Executable Directories in IIS 4
Reported August 31, 1998 by Internet Security Systems

VERSIONS AFFECTED

  • Internet Information Server 4.0

DESCRIPTION

As delivered by ISS:

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory August 31, 1998

Executable Directories in IIS 4.0

Synopsis:

If a non-administrative user can place executable code into a web site directory which allows file execution, the user may be able to run applications which could compromise the web server.

Recommended Action:

Administrators should verify access permissions on all virtual HTTP server directories that are marked executable. See below for recommended permissions.

All security patches that protect against local attacks should be applied to HTTP servers due to the possibility of the server executing code locally. See http://www.microsoft.com/security for details.

Description:

The following directories are marked executable by default on an install of IIS 4.0:

/W3SVC/1/ROOT/msadc
/W3SVC/1/ROOT/News
/W3SVC/1/ROOT/Mail
/W3SVC/1/ROOT/cgi-bin
/W3SVC/1/ROOT/SCRIPTS
/W3SVC/1/ROOT/IISADMPWD
/W3SVC/1/ROOT/_vti_bin
/W3SVC/1/ROOT/_vti_bin/_vti_adm
/W3SVC/1/ROOT/_vti_bin/_vti_aut

In a default install, the physical drive mappings will be:

msadc       c:\program files\common\system\msadc
News        c:\InetPub\News
Mail        c:\InetPub\Mail
cgi-bin     c:\InetPub\wwwroot\cgi-bin
SCRIPTS     c:\InetPub\scripts
IISADMPWD   C:\WINNT\System32\inetsrv\iisadmpwd
_vti_bin    Not present by default - installed with FrontPage extensions

Access to the physical directories can be obtained through drive sharing, remote command shells (e.g., rcmd, telnet, remote.exe), HTTP PUT commands, or FrontPage. None of these methods are available in a default install, but are often added by administrators. The default NTFS permissions are overly permissive, and allow change control (RWXD) to the Everyone group by default, with the exception of msadc which is full control to Everyone.

Due to the sensitive nature of these directories, it is recommended that NTFS access permissions should be:

Administrators, LocalSystem: Full Control
Everyone: Special Access(X)

Administrators should closely examine all pathways to access the filesystem, and be aware of all web directories that allow file execution. In addition, if a user is allowed to administer their own site, they may have permission to set a directory to executable. A system administrator should permit only allowed file types to be copied onto a production web site.

In addition, ISS highly recommends the security settings detailed in Chapter 8 of the IIS Resource Kit (Microsoft Press). We would like to thank Michael Howard and Jason Garms of Microsoft for their input.

- --------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.

Credits
- Originally reported by Ken Williams
- Posted on The NT Shop on August 31, 1998
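
The permission review the advisory recommends can be scripted. The following is an added example, not part of the ISS advisory: it parses ACL listings in the display format of the Windows `icacls` tool (an assumption; the advisory names no tool) and reports any principal other than Administrators or SYSTEM that can write into an executable directory. The sample listing and the `WEB01\webauthors` account are constructed.

```python
import re

# Physical directories taken from the advisory's default mapping (subset).
EXEC_DIRS = [r"c:\InetPub\scripts", r"c:\InetPub\wwwroot\cgi-bin",
             r"c:\program files\common\system\msadc"]
TRUSTED = {r"builtin\administrators", r"nt authority\system"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}          # inheritance flags, not rights
# icacls right letters that let a principal add, change or delete files.
WRITE_LIKE = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "WDAC", "WO", "GW", "GA"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]+\))+)$")

# Constructed sample listing (not captured from a real host).
SAMPLE = r"""
c:\InetPub\scripts Everyone:(OI)(CI)(M)
                   BUILTIN\Administrators:(OI)(CI)(F)

c:\InetPub\wwwroot\cgi-bin NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           Everyone:(OI)(CI)(X)
                           WEB01\webauthors:(OI)(CI)(RX,W)

c:\program files\common\system\msadc Everyone:(OI)(CI)(F)
"""

def audit(icacls_text, dirs=EXEC_DIRS):
    """Return (directory, principal, risky_rights) for each allow ACE that lets
    a non-administrative principal write into an executable directory."""
    findings, current = [], None
    for raw in icacls_text.splitlines():
        line = raw.strip()
        if not line:                 # blank line ends the current listing
            current = None
            continue
        for d in dirs:               # known paths disambiguate spaces in names
            if line.lower().startswith(d.lower() + " "):
                current, line = d, line[len(d):].strip()
                break
        m = ACE.match(line)
        if not (m and current):
            continue
        tokens = re.findall(r"\(([^)]+)\)", m["flags"])
        if "DENY" in tokens or m["who"].lower() in TRUSTED:
            continue
        rights = {r for t in tokens if t not in INHERIT for r in t.split(",")}
        risky = sorted(rights & WRITE_LIKE)
        if risky:
            findings.append((current, m["who"], risky))
    return findings

if __name__ == "__main__":
    for directory, who, rights in audit(SAMPLE):
        print(f"{directory}: {who} holds {','.join(rights)}")
```

An execute-only entry for Everyone, as in the advisory's recommended permissions, produces no finding.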