iis security:

What log fields are you seeing the username/password show up?

I'm not aware of IIS intentionally trying to log username/password. But, if
you happen to pass this info around in a loggable field and then instruct
IIS to log it, I fail to see how this is an IIS issue. Either stop logging
the fields, or move your username/password collection to be more secure.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
I'm using an asp page to collect logon informations (user name and password)
to gain access into my system. When I was looking through the IIS log, I've
noticed that it recorded the user name and password in the log. This
happens using IIS 5.0 Windows 2000. When I use II 6.0 on Windows 2003, I
don't see this problem. Upgrading to IIS 6.0 at this point isn't an option
for me and swtiching over to the existing IIS 6.0 is too far in the future.
Is there a patch or configuration I can apply/use to prevent the log from
logging the user name and password, at least not in clear text?

On Wed, 30 Jun 2004 13:45:01 -0700, Kazama718
[quoted text, click to view]

Are you using a POST on a form or are you using a Query string to pass
the login/password? If it's on the query string, it's part of the URL
and gets logged.