From: Alderson, John (John.AldersonFMR.COM)
Date: Thu Dec 13 2001 - 18:44:53 CST

    Tracy,

    Do check the release notes with the Redist package (as mentioned by Chip
    Andrews) or the SDK for info on the context that the .Net runtimes are
    running as by default. I believe that in Beta 2 they are running as SYSTEM
    by default but there are explicit instructions on changing this to a more
    appropriate user context. I don't have my notes here at home so I apologize
    for being a bit vague.

    John Alderson

    -----Original Message-----
    From: Tracy Martin
    To: focus-mssecurityfocus.com
    Sent: 12/12/01 1:52 PM
    Subject: Microsoft .NET, ASP.NET, and IIS - any opinions?

    Greetings,

    We all know that IIS has its flaws - and that for many of these there are
    patches available (or at least workarounds). However, with the imminent
    release of VisualStudio.NET and ASP.NET, I'm expecting to see installs of
    IIS and the .NET runtimes (which, if I understand it correctly, basically
    amounts to installing the full SDK - including command line compilers) on
    servers all over.

    And this begs the question - has anyone who has insight into this done any
    security studies on this combination? Is the addition of .NET to IIS going
    to cause any additional security holes (over and above those already present
    in IIS itself)? And are there recommendations for closing these types of
    holes if encountered?

    I already know I'm going to be asked to set up such a server, and I'd like
    to get a feel for what I'm letting myself in for. I know there are patches
    available for IIS (and I've already applied them to the IIS server we have
    live right now), but I'm curious if the addition of .NET to the mix is going
    to introduce new problems (and also interested in potential solutions to
    those problems while waiting for "official fixes" from Microsoft).

    Any takers?

    Tracy