IIS lockdown is set up and all the updates are up to date using MBSA. I guess I'm just gonna have to tell him too bad. And present these reasons to my boss.
thanks guys.

----- Original Message -----
From: "* KAPIL *" <[EMAIL PROTECTED]>
To: "'Kenzo'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, February 07, 2003 6:13 PM
Subject: RE: permission

> I don't think it's a good idea to give any sort of access to the root.
> Your website shouldn't be on the system volume anyway. If you need to
> test some sort of program/code that requires access to all of C:....then
> that's just bad programming. Why can't he test with access to a folder
> that's specially created for testing? ...or test on a development box
> that's not open to the public. In reality, if you're not a huge company,
> don't have many enemies, have a low traffic site and take other
> precautions to secure the network, you're fairly safe....still not a
> good idea though. I would also recommend downloading and running The IIS
> Lockdown Tool and the Microsoft Baseline Security Analyzer....both
> available for free from Microsoft.
>
> -------------------------
> Stand Up For Free Speech
> http://www.eff.org
>
> -----Original Message-----
> From: Kenzo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 07, 2003 1:47 PM
> To: [EMAIL PROTECTED]
> Subject: permission
>
>
> OK, I need some input from you guys on this.
> Our webmaster seems to think that giving the guest internet user read
> access to the C drive is OK as long as you don't set IIS to list content
> and other stuff that I don't understand, since I don't know anything
> about running a website. I told him that by doing so, most subfolders
> will also take that permission, so if someone that knows what they're
> doing could compromise that account, they would have read access to
> almost the whole C drive. The box is a win2k server with IIS5. I
> believe he wants to do this for some error checking for a C or java
> program. The program is supposed to check to make sure that the drive has
> enough space before it starts writing or copying things and for that it
> needs read access to the C drive.
> To me, even though I don't know
> anything about programming and webhosting, it doesn't look right from the
> security point of view.
>
> Please give me some input on this if it's OK or not and why, so that I
> can tell him yes it's OK or NO it's not OK because of this and that.
>
> Thanks.
>
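
An added example, not part of the original thread and not the webmaster's program: a free-space check in C that queries the volume through one dedicated directory, in line with the suggestion above to test against a specially created folder. The function names and the "." path are hypothetical; on Windows, Microsoft documents that GetDiskFreeSpaceEx needs only list access on the directory passed to it.

```c
/* Added example: free-space check scoped to one directory (hypothetical names). */
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/statvfs.h>
#endif

/* Returns 0 and stores the bytes available to the calling account on the
 * volume that holds `dir`; returns -1 if the query fails. */
int free_bytes_for_dir(const char *dir, uint64_t *out)
{
#ifdef _WIN32
    ULARGE_INTEGER avail;
    /* Queried through a directory the account can list, so no grant
     * on the volume root is involved. */
    if (!GetDiskFreeSpaceExA(dir, &avail, NULL, NULL))
        return -1;
    *out = avail.QuadPart;
#else
    struct statvfs vfs;
    if (statvfs(dir, &vfs) != 0)
        return -1;
    *out = (uint64_t)vfs.f_bavail * (uint64_t)vfs.f_frsize;
#endif
    return 0;
}

/* Returns 1 if `needed` bytes plus a safety `reserve` fit, 0 if they do
 * not, -1 if free space could not be determined (treat as "do not write"). */
int has_room(const char *dir, uint64_t needed, uint64_t reserve)
{
    uint64_t avail;
    if (free_bytes_for_dir(dir, &avail) != 0)
        return -1;
    if (needed > UINT64_MAX - reserve)   /* guard against overflow */
        return 0;
    return avail >= needed + reserve ? 1 : 0;
}

int main(void)
{
    /* Hypothetical test folder: on the server this would be the single
     * directory the web account has been granted access to. */
    const char *dir = ".";
    printf("has_room(%s) = %d\n", dir, has_room(dir, 1024 * 1024, 0));
    return 0;
}
```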