Gary's question.

Paul Schmehl pauls at utdallas.edu
Supervisor, Support Services
University of Texas at Dallas
AVIEN Founding Member

> -----Original Message-----
> From: Russ [mailto:Russ.Cooper at RC.ON.CA] 
> Sent: Friday, August 10, 2001 12:23 PM
> Subject: PWS and IIS and W2K Pro
> There's a common misconception floating around that Windows 
> 2000 Professional cannot be participating in the Code Red 
> issue. This is flat out wrong!
> Its believed that PWS (Personal Web Server) on W2K 
> Professional is somehow *not* IIS 5.0 (Internet Information 
> Services 5.0). This is flat out wrong!
> Let me try and lay this one to rest. PWS on W2K **IS** IIS 
> 5.0. The difference between these two "products" is not in 
> the code that they operate, or the features they support, its 
> strictly within the Management Interface.
> PWM, or Personal Web Manager, is an executable which provides 
> limited control over the web server. Internet Services 
> Manager is the full-blown MMC snap-in which provides all 
> control over the web server.
> Either can be used on a W2K Professional Box which has 
> installed IIS (or PWS). They can be found on such a box in 
> the following locations;
> Personal Web Manager
> %SystemRoot%\system32\inetsrv\pws.exe
> Internet Services Manager
> %SystemRoot%\System32\Inetsrv\iis.msc
> See;

or your Windows 2000 Professional documentation for a fuller

Neither PWS or IIS are installed by default on a W2K Professional
**CLEAN INSTALL**. If a Windows NT 4.0 Workstation box with Personal Web
Server installed is upgraded to Windows 2000 Professional, then by
default IIS 5.0 will be installed.

When IIS is on a W2K Professional box, by default, it has .ida and .idq
script mappings in place and IDQ.DLL is there too. So, if they aren't
patched, or the MMC Snap-in isn't used to remove the mappings (you can't
remove the mappings through PWM), then the box can be infected and will
participate in Code Red attacks.

IIS is also installed by default on W2K Professional boxes if you
install Visual Studio's Visual Interdev. Its used to test/create web

So, please stop trying to put out your internal infections by relying on
your belief in what machines are running web servers. This is clearly
not working for many companies, the root of the problem partially being
mistaken beliefs like the one above. I strongly suspect that anyone who
runs an HTTP scan against their entire network space (using something
like NetCat) is going to find at least one unexpected web server. More
often than not people are finding hundreds of them.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Version: PGP Personal Privacy 6.5.2


More information about the unisog mailing list