: Chunshen Li [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 7:48 AM
To: CF-Talk
Subject: Challenge/Response and IIS Security
A client informed me that his site (on NT class OS and IIS web server) now
required Network password to logon.
I suspected it's NT Challenge/Response and IIS Security
-Original Message-
From: Chunshen Li [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 7:48 AM
To: CF-Talk
Subject: Challenge/Response and IIS Security
A client informed me that his site (on NT class OS and IIS web server) now
required Network password to logon.
I suspected it's NT
to the default site. That site is usually the IIS
Administration site and is Locked down.
Rick
-Original Message-
From: Chunshen Li [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:46 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security
Sorry, could you elaborate a bit
A client informed me that his site (on NT class OS and IIS web server) now required Network password to logon.
I suspected it's NT Challenge/Response and IIS Security problem with his new setup.
Did quick research to confirm my suspicion, seems that my suspicion is valid, it seems at least two
password to logon.
I suspected it's NT Challenge/Response and IIS Security problem with
his new setup.
Did quick research to confirm my suspicion, seems that my suspicion is
valid, it seems at least two situations would result in the
above-mentioned problem:
1) Anonymous Access with an NT
OK. I'm with you. Now, as my original posting indicated the IUSR_{machineOrHostName} NT user account needs to be enabled, by default,
this user belongs to Web Anonymous Users group (which I guess created by IIS during installation or the like). Question, how do you find out which directories/folders
is usually
the IIS
Administration site and is Locked down.
Rick
-Original Message-
From: Chunshen Li [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:46 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security
Sorry, could you elaborate a bit?
new
NT
: Thursday, May 13, 2004 10:33 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security
Ahe, under default web site right under web site, the options show as
you described, the setting on my box is same as what you said, now,
question, if my client's box has some entry/TEXT for the Host
, 2004 10:33 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security
Ahe, under default web site right under web site, the options show as
you described, the setting on my box is same as what you said, now,
question, if my client's box has some entry/TEXT for the Host Header Name,
in other
Ahe, under default web site right under web site, the
options show as you described, the setting on my box is same
as what you said, now, question, if my client's box has some
entry/TEXT for the Host Header Name, in other words, not
blank, then, it would require NT logon?
It does not
Forgot to add in case you wonder, I understand the
IWAM_{machineOrHostName} NT user account is required to
be enabled to start the IIS server, it's related but that
relevant to the problem at hand.
The IWAM_MACHINENAME account is only required for running out-of-process
applications.
A client informed me that his site (on NT class OS and IIS
web server) now required Network password to logon.
I suspected it's NT Challenge/Response and IIS Security
problem with his new setup.
Did quick research to confirm my suspicion, seems that my
suspicion is valid, it seems
Good info. Sorry I forgot to mention about the cf server version, it's 5.0. Now, as I asked, how to determine IUSR_MACHINENAME account's privilege to web root doc directory and subdirectories?
Under IIS, for a particular directory (folder), the two most probable options are:
1) All Tasks
a)
Now, as I asked, how to determine IUSR_MACHINENAME account's
privilege to web root doc directory and subdirectories?
Under IIS, for a particular directory (folder), the two most
probable options are:
1) All Tasks
a) permissions wizard
(what's heck is the design! just tell me what who can
Now, as I asked, how to determine IUSR_MACHINENAME account's
You will have to check the filesystem using Windows Explorer or the command
line.
Yes, I did, as my other posting indicated, IUSR_MACHINENAME account does not show up in the Users/groups list under Security, however, my site is
Yes, I did, as my other posting indicated, IUSR_MACHINENAME
account does not show up in the Users/groups list under
Security, however, my site is accessible by outside users,
so, I guessed, IUSR_MACHINENAME may be associated implicitly
by Microsoft, also, how about an unknown...account,
Oops, sorry I forgot to mention I'm checking on my XP prof box,
for XP prof there are no such user/group as of Everyone and Authenticated Users while your info could be helpful if my client's box uses this naming convention. Microsoft loves to play tricks on people :)
Again thanks.
The
Oops, sorry I forgot to mention I'm checking on my XP prof
box, for XP prof there are no such user/group as of
Everyone and Authenticated Users while your info could be
helpful if my client's box uses this naming convention.
Microsoft loves to play tricks on people :)
I don't have an XP
Shoot, excuse me for the lang, I was so absent-minded, missed the key word, contextual in your last posting, OK, what's the nuance between EVERYONE and ANONYMOUS LOGON from a site access perspective?
Man! you're very very detail-oriented, a great quality, I'd say.
Don
I don't have an XP box
Shoot, excuse me for the lang, I was so absent-minded, missed
the key word, contextual in your last posting, OK, what's
the nuance between EVERYONE and ANONYMOUS LOGON from a site
access perspective?
The difference between them, from the perspective of setting filesystem
permissions, is
I would strongly recommend avoiding the use of Everyone when setting
filesystem permissions, though. Use Authenticated Users instead. The
IUSR_MACHINENAME account is also a member of that group.
Excellent. I read about not to use EVERYONE account, however, I forgot (can't focus well these days,
Now, how would you determine if some of the users from the
list may be fakeID/backdoor user account? One way, I guess
might be, get mandatory or system default user account list
for NT/XP/given win OS and then separate them from the rest,
then examine the remaining? better approach?
I
What is the disadvantage of using the native IIS directory security
functionality over using a cf-based login?
Candace K. Cottrell, Web Developer
The Children's Medical Center
One Children's Plaza
Dayton, OH 45404
937-641-4293
http://www.childrensdayton.org
[EMAIL PROTECTED]
I am pretty sure that there are Netscape issues with IIS/NT security based
systems.
-Original Message-
From: Candace Cottrell [mailto:[EMAIL PROTECTED]]
Sent: 24 September 2002 14:54
To: CF-Talk
Subject: IIS Security
What is the disadvantage of using the native IIS directory security
: IIS Security
What is the disadvantage of using the native IIS directory security
functionality over using a cf-based login?
Candace K. Cottrell, Web Developer
The Children's Medical Center
One Children's Plaza
Dayton, OH 45404
937-641-4293
http://www.childrensdayton.org
[EMAIL PROTECTED
Candace Cottrell wrote:
What is the disadvantage of using the native IIS directory security
functionality over using a cf-based login?
you don't have so much control over the interface ( ie browser login
dialogs ) and it's generally more flexible via cf logins with error
handling.. ie you
Robertson-Ravo, Neil (REC) wrote:
I am pretty sure that there are Netscape issues with IIS/NT security based
systems.
only with NTLM/Kerberos auth, use basic security... NTLM is not secure
anyway coz it's flawed (crackable) ... if you are worried about
passwords in clear text then use ssl
z
I'm thinking I should just try to figure out this LDAP thing.
That way I don't have to give all these folks 50-11 usernames and
passwords.
We are on Novell, and this is an intranet setting :)
Candace K. Cottrell, Web Developer
The Children's Medical Center
One Children's Plaza
Dayton, OH
Why not give them an interface to assign their own Unique CF run UserID/PW,
with a master admin function that allows one person to add, modify and
delete them if needed? In one scenario we set this up for a client and
because it was an Intranet, each individual had to sign up themselves
there!
Good luck!
Jason
CFDynamics.com
-Original Message-
From: Robertson-Ravo, Neil (REC)
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:57 AM
To: CF-Talk
Subject: RE: IIS Security
I am pretty sure that there are Netscape issues with IIS/NT
security based
Hi list, I wonder if this issue is published already:
KPMG has recently published for IIS on Win-NT/2000 the following:
If a domain like this is hit: (Example !!)
http://www.cfserveraufnt.de/nul..dbm
there is a fault-message returned:
Error Diagnostic Information
The template
cf-talk wrote:
Hi list, I wonder if this issue is published already:
KPMG has recently published for IIS on Win-NT/2000 the following:
Yes, it is published already. For the full info:
http://online.securityfocus.com/archive/1/268263
Here a solution of KPMG is released
Actually, it is the
Unfortunately RDS on CF 5 isn't working anymore after this
workaround.
You can fix that very easily - that's a CF 5 install bug. When you install
CF 5, it creates two directories in your web root: CFIDE and Main. However,
it's supposed to create Main within CFIDE. Just move Main into CFIDE,
For what it's worth, does anyone have a really thorough checklist and how
to for tuning and securing IIS 5?
-Brad
-Original Message-
From: Lee Fuller [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 6:15 PM
To: CF-Talk
Subject: RE: New IIS security tool
I can't get the silly
Here's one source (of many):
http://nsa1.www.conxion.com/win2k/download.htm
HTH, George
-Original Message-
From: Brad Roberts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 10:07 AM
To: CF-Talk
Subject: RE: New IIS security tool
For what it's worth, does anyone
:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 10:07 AM
To: CF-Talk
Subject: RE: New IIS security tool
For what it's worth, does anyone have a really thorough checklist and how
to for tuning and securing IIS 5?
-Brad
-Original Message-
From: Lee Fuller [mailto:[EMAIL PROTECTED]]
Sent
For what it's worth, does anyone have a really thorough
checklist and how to for tuning and securing IIS 5?
Yes. Microsoft does (at least for securing - tuning is covered in the IIS
Resource Kit).
Secure Internet Information Services 5 Checklist:
Has anyone tried this new IIS tool?
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
I will try it on a development server first, but wanted to see if anyone
has had good or bad experiences.
From NTBugtraq...reprinted without permission, so sue me.
I'm not exactly sure why I'm supposed to be elated, maybe it's the fact
it has an Undo feature. Call it sour grapes, but this thing falls
short of what I offered as a prototype several weeks ago (in some ways)
while being far superior in
Has anyone tried this new IIS tool?
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
I will try it on a development server first, but wanted to
see if anyone has had good or bad experiences.
I haven't tried it, since it doesn't
-Original Message-
From: Jon Hall [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 2:11 PM
To: CF-Talk
Subject: Re: New IIS security tool
From NTBugtraq...reprinted without permission, so sue me.
I'm not exactly sure why I'm supposed to be elated, maybe it's
the fact it has
It seems fairly clear that the subject line of this thread needed
changing.
Can anyone show the .htr vulnerability on a server other than IIS?
Pan
--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To
: [EMAIL PROTECTED]
- Original Message -
From: pan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 04, 2000 10:23 AM
Subject: IIS security problem -- not Allaire security problem - anyone know
solution?
It seems fairly clear that the subject line of this thread needed