r 09, 2001 6:16 PM
Subject: RE: Location of web root
> You couldn't use posix because you would have removed all reference to POSIX
> when locking down IIS
>
> -Original Message-
> From: Rj Subramanian [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 08, 2001 7:50
x box anyway! :)
-Original Message-
From: Rj Subramanian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 08, 2001 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: Location of web root
Hey all,
Directory traversals are one thing, but can anybody think of any reason why
an attacker couldn'
You couldn't use posix because you would have removed all reference to POSIX
when locking down IIS
-Original Message-
From: Rj Subramanian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 08, 2001 7:50 PM
To: [EMAIL PROTECTED]
Subject: RE: Location of web root
Hey all,
Dire
50 AM
To: [EMAIL PROTECTED]
Subject: RE: Location of web root
Hey all,
Directory traversals are one thing, but can anybody think of any reason why
an attacker couldn't use the posix subsystem to navigate to whichever
drive\partition\directory he or she wanted to test?
Rj Subramanian
All the recommendations on moving the web root to another drive are
valid and correct. In fact, as Stefan Osterlitz points out, changing
the default names and locations for as much of the system hierarchy as
possible will enhance security.
In particular, if the utmost security is necessary, I re
ailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 06, 2001 4:46 AM
To: [EMAIL PROTECTED]
Subject: RE: Location of web root
The first major point about placing the wwwroot in a non-standard location
is for the Directory Traversal exploit as you've brought up already. Many
exploits will either rely o
On Fri, 2001-11-02 at 00:36, Daymon McCartney wrote:
> I'm trying to articulate the reasons why it's better to place the root of a
> website on a separate partition, or at least in a separate directory from
> the application which uses IIS as a front-end...
I'm new around here, so maybe I'm off
The best reason is that directory traversal (unicode) attacks don't
work. This is the method that CR used to put in the "backdoor". It moved
cmd.exe from c:\winnt\system32 to c:\inetpub\wwwroot\scripts and renamed
it to root.exe. This would not be possible if it were on a separate
drive or partit
al Message-
From: Mike Joffe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 06, 2001 2:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Location of web root
Daymon,
Paranoia in the wake of Nimda and Code Red is hardly a bad thing, and I'd
look at this question primarily from a security po
> Unfortunately, everyone thinks I'm crazy and cannot see the impact that the
> placement of the root folder may have. What sort of concrete evidence is
> out there for me to use to support my case? ...Or am I just being too
> paranoid about the placement of the root folder?!?
Most attacks
My two cents: no comment on hardening, but if the OS is on C: and the
web pages are on D: AND D: is a physically separate disk, you get at
least a 10-20% performance increase simply because OS operations and web
access are on two separate drives.
-Original Message-
From: Daymon McCartne