Wouldn't an attacker utilize the comspec variable to run the program in the first place?
Dave Lum - [EMAIL PROTECTED] Sr. Network Specialist - Textron Financial 503-675-5510 -----Original Message----- From: James Winzenz [mailto:james.winzenz@;inovis.com] Sent: Wednesday, November 13, 2002 06:42 AM To: NT 2000 Discussions Subject: RE: Securing Webserver was RE: Active Directory Password Policy G rief. It may have been for IIS 4.0, but certainly isn't listed in Microsoft's recommended steps for securing IIS 5.0 (at least, not that I saw). That being said, to change the location for cmd.exe, you need to go into the environmental variables (properties of my computer, advanced, environmental variables button). Under system variables, edit ComSpec (cmd.exe) and change it to to the new location. James Winzenz, MCSE, A+ Associate Systems Administrator InovisTM, formerly Harbinger and Extricity -----Original Message----- From: Depp, Dennis M. [mailto:deppdm@;ornl.gov] Sent: Wednesday, November 13, 2002 9:34 AM To: NT 2000 Discussions Subject: RE: Securing Webserver was RE: Active Directory Password Policy G rief. Actually in securing NT 4.0, Microsoft recommended either moving these files to a different location or setting more restrictive ACLs on these files. There was a hack for IIS called directory traversal. In this attack, the attacker utilizes the default location for webroot and the default location for the system files to traverse up the directory to c:\ and then back to cmd.exe. This can be done with no privledge elevation. If cmd.exe is moved, or if the IUSR account doe not have execute priveleges, the attacker is not able to exploit the directory traversal vulnerability. This is just one example of a known vulnerability. The next vulnerability may also utilize the known locations of certain tools. If the tools are moved, the attack is blocked. While I would not rely only on moving these tools, it is still a valid and effective defense. Dennis Depp ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
