You can change the account it starts as in the services manager, and you 
can change the user account that each virtual uses. Is there something that 
I am missing?

At 08:45 PM 9/25/2001 -0400, you wrote:
> > ... do you really believe that IIS is as secure as Apache etc?
>
>No, I don't believe it is. The biggest security flaw with IIS (one that
>can't be patched or fixed in the current releases, I don't think) is that it
>runs within the SYSTEM security context - which is essentially equivalent to
>running as root on Unix.  The reason IIS runs as SYSTEM is so that it can
>perform impersonation of other users. This is how IIS can integrate so well
>with Windows security (ACLs, user rights, etc.). Apache, even on Windows,
>can be run as a less-privileged user. So, if an IIS exploit runs before the
>impersonated user's security context kicks in, the exploit code runs as
>SYSTEM, which is a very bad thing.
>
>However, I don't recall any IIS buffer overflow exploits that can do this
>without taking advantage of one of the ISAPI extensions that most people
>don't use anyway, so if you've removed all those unused extensions, I
>suspect you're pretty safe from that kind of attack. I don't think that any
>buffer overflows are likely to turn up in the core IIS engine - if there
>were, they'd have been found by now!
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>voice: (202) 797-5496
>