Requisites for a very unsafe IIS5!
John Leerentveld 2005-03-08, 5:51 pm
Hi,
for an ethical hacking training I need to have an IIS configuration that's
very insecure, so I can test and show the vulnerability.
What should I do? Install Windows 2000 out-of-the-box without any
SPs/patches?
John
Miha Pihler [MVP] 2005-03-08, 5:51 pm
Hi John,
If you really want to teach users something, then have a fully patched
computer; then show them vulnerabilities...
I don't see much point in showing off holes that are 4 or more years old and were
patched a long time ago.
--
Mike
Microsoft MVP - Windows Security
"John Leerentveld" <john.leerentveld@carthago-ict.nl> wrote in message
news:1110291647.265077@ram.introweb.nl...
> Hi,
> for an ethical hacking training I need to have an IIS configuration that's
> very insecure, so I can test and show the vulnerability.
> What should I do? Install Windows 2000 out-of-the-box without any
> SPs/patches?
>
> John
>
Jason Brown [MSFT] 2005-03-08, 8:47 pm
Unless of course that's the point of the presentation - ongoing improvement,
the importance of patching your boxes, keeping naked installs offline,
slipstreaming patches into fresh installs to mitigate the danger from new
installs etc...
Otherwise agreed. I'd also be looking at vulnerabilities in the
application layer such as SQL injection, session hijacking, cross-site
scripting, packet sniffing and so on - they're more common than unpatched
IIS boxes by far, and easier to demo exploits on.
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:ewoPPHAJFHA.3076@tk2msftngp13.phx.gbl...
> Hi John,
>
> If you really want to teach users something, then have a fully patched up
> computer; then show them vulnerabilities...
>
> I don't see much point in showing off 4 or more years old holes that were
> patched up long time ago.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "John Leerentveld" <john.leerentveld@carthago-ict.nl> wrote in message
> news:1110291647.265077@ram.introweb.nl...
>
>
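Of the application-layer bugs Jason lists, SQL injection is the most mechanical one to put in front of a class, because the whole fault is visible in a single query string. The following is an added example, not code from this thread or from Microsoft: a login check written the way a classic ASP page of the IIS5 era concatenated Request() values into a query, placed beside the parameterised form, and run against a constructed in-memory SQLite table. Python and sqlite3 stand in for ASP and ADO here; the table, account names and payloads are hypothetical.

```python
import sqlite3
from typing import Optional

# Constructed sample data for the demonstration (hypothetical accounts).
SAMPLE_USERS = [
    ("alice", "correct horse", 1),
    ("bob", "hunter2", 0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table standing in for the training target's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def render_vulnerable_sql(username: str, password: str) -> str:
    """Assemble the query by string concatenation, the classic ASP pattern
    "... WHERE username='" & Request("user") & "'".  Returned as text so the
    class can see exactly what reaches the database engine."""
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Deliberately vulnerable login: user input becomes SQL syntax."""
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened form: bound parameters keep the input as data, whatever it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payload 1: close the string literal, then comment out the password check.
INJECTED_USER = "alice' -- "
# Payload 2: tautology in the password field; AND binds tighter than OR, so
# every row matches and the first one comes back.
INJECTED_PASSWORD = "' OR '1'='1"


def demo() -> dict:
    """Run both versions against the same payloads; returns outcomes for inspection."""
    conn = build_db()
    return {
        "vulnerable_sql": render_vulnerable_sql(INJECTED_USER, "wrong"),
        "vulnerable_result": login_vulnerable(conn, INJECTED_USER, "wrong"),
        "vulnerable_any_user": login_vulnerable(conn, "nobody", INJECTED_PASSWORD),
        "safe_result": login_safe(conn, INJECTED_USER, "wrong"),
        "safe_any_user": login_safe(conn, "nobody", INJECTED_PASSWORD),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

For a classroom target the useful part is `render_vulnerable_sql`: print it for each payload and the audience sees the closing quote and the comment marker land inside the statement, which is the same thing that happens when an ASP page concatenates `Request("user")` into a query against SQL Server. The parameterised version needs no input filtering at all to be immune to both payloads.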
Jeff Cochran 2005-03-09, 5:57 pm
On Tue, 8 Mar 2005 15:18:19 +0100, "John Leerentveld"
<john.leerentveld@carthago-ict.nl> wrote:
>for an ethical hacking training I need to have an IIS configuration that's
>very insecure, so I can test and show the vulnerability.
>What should I do? Install Windows 2000 out-of-the-box without any
>SPs/patches?
Keep in mind that IIS security depends heavily on the security of the
underlying box and file system. Use "password" as the admin password
for example, and give all accounts full access to everything. Make
sure there is no firewall and no authentication, and that all the default
shares are there.
Though it makes for a pretty poor class since realistically you should
never come across such a setup.
Jeff