  1. #1

    FSO exploit for windows server 2003

    Hi all;
    My web site users can reach all server data including the root directory and drives because of the File System Object.
    How can I prevent this security bug?

  2. #2
    You can try removing the EVERYONE permission from the hard drives and allow only SYSTEM and ADMINISTRATORS full access.

    Hope this helps.
    # experienced Cloud/OpenStack Architect
    # Feel free to PM me for any info or help to build your cloud.

  3. #3
    DON'T DO THAT !

    It will stop both ASP and ASP.NET from working as both need access to certain directories.

    Spend some time reading through usenet and MS site and find out which files and folders your users DO need access to, make sure they can see those (read only) and shut them out of the others.

    There's something that should worry you more...

    Your users can probably also see each other's files, which is an unforgivable lapse in security and could lead to big problems for you and your users.

    You should be running each site with its own IUSR_ user AND you need to enforce impersonation in your machine.config file to stop them reading each other's files via the user used for .NET - otherwise they will have free access to each other's files, including databases which could hold CC details etc.

    You also need to set machineonly in your machine.config file to stop a user overriding it in their own web.config file.

    This is a huge topic and can't be explained in a post - you have a lot of homework to do, I'm afraid.
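An added example, not from this thread, that checks a machine.config for the two settings post #3 describes: ASP.NET impersonation turned on, and that setting locked so a site's own web.config cannot override it. It assumes a .NET 1.x-style machine.config without an XML namespace; the file path is a placeholder.

```powershell
# Added example (not from the thread). Checks the machine.config settings from post #3:
#   1. <identity impersonate="true"/> under system.web, so each request runs as the
#      site's own IUSR_ account instead of the shared ASP.NET process account.
#   2. That setting locked against per-site web.config overrides, either by wrapping it
#      in <location allowOverride="false"> or by declaring the identity section with
#      allowDefinition="MachineOnly" (the "machineonly" the post refers to).
# Assumes a .NET 1.x-style machine.config with no XML namespace. Path is a placeholder.
param([string]$MachineConfig = 'C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config')

function Test-ImpersonationLocked([string]$Path) {
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $findings = @()

    $identity = $cfg.SelectSingleNode('//system.web/identity')
    if (-not $identity -or $identity.impersonate -ne 'true') {
        $findings += 'identity impersonate is not "true": .NET requests run as the shared ASP.NET account'
    }

    # Locked if wrapped in <location allowOverride="false"> ...
    $byLocation = $identity -and $identity.SelectSingleNode('ancestor::location[@allowOverride="false"]')
    # ... or if the section declaration itself is MachineOnly.
    $decl = $cfg.SelectSingleNode('//configSections//section[@name="identity"]')
    $byDecl = $decl -and ($decl.allowDefinition -eq 'MachineOnly')
    if (-not ($byLocation -or $byDecl)) {
        $findings += 'identity is not locked: a site web.config can switch impersonation back off'
    }

    [pscustomobject]@{ File = $Path; Locked = ($findings.Count -eq 0); Findings = $findings }
}

Test-ImpersonationLocked $MachineConfig | Format-List
```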

  4. #4
    The guide I posted above is what I am doing on my servers running Hosting Controller, and both ASP and ASP.NET are working fine. One is a Windows 2000 server and the other is a Windows 2003 server.

    Strange... all my users are able to use ASP and ASP.NET.

    You can check security article at hostingcontroller.com


  5. #5

    other ways

    Thank you for the answers;
    Every site is using its own anonymous account, which is the default in Windows 2003.
    But there is no EVERYONE permission in the folder security settings? Should I add EVERYONE and deny permissions?
    Well, is there any specific source web site to learn about it?
    Or any way to uninstall FSO for some web sites?
    Every web site has its own anonymous account but still they can reach even my hard drive.

  6. #6

    Warning: Be careful and understand properly what you are doing before doing it. I am not responsible if anything happens to your system after following the guide below. Better make a note of the settings that were there before and what you did.

    http://hostingcontroller.com/english...Article44.html

    Applicable to both Windows 2000 and Windows 2003.

    Hope this helps.

  7. #7

    This helped

    Thanks a lot, this helped me.
    But I still have one little question:
    I have edited permissions on the web root folder; now users cannot access this folder. I have also edited the C: drive and users cannot reach it as well.
    Users cannot reach C:
    Users cannot reach the web root.
    But the problem is users can reach C:\Program Files or C:\Windows.
    Do I have to edit permissions on ALL folders? Is it logical?
    Is there any easier way to isolate them?

  8. #8

    Re: This helped

    Originally posted by lover
    Thanks a lot, this helped me.
    But I still have one little question:
    I have edited permissions on the web root folder; now users cannot access this folder. I have also edited the C: drive and users cannot reach it as well.
    Users cannot reach C:
    Users cannot reach the web root.
    But the problem is users can reach C:\Program Files or C:\Windows.
    Do I have to edit permissions on ALL folders? Is it logical?
    Is there any easier way to isolate them?

    Remove 'Everyone' from all directories on your system. You only need SYSTEM, the Administrators group, local, network... under 'Windows' and 'Program Files' on your system drive. If you're the administrator, give yourself full control everywhere. IUSR_ permissions should already be set up properly, so leave them alone. IUSR_ should have write access only under temp directories and the sites' directories. If you want more security, give IUSR_ write access to the database and FSO work directories only for the site.

    You should use a utility that displays a report of all NTFS permissions for all files and directories so you can tighten loose permissions. Make a backup before you play with permissions, or write down what permissions you have changed so that you can change them back if it breaks something.
    Sami
    --------
    http://www.cheapesthosting.com - Affordable Hosting since 1998
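An added example, not from this thread or from any hosting product, of the permissions report post #8 recommends: it walks directories under a root and flags the two things the thread says should not be there, an 'Everyone' ACE anywhere and an IUSR_ account with write rights outside its own site or temp directories. It assumes PowerShell 5 or later (Get-ChildItem -Depth); the root and site paths are placeholders.

```powershell
# Added example (not from the thread). Reports NTFS ACEs that post #8 says to remove or
# tighten. Assumes PowerShell 5+ (Get-ChildItem -Depth); on a Windows 2003 box the same
# data would come from cacls/xcacls. $Root and $SiteWritePaths are placeholders.
param(
    [string]$Root = 'C:\',
    [string[]]$SiteWritePaths = @('C:\Inetpub\wwwroot\site1', 'C:\WINDOWS\Temp'),
    [int]$Depth = 2
)

# Any of these rights lets an account change files; treat them all as "write".
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Find-LooseAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only grants matter here
        $who = $ace.IdentityReference.Value
        $finding = $null
        if ($who -eq 'Everyone') {
            # Post #8: 'Everyone' should not appear on any directory.
            $finding = 'Everyone ACE'
        } elseif ($who -like '*\IUSR_*' -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            # IUSR_ may write only under its own site and temp directories.
            $inSite = $SiteWritePaths | Where-Object { $Path.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inSite) { $finding = 'IUSR_ write outside site/temp' }
        }
        if ($finding) {
            [pscustomobject]@{ Path = $Path; Identity = $who; Rights = $ace.FileSystemRights; Finding = $finding }
        }
    }
}

# Directories the caller cannot read are skipped rather than aborting the report.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object { try { Find-LooseAce $_.FullName } catch { } } |
    Format-Table -AutoSize
```

Run it as an administrator and raise -Depth once the top-level findings are cleaned up; the report is read-only, so it is safe to run before touching any ACL.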
