[3275] in WWW Security List Archive
Re: NT WWW server Security Holes
daemon@ATHENA.MIT.EDU (Frank Knobbe)
Thu Oct 17 02:30:02 1996
From: "Frank Knobbe" <FKnobbe@ix.netcom.com>
To: Lincoln Stein <lstein@genome.wi.mit.edu>,
John Allen <JOHNAL@attachmate.com>, www-security@ns2.rutgers.edu
Date: Wed, 16 Oct 1996 22:49:33 -0600
Reply-to: FKnobbe@ix.netcom.com
CC: John Allen <JOHNAL@attachmate.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On 16 Oct 96 at 9:36, Lincoln Stein wrote about: Re: NT WWW server Security Holes
> The main concern with NT from my point of view is that there isn't
> yet much accumulated community wisdom on how to secure NT, and the
> NT installation guides are not particularly helpful for sketching
> out the big picture. To give one example, most Web servers are
> installed as a "System" service rather than being given an
> ordinary user account to run under. When I asked the Windows
> server newsgroups whether this was equivalent to giving the server
> root privileges on a Unix server, I was met by a deafening silence
> -- nobody seemed to know.
This is a valid point. Most info about security around NT comes from
gurus and hackers, usually voiced in mail lists. Next are security
companies and people whose NT security has been broken in the past.
Whom I miss on this list is Microsoft. They could and should
participate a little bit more by providing better information about
NT security in 1) manuals, 2) workshops (online or in the real world), 3)
web pages about security. BTW: root, I guess, is more like the
administrator on NT. The NT System account has a lot of rights, BUT
you can remove rights for files and directories, printers and the
registry, and by doing that render the System account a little more
harmless.
> As far as holes go, there is a history of significant holes in
> NT-based servers. The major one is a hole that allows remote users
> to execute NT commands by requesting .BAT CGI scripts. It affected:
> - Microsoft Internet Information Server version 1.0 (now fixed)
> - O'Reilly WebSite versions up to 1.0e (now fixed)
> - Netscape Secure Commerce Server (not yet fixed to my knowledge)
> - Netscape Server (not yet fixed to my knowledge)
This is true. But you have the same security hole with other OS's
(Osses? :). Sure, you don't find a BAT file on a Unix server, but rather a
PL file.
You can tighten the access through CGI pretty well with file and
directory rights.
> The moral is that no OS is secure from unanticipated bugs. Even
> Macintosh-based Web servers have security problems (for example,
> WebSTAR's default configuration allows anyone on the Internet to
> retrieve the server's access log file!)
That is correct. But if the manufacturer of the server software were
a little bit more informative about security concerns and
configuration, that would help a lot. It is not enough to appear in
the Appendix, or in two sentences on page 123.
Most of the manufacturers that you listed give their 10 words to
security. I may be wrong on this since I have not read every manual. I
know that Microsoft's manual for IIS had some info about security, but
in my eyes not elaborated enough.
IIS installs the HTTP server under a different user account; the
others I don't think do. EMWAC, Netscape, SAIC I know for sure are
installed under the System account. They should either force you to
choose a user account during the installation or write instructions
on how to do so in the readme file and/or manual.
Wrapping this up, let me add another point to your first sentence. NT
is just starting to spread, and...wow...it's spreading fast. Unix has
been around for much, much longer (what? 200 years? :). Of course
people have more experience on Unix than on NT, so they also know
more about the security holes that are present.
The idea of 'security' does not seem to be too widely spread.
Sure, experienced sys admins know about it. But newcomers and the
private individual who is proudly setting up his own web server
don't have a clue. More general education about security needs to be
taught in technical schools and other technical training courses.
Regards,
Frank Knobbe
--
http://www.netcom.com/~fknobbe
--
WARNING: ANYONE SENDING UNREQUESTED ADVERTISEMENT WILL BE
ADDED TO A FILTER LIST, WHICH WILL AUTOMATICALLY DELETE
EVERY MAIL FROM THE SENDER. THIS WILL INTERRUPT FURTHER
CORRESPONDENCE. PLEASE REFRAIN FROM SENDING JUNK E-MAIL.