FSO exploit (IIS Server Security archive, April 2005)
Hi,
My server was hacked over this weekend using the FSO exploit. It is sad that
by uploading one simple asp file to one website in a server, a hacker can
access the whole machine, both drive C and drive D. Well, I should have played
around with the IUSR permissions, not allowing it to access drive C where web
files are not kept; however most sites hosted on my server require both read
and write access, giving the hacker the privilege to do anything he/she wants.
I thought of unregistering the FSO component but many sites use the
Dictionary object which would also be disabled. I am really stuck and cannot
find a solution.
Has anyone come up with a solution? I have limited hackers' access to many
areas by disabling IUSR access; however many folders still need IUSR to write
to them. Also this asp file can see inside Access databases too, which is
frightening.
Ken Schaefer 2005-04-20, 2:59 am
You need to create a custom Anonymous User account for each website. That
account should have Read/Write permissions for that individual website
*only*, and not any other website. That way a customer can write content to
their own website, but can't write any content to any other website -or-
read any content from any other site. Additionally you can restrict that
account's permissions to other parts of the system as well.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Savas" <Savas@discussions.microsoft.com> wrote in message
news:FBD46A3D-E1C0-498C-8FA9-35194391BFE1@microsoft.com...
Thanks for the information. One thing that I do not understand: if I do not
give write access to the general IUSR, how can site visitors use pages that
require writing to a folder?
I mean, where do I put this user information so the browser can access that
website with read/write access? I hope I made my question clear.
"Ken Schaefer" wrote:
Ken Schaefer 2005-04-20, 2:59 am
Open IIS Manager, right-click on a website and choose Properties. On the
Security tab click the "Edit" button under Anonymous Authentication. There
you can supply a custom account to be used for Anonymous Access for that
website.
Then, after setting a custom account for each website (so, each website has
its own account), you need to set appropriate ACLs on the web content for
each website.
You can automate all of this with a bit of scripting. adsutil.vbs can be
used to configure the IIS stuff and xcacls can be used to configure the NTFS
permissions.
I'm pretty sure Microsoft has some hosting stuff on their website for
hosting companies to configure shared hosting securely.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
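An added example, not code from the thread, from Ken or from Microsoft, that scripts the two replies above with the tools Ken names: one anonymous account per site set through adsutil.vbs, and an NTFS ACL set through xcacls so that account can reach its own content only. It assumes IIS 6 on Windows Server 2003, adsutil.vbs under C:\Inetpub\AdminScripts, xcacls.exe (Support Tools) on the PATH, site content under D:\Sites\<name>, a known metabase site id, and the xcacls switch syntax as I recall it (check xcacls /? before use).

```batch
@echo off
rem Added example, not from the thread. One anonymous account per website,
rem bound to that site in the metabase, with NTFS rights on its own tree only.
rem Assumptions (mine): IIS 6 / Windows Server 2003, adsutil.vbs in
rem C:\Inetpub\AdminScripts, xcacls.exe on PATH, content under D:\Sites\<name>.
rem
rem Usage: mksiteuser.cmd <sitename> <metabase-site-id> <password>
setlocal
set SITE=%~1
set SITEID=%~2
set PASS=%~3
set USER=IUSR_%SITE%
set ROOT=D:\Sites\%SITE%
set ADMIN=C:\Inetpub\AdminScripts

if "%PASS%"=="" (echo usage: %~nx0 sitename siteid password & exit /b 1)
if not exist "%ROOT%" (echo no such content folder: %ROOT% & exit /b 1)

rem 1. Local account used only as this site's anonymous identity. It stays in
rem    the Users group so IIS can still read the system files it needs.
net user "%USER%" "%PASS%" /add /passwordchg:no /expires:never /comment:"anonymous user for %SITE%" || exit /b 1

rem 2. Point the site's anonymous authentication at that account (the same
rem    setting Ken describes under the Security tab in IIS Manager).
cscript //nologo "%ADMIN%\adsutil.vbs" SET W3SVC/%SITEID%/Root/AnonymousUserName "%USER%" || exit /b 1
cscript //nologo "%ADMIN%\adsutil.vbs" SET W3SVC/%SITEID%/Root/AnonymousUserPass "%PASS%" || exit /b 1
cscript //nologo "%ADMIN%\adsutil.vbs" SET W3SVC/%SITEID%/Root/AnonymousPasswordSync 0

rem 3. Replace the inherited ACL on the content tree (no /E) so the Users
rem    group, which every other site's account is also a member of, loses
rem    read access, and grant only this site's account Change (read/write).
xcacls "%ROOT%" /T /G %USER%:C Administrators:F SYSTEM:F /Y || exit /b 1

rem 4. Check: the metabase entry and the ACL should name this account only.
cscript //nologo "%ADMIN%\adsutil.vbs" GET W3SVC/%SITEID%/Root/AnonymousUserName
xcacls "%ROOT%"
endlocal
```

Run it once per site; the site id is the numeric key under W3SVC that `cscript adsutil.vbs ENUM /P W3SVC` lists. With this in place an uploaded script running as one site's account is confined by NTFS to that site's tree, whether or not FSO is registered.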
"Savas" <Savas@discussions.microsoft.com> wrote in message
news:E055976E-5C9E-4D6E-8904-62F2D9610110@microsoft.com...