Hosting Provided By

IIS 4 Security

From: anyluser <anyluser(at)yahoo.com>
Date: Tue Dec 10 2002 - 16:52:50 EST

A friend and I are having a (friendly) debate and I was wondering the SecBasics crowd thought.

The Hypothetical Situation: A publicly available yet password protected web site is hosted using IIS 4 w/o SSL. It is completly unpatched and yet there are no sites or pages that can be accessed w/o a valid username and password. IOW, no anon access, ever.

My Premise: It is reasonably secure right up until a brute force attack or eaves dropping yields a valid username/pass. If there are no URLs that don't require username and pass then a malformed URL will be challened just as thoroughly, relegating exposure.

His Argument: It can still be hacked b/c the username and password can be bypassed even w/o a directed effort towards discovering valid auth info (brute force). Note: He thinks it's possible but in practice doesnt know how to do it or if it can indeed be done.

The only thing I could imagine happening is that someone telnets into port 80 and passes a URL in that way, but I didnt tell him that :) Since I dont know how to do that yet (I'm about to google it) I can't test it.

So what do yall think? How secure is a pw protected site from attack w/o a valid username and password?

Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com Received on Wed Dec 11 11:16:45 2002

This message: [ Message body ]
Next message: A. Bluecoat: "ISM Permissions?"
Previous message: Ogle Ron (Rennes): "FW: /Rpc virtual directory in IIS - How did it get there?"
Next in thread: Mike Coppins: "Re: IIS 4 Security"
Reply: Mike Coppins: "Re: IIS 4 Security"
Reply: Henry Sieff: "RE: IIS 4 Security"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT