> I would argue that this is not a good way to go about
> securing your Web Server. Permissions should be set
> appropriately to prevent unauthorized access to system
> files, regardless of whether or not they come from a
> traversal attack or some other method.
While your argument is correct from a technical (and perhaps ideal)
perspective, the hard fact is that most NT sysadmins won't do this to the
degree necessary. Hell, most won't remove unnecessary ISAPI mappings! So,
from a realistic perspective, I'd argue that segregating content into
separate partitions is the kind of easy thing that sysadmins will do, and
therefore should be encouraged. Proper use of ACLs should also be
encouraged, but it's harder to do correctly, and less likely to get done at
all.
Also, an unfortunate fact about IIS is that it runs essentially as root, and
you can't change that. Therefore, unless you're willing to remove SYSTEM
permissions everywhere, if IIS is compromised by a buffer overflow which
executes code, that code may execute as root. At that point, for most
people, ACLs won't matter too much. If I recall correctly, eEye came out
with a sample IIS exploit which would essentially run a root shell to pull a
file from a public server via FTP. It would be trivial, with the exploit
source, to modify the exploit so that, rather than pulling a file, it pushes
files to remote servers.
Good security requires a layered approach. You don't want to put all your
eggs in one basket, and you want to make things as difficult as possible for
an attacker at each step. In this vein, using separate partitions certainly
can't hurt anything, and may prevent a successful attack.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
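The partition argument above, as an added example that is not part of Dave Watts' post or of any IIS code: a few lines of Python that use `ntpath` to show what a plain `..` traversal resolves to when the web root sits on the system drive versus on a separate partition, beside the containment check the post says most admins never get around to. The web roots, the miniature filesystem and the request path are all constructed for the demonstration; the unicode/encoding variants of the real IIS traversal bugs are not modelled here, only the path-walking that makes them dangerous.

```python
import ntpath

# Constructed miniature NT filesystem (not a real host): the OS lives on C:,
# and we compare a web root on that same drive against one on D:.
FAKE_FS = {
    r"C:\winnt\system32\cmd.exe",
    r"C:\winnt\repair\sam",
    r"C:\inetpub\wwwroot\default.htm",
    r"D:\inetpub\wwwroot\default.htm",
}


def resolve(webroot, url_path):
    """Map a request path onto the filesystem the way a traversal-blind
    server does: join it under the web root and normalise, so that every
    '..' segment walks one directory upward. ntpath.normpath never crosses
    a drive letter, which is exactly why the separate-partition advice
    works: surplus '..' segments are simply dropped at the drive root."""
    rel = url_path.lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(webroot, rel))


def naive_serve(webroot, url_path):
    """Return the file a naive server would open, or None if it is absent."""
    target = resolve(webroot, url_path)
    return target if target in FAKE_FS else None


def contained(webroot, target):
    """The check the post says is harder to get done: refuse any request
    whose canonical path leaves the web root (drive letter included)."""
    root = ntpath.normpath(webroot).rstrip("\\") + "\\"
    return ntpath.normcase(target).startswith(ntpath.normcase(root))


def hardened_serve(webroot, url_path):
    """Same lookup, but only after the containment check passes."""
    target = resolve(webroot, url_path)
    if not contained(webroot, target):
        return None
    return target if target in FAKE_FS else None


# Constructed request: three '..' hops climb out of \inetpub\wwwroot.
TRAVERSAL = "/scripts/../../../winnt/system32/cmd.exe"

if __name__ == "__main__":
    for root in (r"C:\inetpub\wwwroot", r"D:\inetpub\wwwroot"):
        print(root, "->", resolve(root, TRAVERSAL),
              "| naive:", naive_serve(root, TRAVERSAL),
              "| hardened:", hardened_serve(root, TRAVERSAL))
```

Run it and the same request resolves to `C:\winnt\system32\cmd.exe` from a C: web root but to a nonexistent `D:\winnt\system32\cmd.exe` from a D: web root; pile on as many `..` segments as you like and the D: root still pins the result to D:. The containment check closes the hole on either drive, which is the layered point: the partition is the cheap control, the check (or the ACLs) is the correct one, and there is no reason not to have both.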