Media Player, Netmeeting and possibly Outlook Express have no business being on a locked-down Windows 2003 Web Server used only to host web sites, yet I cannot figure out how to un-install, or at least cripple, them.

How do I do that?

Thanks,
Robert
Thanks for reply.

From experience (not all forums are responsive), I posted the same question to microsoft.public.windows.server.security and got a long series of non-answers, reflexive defenses of Microsoft, and the simple answer buried deep in the answer. Please see that long **** if you are curious about the philosophy debate.

Long & Short of the responses:
1. Media Player, Netmeeting and Outlook Express are required installs for Web Server and can not be disabled/uninstalled without breaking OS.
2. Their exe & dlls can not be attack points for hackers who exploit the on-going parade of buffer-over runs.
3. Win 2003 is great [with that I REALLY agree!]
"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message news:3ff93b57.608328620@msnews.microsoft.com...
> Not exactly. They may exhibit some client exploits, but in the cases
> I've seen you'd have to either browse to a web site or download email
> or a file to exploit any holes. Since you wouldn't normally do any of
> this on your web server, you're sort of safe.
I think you've just come up with a good slogan for the next ad campaign: "Windows 2003: You're sort of safe." Or, "Windows 2003: Don't browse the web or check your email." Are we supposed to feel OK that our enterprise server farm is "sort of safe?"

If these products such as OE are so unsafe, we should also be upset about them being mandatory and unremovable in workstations as well as server products, where "just don't check your email or browse the web" or "just use Group Policy" isn't a very workable option. A truly secure OS would give you a way to disable unneeded components.

> Also, you can disable file associations with these programs so even
> clicking on a file on a web site won't launch them. Especially
> Netmeeting, where remote desktop is disabled by default anyway.
A software company that is serious about committing to security over marketing and market share would have done so years ago with these and many other file associations.
You might want to rephrase your question. And what is the flaw with the web server?

The app you mentioned can be blocked either via permission or GPO restriction, I believed.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
Ok. I read that thread. Everyone got some points there.

To one point, your question on 'removing' those unnecessary programs makes sense, as you don't need them at all. However, on the attacking point of exe / dll, if an attacker already 'enters' your system via another channel, with or without these programs, they still 'got' you.

As for the reason why it is there? I'm sure there's some reason behind it, but I would love to be able to remove these programs if you really don't need them.

Finally, your subject does sound a bit confusing and indicates that there are some flaws with IIS6.0.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
On Mon, 29 Dec 2003 00:50:42 -0500, "Robert Waite" <bob2dev@tampabay.rr.com> wrote:
>Thanks for reply.
>
>From experience (not all forums are responsive), I posted the same question
>to microsoft.public.windows.server.security
>and got a long series of non-answers, reflexive defenses of Microsoft, and
>the simple answer buried deep in the answer. Please see that long **** if you are
>curious about the philosophy debate.
>
>Long & Short of the responses:
>1. Media Player, Netmeeting and Outlook Express are required installs for
>Web Server and can not be disabled/uninstalled without breaking OS.
For Outlook Express, a variation on this may work:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263837

We've removed Netmeeting on XP systems using:

    RunDll32 advpack.dll,LaunchINFSection C:\WINNT\inf\msnetmtg.inf,NetMtg.Remove

Haven't ever tried this on Server 2003.

Windows Media Player needs to be patched, but I don't know any way to completely remove it.

>2. Their exe & dlls can not be attack points for hackers who exploit the
>on-going parade of buffer-over runs.
Not exactly. They may exhibit some client exploits, but in the cases I've seen you'd have to either browse to a web site or download email or a file to exploit any holes. Since you wouldn't normally do any of this on your web server, you're sort of safe.

Also, you can disable file associations with these programs so even clicking on a file on a web site won't launch them. Especially Netmeeting, where remote desktop is disabled by default anyway.

>3. Win 2003 is great [with that I REALLY agree!]
It is, but it's a *server* and you shouldn't be vulnerable to client attacks as long as you're not using it as a client.

At any rate, there really *should* be a lockdown option or removal option for these utilities on a server. Unused functions should always be disabled.

Jeff
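The permission-based block suggested earlier in the thread, written out as an added example (not code from any poster): a PowerShell script that adds a Deny ExecuteFile ACE for Everyone to the three client executables, with a dry-run mode. The install paths are assumed defaults, the function names are hypothetical, and it assumes PowerShell 2.0 or later has been installed on the server and is run elevated.

```powershell
# Added example. Paths are the usual default install locations (assumed);
# adjust them for the server being hardened. Run from an elevated prompt.
$Targets = @(
    "$env:ProgramFiles\Windows Media Player\wmplayer.exe",
    "$env:ProgramFiles\NetMeeting\conf.exe",
    "$env:ProgramFiles\Outlook Express\msimn.exe"
)

# Well-known SID for Everyone; using the SID avoids localized account names.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$Execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# True if the file already carries a Deny ACE for Everyone covering execute.
function Test-ExecuteDenied {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq $Everyone.Value -and
            ($r.FileSystemRights -band $Execute)) { return $true }
    }
    return $false
}

# Adds the Deny ACE where it is missing and reports one status per file.
function Deny-Execute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Path = $Targets)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p -PathType Leaf)) {
            $status = 'NotPresent'
        } elseif (Test-ExecuteDenied -Path $p) {
            $status = 'AlreadyDenied'
        } elseif ($PSCmdlet.ShouldProcess($p, 'Add Deny ExecuteFile ACE for Everyone')) {
            $acl  = Get-Acl -Path $p
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Everyone, $Execute, 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $p -AclObject $acl
            $status = 'Denied'
        } else {
            $status = 'WouldDeny'
        }
        New-Object PSObject -Property @{ Path = $p; Status = $status }
    }
}

# Dry run first; drop -WhatIf to apply the change.
Deny-Execute -WhatIf | Format-Table -AutoSize
```

A Deny ACE for Everyone also stops administrators from launching these programs until the ACE is removed, and it does nothing about the DLLs other components load, so patching is still required.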
On Mon, 29 Dec 2003 10:46:32 -0500, "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote:
>"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
>news:3ff93b57.608328620@msnews.microsoft.com...
>
>> Not exactly. They may exhibit some client exploits, but in the cases
>> I've seen you'd have to either browse to a web site or download email
>> or a file to exploit any holes. Since you wouldn't normally do any of
>> this on your web server, you're sort of safe.
>
>I think you've just come up with a good slogan for the next ad campaign:
>"Windows 2003: You're sort of safe." Or, "Windows 2003: Don't browse the
>web or check your email." Are we supposed to feel OK that our enterprise
>server farm is "sort of safe?"
Well, I could argue that *all* systems can only qualify as "sort of safe" since by the very nature of providing access to them we have opened a potential hole.

>If these products such as OE are so unsafe, we should also be upset about
>them being mandatory and unremovable in workstations as well as server
>products, where "just don't check your email or browse the web" or "just use
>Group Policy" isn't a very workable option. A truly secure OS would give
>you a way to disable unneeded components.
No arguments here. But the caveat to this is that the Windows OS is so tightly integrated with these functions that they can't be separated effectively. Windows isn't a modular operating system.

>> Also, you can disable file associations with these programs so even
>> clicking on a file on a web site won't launch them. Especially
>> Netmeeting, where remote desktop is disabled by default anyway.
>
>A software company that is serious about committing security over marketing
>and market share, they would have done so years ago with these and many
>other file associations.
It's not the file associations that are the problem, it's the flaws in the software associated with them. If we extend the file associations being disabled argument, we'd have to ensure that no executable can be launched by other than manual means. While good in a security sense, it sacrifices usability.

Same argument about secure passwords. A 24 character random string makes a pretty secure password, but since it can't be remembered it would have to be written down, opening a new potential exploit hackers would probably call the "looking under the keyboard" exploit.

You can never be truly secure. You can only be "secure enough". And what constitutes "secure enough" will vary by organization and even system.
Thanks to Jeff and Karl for useful and thoroughly professional replies!

Robert Waite
On Mon, 29 Dec 2003 19:13:07 -0500, "Robert Waite" <bob2dev@tampabay.rr.com> wrote:
>Thanks to Jeff and Karl for useful and thoroughly professional replies!
Hey there, don't go accusing me of being useful now...

Jeff