[3278] in WWW Security List Archive
Re: NT WWW server Security Holes
daemon@ATHENA.MIT.EDU (David W. Morris)
Thu Oct 17 05:43:16 1996
Date: Thu, 17 Oct 1996 00:14:01 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: Lincoln Stein <lstein@genome.wi.mit.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9610161336.AA05851@oreo>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 16 Oct 1996, Lincoln Stein wrote:
> Frank,
>
> The main concern with NT from my point of view is that there isn't yet
> much accumulated community wisdom on how to secure NT, and the NT

Yep!

> installation guides are not particularly helpful for sketching out the
> big picture. To give one example, most Web servers are installed as a
> "System" service rather than being given an ordinary user account to
> run under. When I asked the Windows server newsgroups whether this

The partial answer is that it depends ... services can be installed
either way on NT. A server should be installed as a service, otherwise
it can't be started when the system boots but rather would be started
as an ordinary application when the installing user logs in ... and
given that user is likely an admin there is still a problem.

There have been three or four articles in the Windows Developer Journal
over the earlier months of this year talking about how to write
NT services ... and they sketched out the various pros/cons.
The perspective wasn't security, but a person knowledgeable about
security issues could learn a lot.

I would give exact cites but the mags are in another location. If there
is interest I can post tomorrow.
Dave Morris