iis security: Critical Updates -- iis security

Critical Updates

avildasfriend
7/28/2004 4:06:50 PM

iis security:

On a windows 2000 server, I used the web to download and
install five critical security updates. KB839645-
Vulnerability in Windows Shell could allow remote code
execution, KB840315-Vulnerability in html help could allow
code execution,KB841873-Vulnerability in Task Scheduler
could allow code execution, KB841872-Vulnerability in
POSIX could allow code execution, and KB842526-
Vulnerability in Utility Manager could allow code
execution. Concurrent with these updates, Users were
unable to log into our internal web pages, or edit public
or internal pages. Security Properties for the directory
in question included Web Anonymous User, which only had
deny "write" checked. (I do not know the
users/permissions originally set for this directory) Once
I removed the deny write, the sites/pages were functional
again. My question is: Is there anything in the updates
that made any changes to anonymous user or ADDED anonymous
user to webroot? I read the bulletins and don't see any
reference but who knows. Blame must be placed. If not
the updates, I have to figure out who oops'd (without
authority).
Thank You

Re: Critical Updates

Bernard
7/29/2004 12:28:20 PM

I believe those changes are applied by IISLockDown / Urlscan.
If such write access is needed, it's fine to remove it. just
ensure only that folder or files able to write by your application.
not entire disk or volume.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

[quoted text, click to view]