But my friend, that too will fail. System File protection will continue placing cmd.exe where it belongs.
The only correct fix is to address the gaping hole of ACLs in the system directory by explicitly denying access for the IIS created accounts.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: James Winzenz
> Sent: Wednesday, November 13, 2002 9:42 AM
> To: NT 2000 Discussions
> Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
>
> It may have been for IIS 4.0, but certainly isn't listed in Microsoft's
> recommended steps for securing IIS 5.0 (at least, not that I saw). That
> being said, to change the location for cmd.exe, you need to go into the
> environmental variables (properties of my computer, advanced, environmental
> variables button). Under system variables, edit ComSpec (cmd.exe) and
> change it to the new location.
>
> James Winzenz, MCSE, A+
> Associate Systems Administrator
> Inovis™, formerly Harbinger and Extricity
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@;ornl.gov]
> Sent: Wednesday, November 13, 2002 9:34 AM
> To: NT 2000 Discussions
> Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
>
> Actually in securing NT 4.0, Microsoft recommended either moving these files
> to a different location or setting more restrictive ACLs on these files.
> There was a hack for IIS called directory traversal. In this attack, the
> attacker utilizes the default location for webroot and the default location
> for the system files to traverse up the directory to c:\ and then back to
> cmd.exe. This can be done with no privilege elevation. If cmd.exe is
> moved, or if the IUSR account does not have execute privileges, the attacker
> is not able to exploit the directory traversal vulnerability. This is just
> one example of a known vulnerability.
> The next vulnerability may also utilize the known locations of certain
> tools. If the tools are moved, the attack is blocked. While I would not
> rely only on moving these tools, it is still a valid and effective defense.
>
> Dennis Depp
>
> -----Original Message-----
> From: James Winzenz [mailto:james.winzenz@;inovis.com]
> Sent: Wednesday, November 13, 2002 9:03 AM
> To: NT 2000 Discussions
> Subject: RE: Securing Webserver was RE: Active Directory Password Policy Grief.
>
> Honestly, if you have to worry about changing the locations of tools that
> hackers might use, then you have a more serious problem. Do you think that
> changing the location of cmd.exe is going to keep a hacker (who has already
> gotten in to your network) from finding it? Get real. Take a look at some
> of these articles for securing IIS instead of playing around with system
> tool locations:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/deploy/depovg/securiis.asp
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
>
> A simple search on google for "securing IIS" gave a plethora of answers,
> these were both among the top ten. I am sure that there are many others,
> some of which may even do a better job of helping you to secure your
> webserver. But at least this is a start.
>
> James Winzenz, MCSE, A+
> Associate Systems Administrator
> Inovis™, formerly Harbinger and Extricity
>
> -----Original Message-----
> From: Emmanuel Adebayo [mailto:emmanuel.adebayo@;humanelectric.com]
> Sent: Wednesday, November 13, 2002 8:44 AM
> To: NT 2000 Discussions
> Subject: RE: Active Directory Password Policy Grief.
>
> I am installing the system as a webserver and would like to remove all the
> tools that hackers use from default location and place them elsewhere then
> set the path in the environment.
>
> Thanks.
>
> -----Original Message-----
> From: James Winzenz [mailto:james.winzenz@;inovis.com]
> Sent: 13 November 2002 13:41
> To: NT 2000 Discussions
> Subject: RE: Active Directory Password Policy Grief.
>
> 1. don't hijack threads
> 2. why?
>
> James Winzenz, MCSE, A+
> Associate Systems Administrator
> Inovis™, formerly Harbinger and Extricity
>
> -----Original Message-----
> From: Emmanuel Adebayo [mailto:emmanuel.adebayo@;humanelectric.com]
> Sent: Wednesday, November 13, 2002 8:34 AM
> To: NT 2000 Discussions
> Subject: RE: Active Directory Password Policy Grief.
>
> Dear all,
>
> I tried to move cmd.exe from system32 folder in Winnt directory (Windows
> 2000 Server), after the move, I still find a copy of the file in System32.
>
> Any help?
>
> Regards
> Emmanuel
>
> ------
> You are subscribed as [EMAIL PROTECTED]
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe send a blank email to %%email.unsub%%
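
The ACL fix argued for at the top of this thread (an explicit deny for the IIS-created accounts), as an added PowerShell example that is not from any of the messages. It assumes the default `IUSR_<computer>` and `IWAM_<computer>` account names, and every tool in the list other than cmd.exe is an assumed choice, since cmd.exe is the only one the thread names.

```powershell
# Added example, not from the thread. Reports whether each IIS-created account
# has an explicit Deny on execute for each tool; -Apply adds the missing Deny.
# Assumed: default account names, and every tool in the list except cmd.exe.
param(
    [string[]]$Tools    = @('cmd.exe', 'cscript.exe', 'ftp.exe', 'tftp.exe', 'net.exe'),
    [string[]]$Accounts = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME"),
    [switch]$Apply
)

$exec    = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$deny    = [System.Security.AccessControl.AccessControlType]::Deny
$sidType = [System.Security.Principal.SecurityIdentifier]
$sysDir  = Join-Path $env:SystemRoot 'System32'

foreach ($tool in $Tools) {
    $path = Join-Path $sysDir $tool
    if (-not (Test-Path -LiteralPath $path)) { continue }

    foreach ($account in $Accounts) {
        try {   # resolve the name to a SID; skip accounts absent on this host
            $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate($sidType)
        } catch {
            Write-Warning "Account '$account' not found; skipped."
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        # Explicit and inherited rules, with identities returned as SIDs
        $denied = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $deny -and
            ($_.FileSystemRights -band $exec) -eq $exec
        }

        if (-not $denied -and $Apply) {
            # A Deny entry is evaluated before any Allow the account gets via groups
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $exec, $deny)
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl -ErrorAction Stop
            $denied = $true
        }

        [pscustomobject]@{ Tool = $tool; Account = $account; ExecuteDenied = [bool]$denied }
    }
}
```

Because the deny is attached to the file's ACL and not to its location, it still applies when System File Protection puts cmd.exe back in System32. On current Windows versions the files in System32 are owned by TrustedInstaller, so `-Apply` may fail for an account that cannot modify the ACL, while the report mode only needs read access.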
