FSO exploit for windows server 2003
#1 | 07-12-2003, 06:37 PM | lover (Junior Guru Wannabe; Join Date: Jun 2003; Posts: 50)
FSO exploit for windows server 2003


Hi all,
My web site users can reach all server data, including the root directory and drives, because of the FileSystemObject.
How can I prevent this security bug?



#2 | 07-13-2003, 01:54 AM | admin0 (Web Hosting Master; Join Date: Dec 2001; Location: Europe; Posts: 755)
You can try removing the EVERYONE permission from the hard drives and allowing only SYSTEM and ADMINISTRATORS full access.

Hope this helps.

__________________
CloudStack Consultancy/Setup
fulltime sysadmin since 1997!

#3 | 07-13-2003, 02:56 PM | my_forum_id (Aspiring Evangelist; Join Date: Oct 2002; Posts: 353)
DON'T DO THAT!

It will stop both ASP and ASP.NET from working, as both need access to certain directories.

Spend some time reading through Usenet and the MS site and find out which files and folders your users DO need access to, make sure they can see those (read only) and shut them out of the others.

There's something that should worry you more . . . .

Your users can probably also see each other's files, which is an unforgivable lapse in security and could lead to big problems for you and your users.

You should be running each site with its own IUSR_ user AND you need to enforce impersonation in your machine.config file to stop them reading each other's files via the user used for .NET - otherwise they will have free access to each other's files, including databases, which could hold CC details etc.

You also need to set machineonly in your machine.config file to stop a user overriding it in their own web.config file.

This is a huge topic and can't be explained in a post - you have a lot of homework to do, I'm afraid.
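The machine.config lockdown the post above describes, as an added example that is not part of the original thread. It assumes an ASP.NET 1.x machine.config with no XML namespace on <configuration>, a current PowerShell host (which the thread's 2003 server would not have had), and hypothetical names: Test-ImpersonationLocked, the two embedded config fragments and the v1.1.4322 path are constructed for this example, not taken from the thread.

```powershell
# Added example (not from the thread). Assumptions: ASP.NET 1.x machine.config
# layout, no XML namespace on <configuration>; the function name and the two
# fragments below are hypothetical.

# How the identity section should look once impersonation is forced AND the
# tenant's web.config is prevented from overriding it.
$LockedFragment = @'
<configuration>
  <location allowOverride="false">
    <system.web>
      <!-- each request runs as the site's own anonymous user (IUSR_<site>) -->
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
'@

# A typical weak layout: impersonation is on but not locked, so a site-level
# web.config containing <identity impersonate="false" /> silently wins and the
# site runs as the shared .NET worker account with access to every other site.
$WeakFragment = @'
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>
'@

function Test-ImpersonationLocked {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ConfigXml)

    $doc = [xml]$ConfigXml
    $findings = @()

    # 1. impersonation must actually be switched on under <system.web>
    $identityNodes = @($doc.SelectNodes('//system.web/identity') |
        Where-Object { $_.GetAttribute('impersonate') -eq 'true' })
    if ($identityNodes.Count -eq 0) {
        $findings += 'no <identity impersonate="true" /> found'
    }

    # 2. each such element must live inside <location allowOverride="false">,
    #    otherwise a per-site web.config can turn impersonation off again
    foreach ($node in $identityNodes) {
        $location = $node.ParentNode.ParentNode
        $locked = $false
        if ($location -is [System.Xml.XmlElement] -and $location.LocalName -eq 'location') {
            $locked = $location.GetAttribute('allowOverride') -eq 'false'
        }
        if (-not $locked) {
            $findings += '<identity> is not wrapped in <location allowOverride="false">'
        }
    }

    # an empty result means both checks pass
    return $findings
}

# Usage against the two embedded fragments and the live file (path is an assumption)
Test-ImpersonationLocked $LockedFragment    # returns nothing
Test-ImpersonationLocked $WeakFragment      # one finding: missing <location> wrapper
$machineConfig = "$env:WINDIR\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config"
if (Test-Path -LiteralPath $machineConfig) {
    Test-ImpersonationLocked (Get-Content -LiteralPath $machineConfig -Raw)
}
```

The <location allowOverride="false"> wrapper is what makes a tenant's own <identity impersonate="false" /> fail with a configuration error instead of quietly switching that site back to the shared worker-process account. The "machineonly" the post mentions is the other lever: the allowDefinition="MachineOnly" attribute on the <section name="identity" ...> declaration inside machine.config's <configSections>, which refuses the element in any web.config at all. Either works; the location wrapper is the one that is easy to verify mechanically, which is what the function checks.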

#4 | 07-14-2003, 02:54 AM | admin0 (Web Hosting Master; Join Date: Dec 2001; Location: Europe; Posts: 755)
The above guide that I posted is what I am doing on my servers running Hosting Controller, and both ASP and ASP.NET are working fine. One is Windows 2000 Server and the other is Windows 2003 Server.

Strange.. all my users are able to use ASP and ASP.NET.

You can check the security article at hostingcontroller.com



#5 | 07-14-2003, 07:08 AM | lover (Junior Guru Wannabe; Join Date: Jun 2003; Posts: 50)
other ways

Thank you for the answers.
Every site is using its own anonymous account, which is the default in Windows 2003.
But there is no EVERYONE permission in the folder security settings. Should I add EVERYONE and deny permissions?
Well, is there any specific source web site to learn about it?
Or any way to uninstall FSO for some web sites?
Every web site has its own anonymous account, but they can still reach even my hard drive.

#6 | 07-14-2003, 10:17 AM | admin0 (Web Hosting Master; Join Date: Dec 2001; Location: Europe; Posts: 755)

Warning: Be careful and understand properly what you are doing before doing it. I am not responsible if anything happens to your system after following the guide below. Better make a note of the settings that were there before and what you did.



http://hostingcontroller.com/english...Article44.html

Applicable to both Windows 2000 and Windows 2003.

Hope this helps.


#7 | 07-14-2003, 08:44 PM | lover (Junior Guru Wannabe; Join Date: Jun 2003; Posts: 50)
This helped

Thanks a lot, this helped me.
But I still have one little question:
I have edited permissions in the web root folder, so now users cannot access this folder; I have also edited the C: drive and users cannot reach it either.
Users cannot reach C:
Users cannot reach the web root
But the problem is users can reach C:\Program Files or C:\Windows.
Do I have to edit permissions on ALL folders? Is that logical?
Is there any easier way to isolate them?

#8 | 07-16-2003, 10:40 AM | sbloyd (Junior Guru Wannabe; Join Date: Dec 2002; Posts: 85)
Re: This helped

Quote:
Originally posted by lover
Thanks a lot, this helped me.
But I still have one little question:
I have edited permissions in the web root folder, so now users cannot access this folder; I have also edited the C: drive and users cannot reach it either.
Users cannot reach C:
Users cannot reach the web root
But the problem is users can reach C:\Program Files or C:\Windows.
Do I have to edit permissions on ALL folders? Is that logical?
Is there any easier way to isolate them?

Remove 'Everyone' from all directories on your system. You only need System, the Administrators group, Local, Network... under 'Windows' and 'Program Files' on your system drive. If you're the administrator, give yourself full control everywhere. IUSR_ permissions should already be set up properly, so leave them alone. IUSR_ should have write access only under temp directories and the site directories. If you want more security, give IUSR_ write access only to the database and FSO work directories for the site.

You should use a utility that displays a report of all NTFS permissions for all files and directories so you can tighten loose permissions. Make a backup before you play with permissions, or write down what permissions you have changed so that you can change them back if it breaks something.

__________________
Sami
--------
http://www.cheapesthosting.com - Affordable Hosting since 1998
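The permission report and the per-site isolation that the post above recommends, as an added example that is not part of the original thread. It assumes a current Windows host with PowerShell and icacls (the 2003-era server would have had cacls.exe instead), that each site's anonymous account is named IUSR_<something>, and that the directory list, site layout and function names are hypothetical. The audit only reads ACLs and prints the icacls lines to apply; nothing is changed until the admin runs them by hand.

```powershell
# Added example (not from the thread). Assumptions: anonymous web accounts are
# named IUSR_*, the site root layout is hypothetical, icacls is present.
# Back up ACLs first, so changes can be reverted:  icacls "C:\" /save C:\acl-backup.txt /t

$SystemDirs = @("$env:SystemDrive\", $env:WINDIR, $env:ProgramFiles)

# Bits that let a caller create, change or delete files. Modify and FullControl
# include them, so one -band test covers all three.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Delete)

function Test-WriteCapable {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights = [int]$Ace.FileSystemRights
    # Bits outside FullControl (0x1F01FF) are unmapped GENERIC_* rights; treat them as write-capable
    if (($rights -band (-bnot 0x1F01FF)) -ne 0) { return $true }
    return (($rights -band $WriteMask) -ne 0)
}

# Classic ASP's FileSystemObject runs as the site's anonymous user, so the NTFS
# ACL is the only thing that bounds it. Report the two things post #8 calls loose:
# 'Everyone' on a system directory, and an IUSR_ account that can write outside
# the places where that is legitimate.
function Get-LooseAce {
    param(
        [string[]]$Path = $SystemDirs,
        # Roots under which IUSR_ write access is expected (temp, site data/FSO dirs)
        [string[]]$AllowedWriteRoot = @("$env:WINDIR\Temp")
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $reason = $null
            if ($id -eq 'Everyone') {
                $reason = 'Everyone granted on a system directory'
            } elseif ($id -like '*\IUSR_*' -and (Test-WriteCapable $ace)) {
                $inAllowed = $AllowedWriteRoot | Where-Object { $dir -like "$_*" }
                if (-not $inAllowed) { $reason = 'anonymous web user can write outside its site' }
            }
            if ($reason) {
                [pscustomobject]@{
                    Path     = $dir
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Reason   = $reason
                    Fix      = ('icacls "{0}" /remove:g "{1}"' -f $dir, $id)
                }
            }
        }
    }
}

# icacls lines that put one site on post #8's model: SYSTEM and Administrators get
# full control, the site's own IUSR_ account reads the site and writes only in its
# data directory. The worker-process identity that also needs read access is an
# assumption (NETWORK SERVICE for IIS 6 in worker process isolation mode).
function Get-SiteIsolationCommands {
    param(
        [Parameter(Mandatory)][string]$SiteRoot,
        [Parameter(Mandatory)][string]$SiteUser,          # e.g. 'IUSR_examplesite'
        [string]$DataDir = (Join-Path $SiteRoot 'data'),
        [string]$WorkerIdentity = 'NT AUTHORITY\NETWORK SERVICE'
    )
    @(
        ('icacls "{0}" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "{1}:(OI)(CI)RX" "{2}:(OI)(CI)RX"' -f $SiteRoot, $SiteUser, $WorkerIdentity)
        ('icacls "{0}" /grant "{1}:(OI)(CI)M"' -f $DataDir, $SiteUser)
    )
}

# Usage (site root and account name are constructed for the example)
Get-LooseAce | Format-Table Path, Identity, Rights, Reason, Fix -AutoSize
Get-SiteIsolationCommands -SiteRoot 'D:\sites\examplesite' -SiteUser 'IUSR_examplesite'
```

/inheritance:r on the site root is what stops permissions inherited from the drive (the thing that let users reach C:\Program Files and C:\Windows in post #7) from flowing into the site, so each site's ACL stands on its own instead of requiring every parent folder to be edited. Apply the Fix lines one directory at a time and test ASP and ASP.NET after each, since post #3's warning about over-tightening the system directories still applies.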
