| Groups | Blog | Home |
iis security : Map folder to drive letter instead of partitioning disk
I have run into a problem and I wanted to run my idea by the group to receive your feedback on it. I would like to follow the best practice of putting the system, web content and log files in different drive partitions. However, I have to do this on an existing web server with all these three on the C drive. I don't have the option to rebuild it, nor do I have Partition Magic or any similar tool. So, using separate drive partitions is not possible. Instead of partitioning my disk, if I share the Inetpub folder and then map it to a different drive letter, would I achieve the same effect (mitigation of directory traversal attacks) as if I were to use a genuine drive partition? Using a different partition for the logs would prevent a denial of service attack (by filling up the system partition) from taking place. Is this also achievable by using a mapped drive? Thanks in advance! I appreciate your help. Best regards, NK
Hmm, didn't think about the mapped drive to mitigate a part of ASP Path
Tranversal... but it seems to work for me on IIS5 from a mitigation perspective. It doesn't work for logging, though, as IIS insists on a local partition there (logging to UNC is just not a good idea). Another thought -- this is the sort of server that we'd like to recommend users consolidate using the upcoming "Virtual Server" technology. You can create a replica of this server as a virtual machine and run it on a modern-day PC (which you can upgrade as needed), and the virtual machine's HD can always grow as needed (limited by physical HD space). No Partition Magic needed. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "NK" <anonymous@discussions.microsoft.com> wrote in message Hello,news:082e01c3c5eb$648d63c0$a101280a@phx.gbl... I have run into a problem and I wanted to run my idea by the group to receive your feedback on it. I would like to follow the best practice of putting the system, web content and log files in different drive partitions. However, I have to do this on an existing web server with all these three on the C drive. I don't have the option to rebuild it, nor do I have Partition Magic or any similar tool. So, using separate drive partitions is not possible. Instead of partitioning my disk, if I share the Inetpub folder and then map it to a different drive letter, would I achieve the same effect (mitigation of directory traversal attacks) as if I were to use a genuine drive partition? Using a different partition for the logs would prevent a denial of service attack (by filling up the system partition) from taking place. Is this also achievable by using a mapped drive? Thanks in advance! I appreciate your help. Best regards, NK
[quoted text, click to view]
David Wang [Msft] wrote: PMJI,> Hmm, didn't think about the mapped drive to mitigate a part of ASP Path > Tranversal... but it seems to work for me on IIS5 from a mitigation > perspective. > > It doesn't work for logging, though, as IIS insists on a local partition > there (logging to UNC is just not a good idea). > > Another thought -- this is the sort of server that we'd like to recommend > users consolidate using the upcoming "Virtual Server" technology. You can > create a replica of this server as a virtual machine and run it on a > modern-day PC (which you can upgrade as needed), and the virtual machine's > HD can always grow as needed (limited by physical HD space). No Partition > Magic needed. > Additionally, in the ordinary course of events, a mapped drive sees all the space available on it's physical disk(s), and will merrily fill it up. I don't know if you can impose disk quotas on a share.
[quoted text, click to view] >-----Original Message-----
>Hello, > >I have run into a problem and I wanted to run my idea by >the group to receive your feedback on it. > >I would like to follow the best practice of putting the >system, web content and log files in different drive >partitions. However, I have to do this on an existing web >server with all these three on the C drive. I don't have >the option to rebuild it, nor do I have Partition Magic >or any similar tool. So, using separate drive partitions >is not possible. > >Instead of partitioning my disk, if I share the Inetpub >folder and then map it to a different drive letter, would >I achieve the same effect (mitigation of directory >traversal attacks) as if I were to use a genuine drive >partition? Using a different partition for the logs would >prevent a denial of service attack (by filling up the >system partition) from taking place. Is this also >achievable by using a mapped drive? > >Thanks in advance! I appreciate your help. > >Best regards, >NK > >.
I wouldn't bet the security of my company's data on such a scheme.
You could use the free FIPS utility. [Except I'm not sure whether it works on NTFS partitions, and make sure you have a backup and plenty of free disk space and defragmented for contigous free space first.] You could also just purchase additional hard drives. Depending on what kind of drives you're using, they're relatively cheap. [quoted text, click to view] "NK" <anonymous@discussions.microsoft.com> wrote in message news:082e01c3c5eb$648d63c0$a101280a@phx.gbl... > Hello, > > I have run into a problem and I wanted to run my idea by > the group to receive your feedback on it. > > I would like to follow the best practice of putting the > system, web content and log files in different drive > partitions. However, I have to do this on an existing web > server with all these three on the C drive. I don't have > the option to rebuild it, nor do I have Partition Magic > or any similar tool. So, using separate drive partitions > is not possible. > > Instead of partitioning my disk, if I share the Inetpub > folder and then map it to a different drive letter, would > I achieve the same effect (mitigation of directory > traversal attacks) as if I were to use a genuine drive > partition? Using a different partition for the logs would > prevent a denial of service attack (by filling up the > system partition) from taking place. Is this also > achievable by using a mapped drive? > > Thanks in advance! I appreciate your help. > > Best regards, > NK >
On Thu, 18 Dec 2003 20:48:49 -0800, "NK"
[quoted text, click to view] <anonymous@discussions.microsoft.com> wrote: >Hello, > >I have run into a problem and I wanted to run my idea by >the group to receive your feedback on it. > >I would like to follow the best practice of putting the >system, web content and log files in different drive >partitions. However, I have to do this on an existing web >server with all these three on the C drive. I don't have >the option to rebuild it, nor do I have Partition Magic >or any similar tool. So, using separate drive partitions >is not possible. > >Instead of partitioning my disk, if I share the Inetpub >folder and then map it to a different drive letter, would >I achieve the same effect (mitigation of directory >traversal attacks) as if I were to use a genuine drive >partition? No. [quoted text, click to view] >Using a different partition for the logs would >prevent a denial of service attack (by filling up the >system partition) from taking place. Is this also >achievable by using a mapped drive? No.
On Thu, 18 Dec 2003 23:49:30 -0800, "David Wang [Msft]"
[quoted text, click to view] <someone@online.microsoft.com> wrote: >Hmm, didn't think about the mapped drive to mitigate a part of ASP Path >Tranversal... but it seems to work for me on IIS5 from a mitigation >perspective. That depends on the transversal being attempted. While there shouldn't be any available if you use security and apply the various fixes, a transversal can start in either the mapped drive *or* the physical partition. Naturally, if it starts in the mapped drive and can't move higher in the heirarchy, it will get stopped.
Yeah, that's why I said a part of the traversal attack. Mapped drive stops
the ../ traversal starting from the mapped drive, but it's not going to stop an absolute path. And certainly, it's not going to help the "content/log files on system partition" issue at all. Bottom line, if you want to use disk partitions, use real physical disks from some source. If you cannot spare the namespace change, MOUNT the partitions on the new disk into the old partition's namespace. i.e. purchase another HD, create two partitions on it, and MOUNT those partitions onto the C:\inetpub\wwwroot directory (after copying all that content to the partition) as well as the LogFiles directory. Voila. You've just segregated web content/log from System partition without changing any existing configuration -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message news:3fe90c98.778226580@msnews.microsoft.com... On Thu, 18 Dec 2003 23:49:30 -0800, "David Wang [Msft]" <someone@online.microsoft.com> wrote: >Hmm, didn't think about the mapped drive to mitigate a part of ASP Path >Tranversal... but it seems to work for me on IIS5 from a mitigation >perspective. That depends on the transversal being attempted. While there shouldn't be any available if you use security and apply the various fixes, a transversal can start in either the mapped drive *or* the physical partition. Naturally, if it starts in the mapped drive and can't move higher in the heirarchy, it will get stopped. Jeff
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |