Hi,

I followed the instructions from the IMail release notes very carefully. I couldn't find the setting for running the administration without getting the login dialog box. The problem might be that we separated programs and data as far as possible. I'm not a .NET or ASP specialist, but I'm still wondering why the IIS anonymous user must have write permissions or, as somebody said, admin privileges. Isn't it true that a .NET application runs under the authority of NETWORK SERVICE?

I'm not really into hacking, but what are the consequences if the IIS anonymous user needs write access? What can a hacker do with this? Sorry for the maybe silly question, but I can't see a way to get control of a server using a browser. Of course, this might look different if a security hole is available from Microsoft, as we had in earlier days with IIS 5. Could Ipswitch explain why and where these users need privileges beyond those described in "IMail_RelNotes.htm"? I'm also wondering why "full control" is always needed instead of "change".

Tip: The Iadmin folder can additionally be protected with "IIS Password" from Troxo (http://www.troxo.com/). This tool emulates the .htaccess we all know from Linux, and it is free of charge.

--
Kind regards
--------------------------------------------
Merlin Consulting
Martin Schaible
Bahnhofstrasse 27
CH-8702 Zollikon
Phone: +41 44 391 30 00
Fax: +41 44 391 32 49
Mail: mailto:[EMAIL PROTECTED]
URL: http://www.merlinconsulting.ch
Support: http://support.merlinconsulting.ch
GPS: N47 20.235 E8 34.226
--------------------------------------------
News - New Products:
.:. NOD32 Antivirus System
.:. BlueDragon
.:. Kiwi Syslog Monitor
.:. Paessler GmbH
.:. Sawmill Loganalyzer
.:. SmarterTools
--------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Nichols
Sent: Monday, 25 September 2006 17:02
To: [email protected]
Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1

Bruce is correct. Your remotely accessible web sites and/or virtual directories should never be run with administrator privileges. If the auth popup is a problem, there is only one safe workaround: always log in to the admin from the server itself, and connect to http://localhost/iadmin . What this does is try to use the credentials of the Windows user (i.e. the console session you used to log in to Windows) if the IIS user does not have the necessary permissions. The popup would only happen if both sets don't have the permissions needed. Remotely, the auth popup is a necessary evil.

Ted Nichols
Ipswitch QA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Barnes
Sent: Sunday, September 24, 2006 8:53 AM
To: [email protected]
Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1

For security purposes, the IIS USER should NEVER have administrative privileges.

If you give the IIS user administrative privileges, you open your server up to being "managed" by every hacker that happens upon your system.

If you are going to run IMail 2006.1 on a DEDICATED BOX, then you can use IIS for the user.

If you run IMail 2006.1 on a NON-DEDICATED BOX, that is, you are also running web services on the box for web pages, you need to set up a SEPARATE USER for anonymous IMail use and give that user the necessary privileges for IMail.

If you use the standard IIS user AND have other websites running on the machine, then you are giving privileges to the other sites that no standard web access user should have, because the IMAIL user has way too many privileges to be considered secure.

SPECIAL NOTE TO THOSE RUNNING DATABASES FOR WEBSITES OTHER THAN IMAIL: If you are running BOTH IMAIL and STANDARD WEBSITES with databases, your databases are wide open to hackers because of the elevated privileges that IMAIL installs for the IIS user. If you are running any kind of SECURE DATABASES or SECURE WEBSITES, you are opening yourself up to even bigger problems.

On a properly secured web server, the STANDARD IIS USER SHOULD NEVER HAVE ANYTHING MORE THAN ANONYMOUS READ-ONLY ACCESS.

Once again, we are still reviewing IMAIL and strongly looking to abandon the product because of the LACK of SECURITY provided by IIS when IMAIL is running on a machine that also hosts standard websites.

Bruce Barnes
ChicagoNetTech Inc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Nichols
Sent: Friday, September 22, 2006 16:22
To: [email protected]
Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1

The authentication popup happens because WMI, which is used to manage services in the admin, requires administrator privileges to manage services. If your IIS user does not have the privileges needed, the authentication popup will happen.

I have not seen the 0-length mailbox issue before, but will investigate.

Ted Nichols
Ipswitch QA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Schaible
Sent: Friday, September 22, 2006 5:13 PM
To: Ipswitch IMail Mailing List
Subject: [IMail Forum] Results after Upgrading to Imail 2006.1

Hi,

Today we moved a customer's site from IMail 8.22 to IMail 2006.1. The upgrade was quite relaxing. The customer has a spare server which he now uses for a few domains with about 60 accounts. I was quite surprised to see a Quad Xeon 2.88 GHz from Compaq. Honestly, it hurts a bit to see a machine like this for such a really small IMail site. This server will have a really bored life.

I have two open questions:

#1 I think IMail 2006.1 does not like mailbox files with a size of zero bytes. We had tons of messages in the log complaining that the mailbox couldn't be opened. After deleting the empty mailboxes, the error disappeared. Is this a bug after migration?

#2 With this powerful machine, the webmail runs at nearly warp 9.5, but when accessing the "services", a login window popped up. I had to authenticate myself with a Windows login. I know that we had this case here and it has to do with the NTFS security settings. I searched the archives and the KB, but I couldn't find help. Any idea?

--
Kind regards
Martin Schaible
Merlin Consulting

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
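The thread comes down to two checks an administrator can make on the box: whether the IIS anonymous account has been put into the local Administrators group, and whether it (or a group it belongs to) holds more than read access on the iadmin folder. The PowerShell script below performs both checks. It is an added example, not code from Ipswitch or from anyone in the thread. It assumes an anonymous account named IUSR_<hostname> (the IIS 6 convention; on IIS 7 and later the built-in account is simply IUSR) and an admin site folder at C:\IMail\Web\iadmin; both values are parameters and are assumptions, not paths or names taken from the thread.

```powershell
# Added audit example; not from the original thread or from Ipswitch.
# Assumptions (adjust to the server): the IIS anonymous account is
# IUSR_<COMPUTERNAME> and the IMail admin site lives at C:\IMail\Web\iadmin.
param(
    [string]$AnonymousUser = "IUSR_$env:COMPUTERNAME",
    [string]$IadminPath    = 'C:\IMail\Web\iadmin'
)

# Rights that go beyond anonymous read-only access: any write bit, Delete,
# ChangePermissions or TakeOwnership. Modify and FullControl both include these,
# so an ACE granting either is caught as well.
$ElevatedMask = [int](
    [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-LocalAdministrators {
    # The WinNT ADSI provider works on every PowerShell version, unlike
    # Get-LocalGroupMember (Windows 10 / Server 2016 and later only).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Test-AnonymousIsAdmin([string]$User) {
    # Bruce's first point: the anonymous web user must never be a local admin.
    (Get-LocalAdministrators) -contains $User
}

function Get-ElevatedAces([string]$Path, [string[]]$Principals) {
    # Bruce's second point: read-only for the anonymous user. Report every
    # Allow ACE on the folder that grants write-class rights to a listed principal.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            $Principals -contains $name -and
            (([int]$ace.FileSystemRights) -band $ElevatedMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# --- report ---------------------------------------------------------------
if (Test-AnonymousIsAdmin $AnonymousUser) {
    Write-Warning "$AnonymousUser is a member of the local Administrators group."
} else {
    Write-Host "$AnonymousUser is not a local administrator."
}

# Group ACEs matter too: Everyone always covers the anonymous account, the
# IIS 6 IUSR_ account is a member of Guests, and because IIS performs a real
# logon with its credentials, Users / Authenticated Users usually apply as well.
$principals = @($AnonymousUser, 'Everyone', 'Guests', 'Users', 'Authenticated Users')
$hits = @(Get-ElevatedAces $IadminPath $principals)
if ($hits.Count -gt 0) {
    Write-Warning "Write-class rights on $IadminPath for web/anonymous principals:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No write-class rights on $IadminPath for $($principals -join ', ')."
}
```

Run it from an elevated PowerShell prompt on the IMail server, passing -AnonymousUser and -IadminPath if the defaults do not match. A warning from the first check is the configuration Bruce and Ted warn against; a warning from the second lists exactly which ACE grants more than read access and whether it was inherited from a parent folder, which is where the "full control" instead of "change" question in the thread can be answered for a given installation. Neither check removes anything; it only reports.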
