Subject: Re: Frontpage and permissions - EVERYONE GROUP.
From: .sozni (sozni USA.NET)
Date: Fri Mar 03 2000 - 17:28:41 CST

Maybe for the sake of those thousands of web admins who have vulnerable
FrontPage servers I will explain exactly what it means to have a FrontPage web
with EVERYONE permissions.

The fact is that the permissions are not set for all the files in a web site.
Instead, the permissions to the web site are determined by the permissions to
two files: admin.dll (or exe) and author.dll (or exe).

As one could imagine, permission to post to admin.dll gives one permission
to administer the web site. Permission to post to author.dll gives one
permission to author a web site. Either one of these permissions not set
properly puts your FrontPage web, the server it is on, and possibly your
entire network at risk.

There are several common problems with FrontPage webs:

1. FrontPage by default has no security set on those files and therefore
anyone can administer the web site;
2. Often people will install FrontPage and not use it but not realize that
the existence of those files still makes their website vulnerable. In other
words, you need to secure (or delete) your FrontPage web binaries whether you
use FrontPage or not.
3. There are quite a few Microsoft products that may sneak in those files
under a different title. You must know your website well and be able to
recognize new files;
4. And finally, as was mentioned before, since some operating systems like
Win9x do not have such things as ACLs, there is absolutely no way to
secure a FrontPage web on that OS.
5. Many people don't realize that by installing FrontPage on their personal
computer they are also making themselves vulnerable to anyone on the
internet.

The basic thing to remember is that if you open your website in FrontPage and
are not asked for a password, then no one else in the world is going to be
asked for a password either.

And one other thing to note is that there are several ways to open a FrontPage
web besides the FrontPage explorer, namely MS Office 2000, webfolders, ADO,
etc.

And once your main web site is secure, don't forget about all those subwebs!

.sozni
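
An audit of the point made in the message above, as an added example that is not part of the original post: it walks a web content root, subwebs included, finds every copy of the four binaries the message names, and reports any Allow entry granted to Everyone. The `$WebRoot` default, the function name `Get-BroadAce`, and the extension to Authenticated Users and BUILTIN\Users are assumptions of this example.

```powershell
# Added example: find FrontPage admin/author binaries whose ACL admits broad groups.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot'   # assumed content root; pass your own
)

# File names taken from the message: admin.dll (or exe) and author.dll (or exe).
$names = 'admin.dll', 'admin.exe', 'author.dll', 'author.exe'

# Well-known SIDs, so the check also works on localized systems.
# Everyone is the group the thread is about; the other two are added by this example.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            [pscustomobject]@{
                File      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Recurse so that copies inside subwebs are checked as well as the root web.
$found = Get-ChildItem -Path $WebRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }

if (-not $found) {
    Write-Output "No FrontPage admin/author binaries found under $WebRoot"
} else {
    $found | ForEach-Object { Get-BroadAce -Path $_.FullName } |
        Sort-Object File, Principal |
        Format-Table -AutoSize
}
```

Any row in the output is a binary that the listed group is allowed to reach; an empty table with binaries present means none of the three groups has an Allow entry on them.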