RE: [Hardhats-members] VistA Web

[David Sommers]

Well Nancy - you were most likely hit with CodeRed.

[anti-flame war hat on]

I like to think that I'm the ambassador for all OSes - I've used them
all and my three favorites are Windows, OS X, and Linux right now.
(Although I'm installing FreeBSD on second box in the background right
now.)

Back in the early days of both IIS and Apache - it was easy to install
the system with no patches and get hacked - pure and simple.  Now - we
know what "least priveledges" means, how to NAT/firewall, etc.

The problem with Windows and IIS is most users install it by default
(which isn't the case for XP or 2003 anymore).  Your standard Windows
user is about 5 cans short of a 6 pack and has no idea what IIS even
stands for.

Many of you are linux geeks and you know how to protect your Apache -
here are some hints for your IIS on 2000 and XP.  (2003 ships with a
secure base configuration)

First and foremost, IIS Lockdown.  This one does A LOT - so read the
instructions carefully.
http://www.microsoft.com/technet/security/tools/locktool.mspx

URL Scan is an optional component of IIS Lockdown.  It restricts the
information being posted via IIS.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/
html/secmod114.asp

Patterns and Practices: Securing your Web Server
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/
html/secmod89.asp

NSA Security Configuration Guides
http://www.nsa.gov/snac/
For IIS:
http://www.nsa.gov/snac/downloads_miis.cfm?MenuID=scg10.3.1.4

And don't knock IIS too much; Apache has its problems too.  Patch it -
secure it - check it.

There's not that many great single source guidelines for Apache.  You'll
find some information with the NSA (since they did all the SELinux stuff
too) and some with Apache.
http://httpd.apache.org/docs-2.0/misc/security_tips.html
http://www.nsa.gov/selinux/index.cfm

Put your pitch forks down... I'm just being fair.  If you take a few
minutes to make sure your setup is solid, you can make it work great
like eWeek did for their OpenHack competition.  The contest was to hack
either the Apache/Oracle/Java or IIS/SQL/.NET setup.  They both stood up
well (the Oracle stack was hacked but it was due to the application
itself being vulnerable and not the underlying software).  Note - most
systems are hacked through non-OS software such as Web Apps or simply by
lack of proper administration (bad setup, not patched, etc).
http://www.eweek.com/article2/0,1759,741388,00.asp

/David.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nancy
Anthracite
Sent: Friday, April 22, 2005 5:27 PM
To: hardhats-members@lists.sourceforge.net
Subject: Re: [Hardhats-members] VistA Web

Time for a web search for a work-around ... meanwhile, those with XP Pro
have 
IIS as an option for their installation.  Can they least try it or does
it 
take something more than that, I wonder?  

Anyone who uses IIS, be careful. It is a popular target.  A few years
back I 
was using it to debug some code for a web site that was going to run on
an 
IIS server.  I got hit successfully with my first virus when I was using
it.  
My screen blanked and a message came up, "You have been hacked by
Chinese."  
I shut it down and reformatted the disk.  After that, I didn't start it
when 
my machine was connected to the Internet. 

On Friday 22 April 2005 04:54 pm, Mark Street wrote:
> It looks to me like it is pretty much Windoze 2003 specific.  Too
bad....
>
> Software Requirements.... from the installation document.
>
> Windows Server 2003 Enterprise, configured with the role of
Application
> Server Internet Information Services (IIS) 6.0 (installed by default
as
> part of the Application Server role)
> Microsoft Visual J#.NET 2003 runtime component
> .NET Framework 1.1 (part of the Windows Server 2003 operating system
> default installation)
> FTP services and an FTP folder (to be used as a staging location for
> updates to VistAWeb)
> SMTP Virtual Server
> .NET Framework 1.1 is installed by default on Windows 2003 systems.
> Services packs and updates to all three components are available
through
> Microsoft Windows update (http://windowsupdate.microsoft.com).
> Web Extension Services set to allow ASP.NET extensions (see Figure 2)
>
> On Friday 22 April 2005 11:49, Nancy Anthracite wrote:
> > Well, then I guess we will have to just figure out how to do that -
> > tunnel it or whatever.  We have only begun to fight!
> >
> > Actually, since the Hui project folks gave me that nice bound copy
of the
> > documentation, I think they have it going, but I think they said it
uses
> > an IIS server, which means we will have to see about Apache and all
of
> > that, too.  It may be written with VB Script or something.  I really
> > haven't looked at it at all since I have been working on getting the
> > CPRS/Wine problem licked - which we are finally making some progress
on,
> > I think/hope.

-- 
Nancy Anthracite


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Hardhats-members mailing list
Hardhats-members@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hardhats-members


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Hardhats-members mailing list
Hardhats-members@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hardhats-members