Anonymous user vulnerability
Hey all, what are your thoughts on HC and HF1.4 now giving the anonymous account write access on the www folder? I understand that it is required for some ASP apps to run, but giving write access to the entire www folder seems overkill to me, no? Peter
RE: Anonymous user vulnerability
2004/09/11 02:23:45
The anonymous user is given WRITE permission within its own WWW/DB folder only and I don't see any security risk involved with that. :) Aziz
RE: Anonymous user vulnerability
2004/09/11 12:08:02
Thanks Aziz, I am just thinking ahead here and asking whether there is a risk involved. The thought of the iusr account having write permissions on the root of the site kind of scares me. I will do more research though - if anyone has any thoughts let me know. Peter
RE: Anonymous user vulnerability
2004/09/11 12:56:07
Hi, I don't understand. I think that functionality is completely unnecessary and very dangerous. An anonymous user can never be given Write on WWW! http://hostingcontroller.com/english/logs/hotfixlogv61_1_4.html said: Improvements: The ACL manager now allows adding/editing of the web anonymous user account. The anonymous user is now automatically given READ/WRITE permission over the WWW & DB folder. This ensures proper functioning of database driven websites. If any user has execute over WWW!! A hacking attack is 100% possible!!! I think that if a user can add execute permission by means of the ACL, that is more than enough over www; any user (WEBADMIN) can destroy a server. Some convincing answer? Best regards,
RE: Anonymous user vulnerability
2004/09/11 13:23:40
Aziz, I am not a developer so I don't know, but I consulted with our in-house developers, and all said it was a bad idea. I did some research on the web and the consensus is that it is a bad idea. Well, I was concerned about this so I took it up and called Microsoft support (yes, a $245 incident) and I think you want to change this feature. From MS IIS support this is a BIG no. They gave some really scary scenarios where hackers could take advantage of this. Their recommendation is to allow the IUSR account to write only where needed and on a per-need basis, not the entire web directory. Anyone have any ideas in this regard? I think this is a bad idea for security, no? Peter
RE: Anonymous user vulnerability
2004/09/11 15:16:08
Hi, Please remove this serious possible big bug! Microsoft never recommended the WRITE attribute for the WWW sites! http://support.microsoft.com/kb/187506/en-us Also any WEBADMIN can destroy the server with this feature. Thanks!
RE: Anonymous user vulnerability
2004/09/11 17:12:05
So what is the verdict, HC? Will you be updating the service pack?
RE: Anonymous user vulnerability
2004/09/11 23:48:49
Thanks for the input, everyone. Before you declare this a vulnerability you need to understand the security structure we implement on the website. Each website is given a unique anonymous user (domain.com_web). This user is not the same as IUSR_MACHINE, as this one only has rights on its designated folders. This policy makes it possible that when EVERYONE is removed nobody can access others' data on a shared server. Having said this, when we give WRITE permission to the Domain.com_Web user, it means that we are allowing the site owner to write such scripts that may create files in his WWW folder ONLY and read/write the database IF it is also uploaded in the WWW folder (many novice developers do this). It is important to understand that Domain.com_Web is a unique user to whom we give the WRITE right only on the designated WWW/DB folder, and technically speaking there is no way he could access other places or destroy the server. I understand that Microsoft support may have suggested not to give write permission, but did you tell them the exact scenario and did you ask them how the database is manipulated if we remove anonymous write access? In short, I assure you, to the best of my knowledge and experience, that WRITE permission is not a security threat for the server; rather it eases an additional support burden from your shoulders. Thanks for listening to us.
RE: Anonymous user vulnerability
2004/10/11 08:18:31
RE: Anonymous user vulnerability
2004/10/11 10:42:14
On one of my systems HC has been giving the anonymous user write permissions on the www folder for as long as I can remember (which is at least a few months - heheh). My 2 cents: I would tend to agree that the anon user should not have write permission on the www folder by default (but it is good that the ACL manager allows for configuring the anon user instead of Everyone). True, MS comments on the subject do refer to the default installation of IIS; however, it is also true that according to MS Best Practices one should always apply the Principle of Least Privilege when setting NTFS permissions. Thus the anon user should have write permission on the www folder only when all files in that folder require it - a rare example; moreover, it should not be inherited by subfolders. If a single file among many files in www requires write, then only that file should receive it.
RE: Anonymous user vulnerability
2004/10/11 11:24:48
Hello again, I never installed this Hot Fix (1.4) because this terrible BUG in the WRITE permissions appeared. Facts: 1) For the Anonymous User, in the recommendations of Microsoft and all the security forums on the web, the write permission is never recommended for these users. 2) In the structure of HC the folders are: DB, LOG, Special and WWW; I always recommend my clients install the Database in the DB folder and never in another folder. 3) In the last month one of the farm servers was completely hacked and all the information was destroyed because of bad (write) permissions in FrontPage 2002. It was an anonymous user being given permissions and climbing. Regards
RE: Anonymous user vulnerability
2004/10/11 13:45:38
That is my point exactly: webmins should decide which folders need to allow write permissions, but allowing the entire www directory anon write seems to be a disaster waiting to happen. I can just see this months down the road where a worm comes out and sites with certain conditions (amongst which anon write) are affected. Then we will all be scrambling to fix. Any comments anyone?
RE: Anonymous user vulnerability
2004/11/11 02:09:58
crnunez, you are mixing WRITE permissions on the website with WRITE permissions of the domain.com_web user. WRITE permissions on the website are indeed dangerous and if they are ON anyone can log in to your website with FrontPage. For an understanding of what WRITE permission on the website is, please refer to http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_acc_settwebperm.mspx. I am not denying Microsoft best practices. I am just trying to explain that the anonymous user of your website is a unique user that has access to your website ONLY. I still couldn't think how one can compromise the server just because of write permission on the WWW folder. Can you show an example on our demo server which is open to you? Or is this just fear of the unknown? We will not remove this unless we are convinced with an example.
RE: Anonymous user vulnerability
2004/11/11 04:54:47
Hello, I was mixed up when reading the release notes about this feature too. However, I tend to agree with HC that this has (or should have) limited scope. As they wrote, the specific website anon user will get write access to that website's folders. If the server ACL is properly configured, this would mean that only that specific website's folders are under moderate risk, not the server itself or other websites. The risk is someone might exploit a bug in code to gain write access to that website's folders and only to them. I guess HC was trying to provide a more "relaxed" setup in order to provide advantages to all those users who deploy pre-made websites / CMS which usually might require write access to some or all folders. However, a risk that bugs could be exploited to gain write access to website folders actually exists. Of course, the IUSR_server account is not involved, as the anonymous user for a specific website is not the IUSR_server account. However, if the ACLs for your server are not properly configured, that server is under threat of being hacked even if the anonymous user for a website only has read privileges for those folders. If that user can get outside a fair scope (for example, it could be able to read c:\) that's not properly configured! My take: ACL management is maybe the hardest part to learn. Instead of relaxed ACL settings, HC might provide wizards for novice users to guide them in a simple way. For example, instead of allowing them to change ACL settings, a wizard could ask:

--- ACL WIZARD ---
Do you want to enable write access for:
[ ] entire website
[ ] a database folder
[ ] only a specific folder
Option: [ ] also set same access to child objects
----- ACL WIZARD -----

Of course, expert users should be able to set ACLs manually, but this could help novice users to balance between security and flexibility. Regards.
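The least-privilege layout argued for two posts up (write only where required, not inherited by subfolders) and the "database folder only" option of the wizard sketched above, as an added PowerShell example that is not from this thread or from Hosting Controller. It assumes the HC folder layout (WWW and DB under a site root) and uses placeholder values for the site root and the per-site anonymous account name.

```powershell
# Added example, not from this thread or from Hosting Controller. Audits which
# folders under a site's WWW tree give the site's anonymous account Write, then
# re-scopes Write to the DB folder only (files in DB, no subfolder inheritance).
# Placeholders: site root D:\Sites\example.com, anonymous account example.com_web.
param(
    [string]$SiteRoot = 'D:\Sites\example.com',
    [string]$AnonUser = 'example.com_web'
)
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write

function Find-AnonWriteFolders {
    # Detection: every folder under $Root where an Allow ACE for $User carries any Write bit.
    param([string]$Root, [string]$User)
    Get-ChildItem -Path $Root -Directory -Recurse -Force | ForEach-Object {
        foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
            if ($ace.IdentityReference.Value -like "*\$User" -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $WriteBits) -ne 0) {
                [pscustomobject]@{ Folder = $_.FullName; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

$Www = Join-Path $SiteRoot 'WWW'
$Db  = Join-Path $SiteRoot 'DB'

# Report before changing anything; inherited ACEs point at the parent that granted them.
Find-AnonWriteFolders -Root $Www -User $AnonUser | Format-Table -AutoSize

# Mitigation step 1: WWW gets ReadAndExecute only, inherited by the whole tree.
# Explicit Write ACEs for the anonymous account are dropped (inherited ones must be
# removed at the parent folder that defines them).
$WwwAcl = Get-Acl -Path $Www
$WwwAcl.Access | Where-Object { $_.IdentityReference.Value -like "*\$AnonUser" -and -not $_.IsInherited } |
    ForEach-Object { [void]$WwwAcl.RemoveAccessRule($_) }
$WwwAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AnonUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $Www -AclObject $WwwAcl

# Mitigation step 2: Modify on the DB folder and on the files directly inside it only;
# ObjectInherit + NoPropagateInherit keeps the ACE from flowing into any subfolder.
$DbAcl = Get-Acl -Path $Db
$DbAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AnonUser, 'Modify', 'ObjectInherit', 'NoPropagateInherit', 'Allow')))
Set-Acl -Path $Db -AclObject $DbAcl
```

Run the audit function alone first across every site root on a shared server; a non-empty result on a site whose code does not need to write under WWW is exactly the condition the thread warns about.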
RE: Anonymous user vulnerability
2004/11/11 07:34:18
Hello, We are very concerned for the security of the server. I am not a hacker, but a hacker has the knowledge to make magic, as we all know, to destroy with minimum tools. Microsoft Corporation (xxxx engineers) has many security bugs all the time. For this reason it is never convenient to open anything for a hacker; we cannot let them have the most minimal attack opportunity. Hacking attacks in the first step attempt to escalate the permissions; with write it is possible to install any dangerous code, and the next step is to obtain Execute permission to complete the process... But I and all the clients will be much calmer if Hosting Controller guarantees 100% that nothing will happen. (I think that I am not paranoid about security, but in the last hacking attack I had to pay for a rebuild of the server, a big amount ($$$), +30 hours down, 16 customers lost, and many losses...) Best Regards,