[3260] in WWW Security List Archive


Re: NT WWW server Security Holes

daemon@ATHENA.MIT.EDU (Lincoln Stein)
Wed Oct 16 12:06:06 1996

Date: Wed, 16 Oct 1996 09:36:23 -0400
From: Lincoln Stein <lstein@genome.wi.mit.edu>
To: FKnobbe@ix.netcom.com
Cc: John Allen <JOHNAL@attachmate.com>, www-security@ns2.rutgers.edu
In-Reply-To: <199610152148.OAA11174@dfw-ix1.ix.netcom.com>
Errors-To: owner-www-security@ns2.rutgers.edu

Frank,

The main concern with NT from my point of view is that there isn't yet
much accumulated community wisdom on how to secure NT, and the NT
installation guides are not particularly helpful for sketching out the
big picture.  To give one example, most Web servers are installed as a
"System" service rather than being given an ordinary user account to
run under.  When I asked the Windows server newsgroups whether this
was equivalent to giving the server root privileges on a Unix server,
I was met by a deafening silence -- nobody seemed to know.

As far as holes go, there is a history of significant holes in
NT-based servers.  The major one is a hole that allows remote users to
execute NT commands by requesting .BAT CGI scripts.  It affected:

	- Microsoft Internet Information Server version 1.0 (now fixed)
	- O'Reilly WebSite versions up to 1.0e (now fixed)
	- Netscape Secure Commerce Server (not yet fixed to my knowledge)
	- Netscape Server (not yet fixed to my knowledge)

The moral is that no OS is secure from unanticipated bugs.  Even
Macintosh-based Web servers have security problems (for example,
WebSTAR's default configuration allows anyone on the Internet to
retrieve the server's access log file!)

Lincoln

Frank Knobbe writes:
 > -----BEGIN PGP SIGNED MESSAGE-----
 > 
 > On 15 Oct 96 at 9:16, John Allen wrote about: NT WWW server Security 
 > Holes
 > 
 > > A client of mine recently made the comment to me that NT was a more
 > > secure Web server than UNIX because it was a newer operating system
 > > and hackers haven't found any big holes in it yet. Since I have
 > > never been a fan of "Security through Ignorance", I thought I would
 > > ask the list if there are any known security holes with NT as far as
 > > WWW servers go. I do know that the Registry is accessible remotely,
 > > but is that a default setting? Are there any resources on the 'Net
 > > that point out potential security holes? Are there any known
 > > equivalents to the NCSA/phf hole in NT??
 > 
 > A few links to WWW and/or NT related security topics are:
 > 
 > Internet Security Systems, Inc. Home Page - ISS: http://www.iss.net/
 > Somarsoft - Windows NT Security Issues: http://www.somarsoft.com/security.htm
 > The WWW Security FAQ: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
 > Security & Firewalls: http://www.sandcastle-ltd.com/security.html
 > 
 > Hope that helps,
 > Frank
 > 
 > -----BEGIN PGP SIGNATURE-----
 > Version: 2.6.2
 > 
 > -----END PGP SIGNATURE-----
 > 
 > --
 > http://www.netcom.com/~fknobbe
 > --
 > WARNING: ANYONE SENDING UNREQUESTED ADVERTISEMENT WILL BE
 > ADDED TO A FILTER LIST, WHICH WILL AUTOMATICALLY DELETE 
 > EVERY MAIL FROM THE SENDER. THIS WILL INTERRUPT FURTHER 
 > CORRESPONDENCE. PLEASE REFRAIN FROM SENDING JUNK E-MAIL.
-- 
Lincoln D. Stein, MD, PhD               WI/MIT Center for Genome Research
lstein@genome.wi.mit.edu                Bldg 300, One Kendall Square    
http://www.genome.wi.mit.edu/~lstein/   Cambridge, MA 02139
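
One way to audit a server for exposure to the .BAT CGI hole described in the message above, as an added example that is not part of the original e-mail or of any product it names: a scan of Common Log Format access logs for requests that resolve to a batch script, normalising case, percent-encoding and trailing path info. The log lines, the `.cmd` extension and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# .bat is the extension named in the message; .cmd is an added assumption.
BATCH_EXTS = (".bat", ".cmd")

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so %2Ebat and %252Ebat both normalise."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def batch_script_in(path):
    """Return the batch-script segment of path, or None (checks every segment)."""
    for seg in decode_fully(path).lower().split("/"):
        seg = seg.rstrip(". ")  # Windows ignores trailing dots and spaces
        if seg.endswith(BATCH_EXTS):
            return seg
    return None

def scan(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path, _, query = m["target"].partition("?")
        script = batch_script_in(path)
        if script:
            findings.append({"line": n, "host": m["host"], "script": script,
                             "status": int(m["status"]), "has_args": bool(query)})
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Oct/1996:09:36:23 -0400] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [16/Oct/1996:09:36:30 -0400] "GET /cgi-bin/test.bat?x=1 HTTP/1.0" 200 88',
    '198.51.100.7 - - [16/Oct/1996:09:37:02 -0400] "GET /cgi-bin/TEST%2EBAT HTTP/1.0" 200 88',
    '198.51.100.7 - - [16/Oct/1996:09:37:09 -0400] "GET /scripts/report%252Ebat/extra?y=2 HTTP/1.0" 200 90',
    '192.0.2.44 - - [16/Oct/1996:09:38:00 -0400] "GET /docs/combat.html HTTP/1.0" 200 1024',
    '192.0.2.44 - - [16/Oct/1996:09:38:05 -0400] "GET /cgi-bin/run.cmd. HTTP/1.0" 404 0',
]
```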
