Compatible Support Forums
Jeff123df2

iis security

I was wondering if you could help me with my IIS security.

I'm running Windows 2000 Server (not as a domain controller).

I created an account for my brother as a local user in Computer Management called "joe".

I'm running an FTP server, and in the properties under the Security Accounts tab I unchecked "Allow Anonymous Connections".

Inside my FTP home directory, I created a directory called "joe".

So now when he logs in with username "joe" and his password, he is sent to the directory "joe".

I noticed I was also able to log in using my administrative account.

Is there a way to allow users to log in to the FTP but not administrator remotely like this?

Also, I was wondering, is this bad practice for an IIS FTP server?


Cool, yeah, you're right :P

At the bottom of the page for the link you gave me, it said:

"WARNING. Passwords sent to the FTP service are sent in absolute cleartext. SSL can't be used and you can't use NTFS authentication. No good solution exists for this problem using the native Microsoft FTP server."

I'm worried about security in doing this. I have the same setup that they explained on that page.

Would it be possible for someone to compromise my administrative password by having this type of setup?


If you have questions regarding the specifics of those options, either check out that site, the online help, or check out this link regarding setup of the FTP service. It has a better description of the option, and it will not require an incredibly long reply from me. :)

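The warning quoted above is the whole answer to the question about the administrative password: the IIS 5 FTP service sends USER and PASS in plain text, so anyone who can see the traffic between the client and the server recovers the password, including the Administrator's. The following is an added example, not code from the thread or from Microsoft, showing what a passive listener on the path reconstructs from the control channel (TCP port 21). The session, the host name "ftpserver", the account names and the passwords are all constructed for this example; the reply codes are the standard FTP ones (331 password required, 230 logged in, 530 login failed).

```python
"""
Added example, not from the thread: what a passive eavesdropper recovers from
the FTP control channel (TCP/21) of a Windows 2000 / IIS 5 FTP server. The
protocol sends USER and PASS as plain text, so anyone who can capture the path
(a shared LAN, a compromised router, an ISP) obtains every password, including
the Administrator's. The session below is constructed and is not a real capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, reassembled control-channel stream as a sniffer would see it:
# "S:" = server -> client, "C:" = client -> server.
CAPTURED_SESSION = """\
S: 220 ftpserver Microsoft FTP Service (Version 5.0).
C: USER joe
S: 331 Password required for joe.
C: PASS hunter2
S: 230 User joe logged in.
C: CWD /joe
S: 250 CWD command successful.
C: QUIT
S: 221
S: 220 ftpserver Microsoft FTP Service (Version 5.0).
C: USER administrator
S: 331 Password required for administrator.
C: PASS wrong-guess
S: 530 User administrator cannot log in.
C: USER administrator
S: 331 Password required for administrator.
C: PASS C0rrect-Adm1n-Pw
S: 230 User administrator logged in.
"""


@dataclass
class Login:
    user: str
    password: str
    success: bool  # True when the server answered PASS with 230


_CMD = re.compile(r"(USER|PASS)\s+(.*)$", re.IGNORECASE)


def extract_logins(stream: str) -> List[Login]:
    """Walk the stream and pair each USER/PASS with the server's 230/530 reply."""
    logins: List[Login] = []
    user: Optional[str] = None
    password: Optional[str] = None
    for raw in stream.splitlines():
        direction, _, text = raw.partition(" ")
        if direction == "C:":
            m = _CMD.match(text)
            if not m:
                continue  # other commands (CWD, QUIT, ...) carry no credentials
            cmd, arg = m.group(1).upper(), m.group(2)
            if cmd == "USER":
                user, password = arg, None  # new attempt; discard stale password
            elif cmd == "PASS" and user is not None:
                password = arg
        elif direction == "S:" and password is not None:
            code = text[:3]
            # RFC 959: 230 = logged in, 530 = not logged in. Anything else is
            # not the verdict on this PASS, so keep waiting for it.
            if code in ("230", "530"):
                logins.append(Login(user or "", password, code == "230"))
                password = None
    return logins


def privileged_logins(logins: List[Login],
                      privileged: Tuple[str, ...] = ("administrator",)) -> List[Login]:
    """Successful logins for accounts that should never cross the wire in clear."""
    return [l for l in logins if l.success and l.user.lower() in privileged]


if __name__ == "__main__":
    found = extract_logins(CAPTURED_SESSION)
    for l in found:
        print(f"{'OK  ' if l.success else 'FAIL'} {l.user}:{l.password}")
    for l in privileged_logins(found):
        print(f"!! privileged account '{l.user}' authenticated in cleartext")
```

Note that a failed guess (530) and the subsequent correct password are both recovered; nothing in the protocol distinguishes the Administrator's password from joe's. The practical consequence for the setup described in the thread is that privileged accounts should not be able to log in over this FTP service at all, and any account that does use it should have a password that is not shared with anything else.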

Hello, I'm sorry to bother you again, but something new just came up that I need help with.

I was reviewing my IIS logs, and seeing stuff like this:

2002-03-05 07:55:29 206.14.221.202 - 192.168.1.115 80 GET /scripts/root.exe /c+dir 404 -
2002-03-05 07:55:30 206.14.221.202 - 192.168.1.115 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-05 07:55:31 206.14.221.202 - 192.168.1.115 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-05 07:55:31 206.14.221.202 - 192.168.1.115 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 404 -
2002-03-05 07:55:31 206.14.221.202 - 192.168.1.115 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -

This just started happening. Is this bad? I'm not sure what exactly is going on in this log. Could you help me out please?

Thanks in advance :)


:)

Those are attempts by Code Red/CRII infected servers to infect your machine. Since you are generating 404 errors (*very* good response, as this indicates the server is patched and/or locked down normally) you will be fine. This is the kind of thing that the URLScan and IISLockdown tools protect against.


Hi, I have another question.

I'm a little paranoid now after seeing this.

I took your advice and installed IIS Lockdown, which now has URLScan.

I have a question about what I'm seeing here in a previous log file:

2002-03-10 11:47:00 61.174.224.203 - 192.168.1.115 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

This looks bad, because now after installing URLScan and IIS Lockdown I see:

2002-03-17 04:46:03 138.190.248.206 - 192.168.1.115 80 GET /<Rejected-By-UrlScan> ~/default.ida 404 -

Maybe this isn't a bad thing. What is default.ida? Is it bad that people were able to access it in the past?


The "default.ida" (ida/idq in general) is a file that's used for querying against Index Server, which is the built-in search/scavenging engine for IIS. As for the "200" reply, I am not sure if it means that it just found the file, or if it not only found the file but successfully initiated the overflow. On the first pass of Code Red, all you had to do was reboot the server and the worm would be gone (of course another attack would re-infect it, so your best bet was to disconnect the server, reboot, and then patch the server before you could reconnect it again). However with CRII that changed; the worm could now bring in a payload and leave a back door open on the box. So, I don't have any idea what may have happened to your box, but it *is* possible it might have been compromised. Check out Technet and do a search on the removal of Code Red, as MS released a tool to help with this process.

Also, for future reference here is a list of HTTP reply codes:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q173971

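The two kinds of entries in this thread, and the point made in the reply above that a 404 means the probe bounced off while a 200 means the request reached a handler, can be checked mechanically over a log file. The following is an added example and not code from the thread or from Microsoft: it parses IIS 5 W3C-extended log lines in the column order the thread's entries use, tags each hit as a traversal probe for cmd.exe or root.exe (the pattern Nimda used, which also looks for the root.exe copy of cmd.exe that Code Red II leaves in /scripts), as an Index Server .ida/.idq request carrying %u-encoded shellcode (Code Red), or as a request UrlScan already rejected, and flags the ones that returned 200. The sample input reuses four of the thread's own lines (the Code Red line shortened) plus one constructed line that shows what an unpatched server would log; the tag names, the function names and the "#Fields" header are this example's own.

```python
"""
Added example, not code from the thread: triage IIS 5 W3C-extended log lines
for the worm probes discussed above. Tags each hit as a Unicode/traversal probe
for cmd.exe or root.exe (Nimda-style), an Index Server .ida/.idq request with
%u-encoded shellcode (Code Red), or a request UrlScan already rejected, and
flags the ones that returned 200 instead of 404.
"""
from typing import Dict, List, Optional
from urllib.parse import unquote

# Column order of the entries quoted in the thread. The #Fields header in the
# sample is constructed to match it; any trailing columns are ignored.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]

# Sample input: lines 3, 4 and 6 are the thread's own entries; the .ida line is a
# shortened copy of the thread's Code Red entry; the last line is constructed to
# show what an unpatched server would have logged for the same probe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-05 07:55:29 206.14.221.202 - 192.168.1.115 80 GET /scripts/root.exe /c+dir 404 -
2002-03-05 07:55:30 206.14.221.202 - 192.168.1.115 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-10 11:47:00 61.174.224.203 - 192.168.1.115 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u00=a 200 -
2002-03-17 04:46:03 138.190.248.206 - 192.168.1.115 80 GET /<Rejected-By-UrlScan> ~/default.ida 404 -
2002-03-19 02:10:11 10.9.8.7 - 192.168.1.115 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
"""

# Byte sequences unpatched IIS 4/5 decoded to a path separator (the "Unicode"
# traversal, MS00-078). Replaced before %-decoding because unquote() would turn
# them into U+FFFD rather than "/" or "\". IIS logs the stem after its own
# decoding, so a log line may already show a stray non-ASCII byte instead.
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}


def decode_uri(stem: str) -> str:
    s = stem.lower()
    for enc, sep in OVERLONG_SEPARATORS.items():
        s = s.replace(enc, sep)
    # Decode twice: "%255c" -> "%5c" -> "\" (the double-decoding bug, MS01-026).
    return unquote(unquote(s))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    if not line or line.startswith("#"):
        return None  # directives and comments
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))  # extra trailing columns are dropped


def classify(rec: Dict[str, str]) -> Optional[str]:
    stem, query = rec["cs_uri_stem"], rec["cs_uri_query"]
    if "<Rejected-By-UrlScan>" in stem:
        return "urlscan-rejected"
    path = decode_uri(stem)
    if path.endswith((".ida", ".idq")):
        # Code Red: a run of filler bytes, then %uXXXX-encoded shellcode.
        return "ida-overflow" if "%u" in query.lower() else "index-server-query"
    if "cmd.exe" in path or "root.exe" in path or "/.." in path or "\\.." in path:
        return "traversal-cmd"
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        tag = classify(rec) if rec else None
        if rec is None or tag is None:
            continue
        status = rec["sc_status"]
        # 4xx: no handler ran, the probe bounced off. 200 on a probe: the request
        # reached Index Server or cmd.exe, so the host itself must be checked.
        findings.append({"client": rec["c_ip"], "tag": tag, "status": status,
                         "action": "blocked" if status.startswith("4") else "check-host"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['action']:<10} {f['status']} {f['tag']:<18} from {f['client']}")
```

On the thread's own lines the output is "blocked" for every cmd.exe probe and for the UrlScan rejection, and "check-host" for the 200 on default.ida, which matches the reply above: the 404s are good news, and the one 200 is the entry that justifies checking the machine for a Code Red II backdoor rather than only reading the log.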

I just made another new discovery about this; I'm not as worried about this anymore:

2002-03-18 12:14:01 192.168.1.1 - 192.168.1.115 80 GET /<Rejected-By-UrlScan> ~/default.ida 404

192.168.1.1 is me. Why would I try to infect myself?

I'm guessing, but I think I might know what it is, because I put the check box in the IIS configuration "index this resource". Maybe that's what it is and nothing at all to worry about. :P


What machine is 192.168.1.1 on your LAN? That's "normally" reserved for a router/NAT device, and that entry would indicate that the request was coming from that device. Now, it is possible that a workstation can be infected, since many workstations have IIS installed by default (sometimes referred to as "Peer Web Services") and can be infected in the same manner as a regular server. Also, the workstation can be infected by an email carrying the worm, making said workstation into a drone that will scan for servers in the same manner as the IIS boxes, while also forwarding the worm to other addresses in the address book. This behavior was done in CRII, which was also designed to attack local subnets, thus making it infect machines faster since many poorly administered machines tend to be on the same subnet (such as broadband networks like cable and DSL). The three options that I could think of for that entry on the info I currently have are:

1. It's a GET statement from an HTML editor (or some web folder) at that IP that was trying to access a document.

2. That IP was forwarding an illegal request (it's a router, ICS/RRAS server, etc.) and IIS perceived it as a request from that local IP.

3. That's a local machine on your network that is infected, and is actively scanning your local subnet for vulnerable hosts.

You might want to investigate this a bit further, and make sure that you have the newest anti-virus definitions on all the systems.


I do have the latest virus definitions, latest patches.

It is my router/NAT IP which it sees. I purposely connected remotely using my external address, so it sees the router/NAT's internal IP. Any server you host will see this IP address because of the way that I connected to the server.

No other machines running IIS.

Also, I'm not a target to anyone; I just host the site on port 80, which makes me a target to viruses in that sense.

My point in saying it is that there are no worries anymore, because my workstation is secure (I know this for sure) and that was nothing. Like I said, probably just the feature I checked in IIS, "index this resource".

I'll do a little more research though, uncheck that box and see if it ever happens again. I'll let you know what I find if you want.

Thanks for your advice :)
