#1  09-08-2002, 04:19 PM
dandino
Geek Acolyte
Join Date: Aug 2002
Location: uk
Posts: 29
IIS Web Server Security Question

Hello everyone

I have just set up Win XP and would like to use the IIS web server to host a web site. I am using Win XP together with my old OS Win Me and so have stayed with the FAT32 file system. However I have heard that there are a lot of security flaws associated with the IIS web server and therefore need a little advice before I begin using it.
What I'd really like to know is can I create an extra extended NTFS partition solely for use with the IIS web server for added security?

To be a little clearer: If I am currently running Win XP on a FAT32 partition is it also possible for Win XP to run programs (IIS web server for example) on another logical drive on a NTFS extended partition?

Any help greatly appreciated
dandino
#2  09-08-2002, 09:10 PM
mjc
Supreme Exalted Grand Master Geek
Moderator
 
Join Date: Nov 2000
Location: The Mountain State
Posts: 21,180
Yes, it should be able to run apps from both file systems....
__________________
AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
“When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
Remember: Amateurs built the ark; professionals built the Titanic.
#3  09-08-2002, 09:19 PM
Paul Komski
Chicken-head-eating Geek
Moderator
 
Join Date: Oct 2001
Location: N of the S of Ireland
Posts: 17,783
Since IIS "comes with the OS", I may be wrong but, won't you have to either change to NTFS on that partition or have a separate NTFS partition with another OS running IIS on it?
__________________
Take nice care of yourselves - Paul - ♪ -
Help to start using BiNG. Some stuff about Boot CDs & Data Recovery Basics & Back-up using Knoppix.
#4  09-09-2002, 11:48 AM
Ghost_Hacker
Net-Tech-Fu Sensei
 
Join Date: Jan 2001
Location: Unimatrix Zero-one
Posts: 2,245
Yes, placing the "web root" on another partition is the recommended way to install IIS. (You'll get the option of where to place the web root during the install; you can also place your web site's files on other partitions even after you have installed IIS.) The location of the web root or your web site's files can be a security risk, so the web root should always be on a separate NTFS partition and NEVER on the "C" drive or wherever the operating system's system files are located. If you do place your web site's files or the web root on the same partition as your system files, make sure to patch your server to the latest updates and to turn off any "directory browsing" features in IIS.


Good Luck
__________________
Ferengi Rules of Acquisition:
Rule # 47
Don't trust a man wearing a better suit than your own.

Last edited by Ghost_Hacker : 09-09-2002 at 12:00 PM.
#5  09-09-2002, 12:48 PM
dandino
Geek Acolyte
 
Join Date: Aug 2002
Location: uk
Posts: 29
Thanks a lot for your advice Ghost_Hacker, you certainly seem to know your stuff.

I feel a little insecure about using IIS now. Are there any other web servers that you know of that might offer a little more security and also run on Win XP? I know the Apache server is good but as far as I know it's a Unix server - or is there a Windows version?

Thanks again
dandino



Last edited by dandino : 09-09-2002 at 01:01 PM.
#6  09-09-2002, 03:00 PM
Ghost_Hacker
Net-Tech-Fu Sensei
 
Join Date: Jan 2001
Location: Unimatrix Zero-one
Posts: 2,245
Yes, there is a Windows version of Apache. The Windows version isn't as secure as the Unix version, so be sure to watch for updates to the software, as security holes for Apache are sometimes found. Still, unlike IIS, the default Apache configuration is pretty secure.



Go here to get it and be sure to read the info at the site:


Apache
#7  09-09-2002, 04:33 PM
dandino
Geek Acolyte
 
Join Date: Aug 2002
Location: uk
Posts: 29
Thanks Ghost_Hacker, I'll download and try it, it sounds a little more secure than IIS

dandino
#8  09-09-2002, 08:14 PM
Paul Komski
Chicken-head-eating Geek
Moderator
 
Join Date: Oct 2001
Location: N of the S of Ireland
Posts: 17,783
Ghost
(1) Understand about siting the web root folder and site(s) and moving it/them onto NTFS ... but ... does it make any difference, security wise, if IIS itself is installed with the OS on a FAT or NTFS partition?

(2) I am presuming that if access is made into a website folder on FAT that it is easier to then break in elsewhere on that partition by using techniques like buffer overflow.

(3) In other words, is the main (or only) security risk from outsiders accessing the folders/files on the website(s) created or can they get access in other ways through the web server itself or is this always isolated from the web. I hope this makes sense.
#9  09-10-2002, 11:58 AM
Ghost_Hacker
Net-Tech-Fu Sensei
 
Join Date: Jan 2001
Location: Unimatrix Zero-one
Posts: 2,245
Understand about siting the web root folder and site(s) and moving it/them onto NTFS ... but ... does it make any difference, security wise, if IIS itself is installed with the OS on a FAT or NTFS partition?


Yes, as the system files on a FAT partition have no security at all (you can't control who can write, read or execute files). Running any NT/2000/XP server on a FAT partition should always be seen as a no-no, unless security is of no concern.


I am presuming that if access is made into a website folder on FAT that it is easier to then break in elsewhere on that partition by using techniques like buffer overflow.


Buffer overflows have nothing to do with where a file is located. Overflows have to do with memory and how it's accessed by an application. By "overflowing" a stack a processor can be made to execute the code within the "overflowed" area. (Not the most technical of answers but it'll do.)

It is very easy, using just your web browser, in an unpatched default IIS installation to gain access to the drive the web root or web site files are on. If those files are sitting on the same partition as your system files (and, god forbid, in a FAT partition too) then the "hacker" would have easy access to the files needed in order to control your system. (Another tip: on an NT box that will run IIS you should install NT into a folder other than "winnt". 99% of all "directory traversal" exploits will look for a "winnt/system32" folder. This simple step alone will secure you against every script kiddie tool that uses "directory traversal".)


In other words, is the main (or only) security risk from outsiders accessing the folders/files on the website(s) created or can they get access in other ways through the web server itself or is this always isolated from the web. I hope this makes sense.


IIS provides many ways for hackers to take control of your system because, by default, it turns on every little service it can provide.

Script mappings, directory traversal, sample and data access files installed by default all can be used to gain access to the system. Many can be used simply by typing the right command into Internet Explorer.
If you need to install any web server (more so with IIS) take a look through the internet for any "Securing" how-tos.


Hope this helps

Last edited by Ghost_Hacker : 09-10-2002 at 12:11 PM.
Reply With Quote
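The two points Ghost_Hacker makes in posts #4 and #9 (put the web root on its own partition, never on the OS drive, because an unpatched server lets a browser walk '..' out of the web root towards winnt\system32) can be seen in a small model of how a server maps a URL onto a file. This is an added example written for this page, not code from the thread or from IIS. It emulates Windows path rules with Python's ntpath module so it runs anywhere; the drive layout, file names and request strings are constructed for illustration and no real server or filesystem is touched.

```python
"""Added example (not from the original thread): a toy model of a web
server mapping a requested URL onto a file under its web root. It shows
(a) why a server that trusts '..' segments can be steered to the system
folder when the web root shares the OS partition, (b) that a web root on
its own drive can never be walked up into C:, although the rest of that
drive is still exposed, and (c) the canonicalize-then-check a hardened
server performs.

Windows path rules are emulated with `ntpath`, so this runs on any
platform. The disk layout and requests below are constructed.
"""
import ntpath
from urllib.parse import unquote

# Constructed layout of a hypothetical XP box: C: holds the OS, D: is a
# separate NTFS partition that also holds some unrelated private data.
FAKE_DISK = {
    r"C:\winnt\system32\cmd.exe",
    r"C:\inetpub\wwwroot\index.htm",
    r"D:\inetpub\wwwroot\index.htm",
    r"D:\inetpub\wwwroot\images\logo.gif",
    r"D:\private\accounts.mdb",
}
# Windows file names are case-insensitive, so compare in lower case.
_DISK_INDEX = {p.lower() for p in FAKE_DISK}


def exists(path):
    """True if `path` is on the constructed disk (case-insensitive)."""
    return path.lower() in _DISK_INDEX


def naive_resolve(webroot, url_path):
    """What a server that trusts the URL does: decode it, glue it onto the
    web root and let the filesystem collapse the '..' segments.
    ntpath.normpath never lets '..' climb above the drive letter, which is
    why a web root on D: cannot be walked up into C:\\winnt."""
    decoded = unquote(url_path)        # %2e%2e -> ..
    relative = decoded.lstrip("/")     # URL path -> path under the root
    return ntpath.normpath(ntpath.join(webroot, relative))


def safe_resolve(webroot, url_path):
    """Hardened version: canonicalize first, then refuse any request whose
    canonical path is not the root itself or strictly below it.
    Returns None for a rejected request."""
    root = ntpath.normpath(webroot).lower()
    target = naive_resolve(webroot, url_path)
    lowered = target.lower()
    if lowered != root and not lowered.startswith(root + "\\"):
        return None
    return target


def traversal_outcomes(url_path):
    """For one request, report what it reaches with the web root on the OS
    partition versus on its own drive, both naive and hardened."""
    results = {}
    for label, root in (("same-partition", r"C:\inetpub\wwwroot"),
                        ("own-drive", r"D:\inetpub\wwwroot")):
        target = naive_resolve(root, url_path)
        results[label] = {
            "naive_target": target,
            "naive_hits_file": exists(target),
            "hardened": safe_resolve(root, url_path),
        }
    return results


if __name__ == "__main__":
    # Constructed requests: encoded dot-dot segments aimed at the system
    # folder, a walk to another folder on the same drive, and a normal hit.
    for req in ("/images/%2e%2e/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
                "/../../private/accounts.mdb",
                "/images/logo.gif"):
        print(req)
        for label, r in traversal_outcomes(req).items():
            print(f"  {label:15} naive -> {r['naive_target']} "
                  f"(exists: {r['naive_hits_file']}); "
                  f"hardened -> {r['hardened']}")
```

Running it shows the three situations side by side: with the web root on C:, the naive resolver lands on C:\winnt\system32\cmd.exe; with the web root on D:, the same request resolves to a D:\winnt path that does not exist, but a shorter walk still reaches D:\private\accounts.mdb, which is why the partition should hold nothing but the web content; the hardened resolver rejects both walks and serves only paths that canonicalize to something under the root.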
#10  09-10-2002, 06:24 PM
Paul Komski
Chicken-head-eating Geek
Moderator
 
Join Date: Oct 2001
Location: N of the S of Ireland
Posts: 17,783
Sure is a great help in understanding. Your replies are always so clear and instructive - so thanks a lot.

I have a standalone setup and just have IIS set up for testing purposes - but I'm all the time trying to learn new stuff. I think with my slow dialup even a hacker might get browned off waiting!

BTW is the change from using bold to green text specially for Irish Users!

What I would love to get my head around are the connection "ports". Are these easily understood (in simple terms) or any good links about them - I've never got very far from searching Google in this respect.
#11  09-11-2002, 11:45 AM
Ghost_Hacker
Net-Tech-Fu Sensei
 
Join Date: Jan 2001
Location: Unimatrix Zero-one
Posts: 2,245
BTW is the change from using bold to green text specially for Irish Users!

Jaysus! I never thought of it that way. But I can see where you might bleedin think so mate.



For an understanding of ports, you might try these links (from easy to more technical). It's hard to find good info on how ports work, so you might want to try to find some books, or if you have a certain question on how something works, just post back and I'll see if I can explain it.


How stuff works....ports

Daryl's TCP primer


TCP Ports

Last edited by Ghost_Hacker : 09-11-2002 at 11:51 AM.
#12  09-11-2002, 04:03 PM
Paul Komski
Chicken-head-eating Geek
Moderator
 
Join Date: Oct 2001
Location: N of the S of Ireland
Posts: 17,783
Thanks again. I'll do some homework and post back if (that is when) I get stuck!