The one thing that is missing from that checklist is removing the
"Everyone" group from the security settings on your drives, and only
assigning read/execute permissions to the "guests" group on the necessary
directories.  I haven't pinpointed the exact directories/files that the
guests need access to.  Obviously /inetpub but also /cfusion (I think)
and /winnt.

It's a little absurd that M$ has given the everyone group so much power.

Steve

Dave DeVol wrote:
> 
> Nice List. Thanks Steve!
> ----- Original Message -----
> From: "Steve Nelson" <[EMAIL PROTECTED]>
> To: "Fusebox" <[EMAIL PROTECTED]>
> Sent: Wednesday, January 31, 2001 1:59 PM
> Subject: Re: Security Warning Update
> 
> > Go through this checklist:
> > http://www.microsoft.com/technet/security/iischk.asp
> >
> > It's for IIS 4, but much of it is still insecure with IIS 5
> >
> > Steve
> >
> > "McCollough, Alan" wrote:
> > >
> > > Well, I tried the ol' +.htr trick on secretagents.com, and it's blocked. So
> > > much for that! Darn folks, implementing security, whadda y'all afraid of
> > > anyway???
> > >
> > > Alan McCollough
> > > Web Programmer
> > > Allaire Certified ColdFusion Developer
> > > Alaska Native Medical Center
> > >
> > > > -----Original Message-----
> > > > From: Steve Nelson [SMTP:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, January 31, 2001 8:46 AM
> > > > To:   Fusebox
> > > > Subject:      Re: Security Warning Update
> > > >
> > > > I've been setting mine in the ODBC connection.  I've seen so many holes
> > > > in IIS that allow you to read a cfm page, I'll never put my
> > > > username/password in the code.
> > > >
> > > > You could always set up the CF administrator so it is only accessible
> > > > from 127.0.0.1; that way someone has to be physically at the computer to
> > > > access the ODBC connections, AND they have to know the password to get
> > > > into the admin, and even after that, they wouldn't have direct access to
> > > > the password of the connection.
> > > >
> > > > I'm pretty sure that's stored in the registry, which offers another
> > > > interesting issue.  Make sure you turn off the "remote registry"; I
> > > > imagine there could be a security hole there.
> > > >
> > > > Steve
> > > >
> > > > Marc Funaro wrote:
> > > > >
> > > > > DaveD,
> > > > >
> > > > > Where should one set the usernames and passwords for databases -- in the
> > > > > ODBC connection on CF Server?  I thought that was a security risk too...
> > > > >
> > > > > Always felt a little uninformed on this -- I welcome clarification!
> > > > >
> > > > > Thanks for the update and info!
> > > > >
> > > > > Marc
> > > > >
> > > > > -----Original Message-----
> > > > > From: daved [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Tuesday, January 30, 2001 12:57 PM
> > > > > To: Fusebox
> > > > > Subject: Security Warning Update
> > > > >
> > > > > I know this security warning was posted back in May of 2000 but I think it
> > > > > needs to be readdressed.
> > > > > After installing the "+.htr" patch on our NT4.0 server back in May,
> > > > > everything was good. However, in January 2001 we upgraded to Windows 2000
> > > > > server and IIS5. At the time I wasn't thinking of going back and reviewing
> > > > > old patches. You'd assume these would be fixed in new releases or service
> > > > > packs. I was wrong and the +.htr problem still exists, and when migrating
> > > > > your server to Windows 2000, you'll need to reapply the patch. Everyone who
> > > > > has upgraded should check their site. I've noticed quite a few sites that
> > > > > still have this hole.
> > > > >
> > > > > Other things I've noticed and would like to comment on:
> > > > >   a.. Don't supply usernames and passwords to databases (or anything) in
> > > > > your code because if your code does get exposed, these will be available to
> > > > > the world.
> > > > >   b.. Don't rely on cfencrypt to secure your code because there are decrypt
> > > > > utilities available.
> > > > >   c.. Don't allow for "free" input into your cfqueries; validate user input.
> > > > >   d.. Check for referrer in action type forms. i.e.: I have a login.cfm page
> > > > > that posts to an authenticate.cfm page. Make sure that the authenticate.cfm
> > > > > page only takes input from your server and the login.cfm page. If you don't,
> > > > > people will be able to write their own login.cfm page on another page and
> > > > > post to your authenticate.cfm page.
> > > > >   e.. Check that you have an IP address to send debug info to or someone can
> > > > > type ?mode=debug in the URL to pick up valuable info about your site.
> > > > >   f.. Don't end your files with anything but cfm. I've noticed people ending
> > > > > their include files with things like .inc or .h. These will not get
> > > > > processed and a user who goes to it directly will see the code.
> > > > >
> > > > > Allaire has released some good stuff on this at:
> > > > > http://www.allaire.com/developer/securityzone/
> > > > >
> > > >
> > >
> >
>
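Items c and d of daved's list above (no "free" input into cfqueries; only accept posts to authenticate.cfm that come from your own login.cfm) as an added ColdFusion example. This is not code from the thread or from Allaire; the datasource name mydsn, the users table, the host name www.example.com and the home.cfm landing page are assumed for illustration, and the Session scope assumes session management is enabled in Application.cfm.

```cfml
<!--- authenticate.cfm (added example, not from the thread): receives the POST
      from login.cfm. The datasource "mydsn", the "users" table, the host name
      www.example.com and home.cfm are assumed for illustration. --->

<!--- Item d: only accept posts that came from our own login.cfm page.
      CGI.HTTP_REFERER is an empty string when the client sends no Referer. --->
<cfif NOT FindNoCase("http://www.example.com/login.cfm", CGI.HTTP_REFERER)>
    <cfabort showerror="This page only accepts input from login.cfm">
</cfif>

<!--- Give the form fields a default so a missing field cannot throw an error
      that leaks a stack trace. --->
<cfparam name="Form.username" default="">
<cfparam name="Form.password" default="">

<!--- Item c: never build the WHERE clause from "free" input such as
      WHERE username = '#Form.username#' ; a quote character typed into the
      field becomes part of the SQL. Bind each value with cfqueryparam so the
      driver treats it as data only, and cap its length to match the column. --->
<cfquery name="getUser" datasource="mydsn">
    SELECT user_id
    FROM   users
    WHERE  username = <cfqueryparam value="#Form.username#"
                                     cfsqltype="CF_SQL_VARCHAR" maxlength="50">
    AND    password = <cfqueryparam value="#Form.password#"
                                     cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</cfquery>

<!--- Exactly one matching row means a valid login; anything else is refused
      with a generic message so the response does not say which field was wrong. --->
<cfif getUser.RecordCount EQ 1>
    <!--- Assumes sessionmanagement="yes" in Application.cfm --->
    <cfset Session.userID = getUser.user_id>
    <cflocation url="home.cfm" addtoken="no">
<cfelse>
    <cfabort showerror="Login failed">
</cfif>
```

The cfqueryparam binding is the control that actually stops a crafted username from rewriting the query; the referrer check follows the thread's suggestion, but the Referer header is supplied by the client and can be omitted or altered, so treat it as a sanity check on where posts come from rather than as authentication. The password comparison is written the way the thread's era did it; a stored password hash would be compared in the same bound-parameter style.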
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
