HOW TO IIS -Security

Hi!! & Hello!!!

Well I have a server where I have hosted many sites on IIS 6.0. When
the users I mean the public users (anyone from anywhere) if they go to
their Start->Run-> from windows and type the IP address(for eg
\\83.485.574.22) like this it opens up the default site with full
directory view and ...with all the files and folders. write permission
..how can i stop this ??? i mean their is no security at all how can i
stop this???

regards
Phil

Re: HOW TO IIS -Security

Hi,

a) How do you know there is no security? Are you allowing anonymous access?
Have you configured NTFS permissions to restrict which users can access the
files?

b) Do you have WebDAV enabled in the Web Service Extensions list? They are
accessing the site via WebDAV by the looks of it - if you have it enabled,
you need to take additional steps to restrict who can view what. Otherwise
disable WebDAV if you don't need that functionality.

Cheers
Ken


"phil" wrote in message
news:1148532255.803316.252990@j73g2000cwa.googlegroups.com.. .
> Hi!! & Hello!!!
>
> Well I have a server where I have hosted many sites on IIS 6.0. When
> the users I mean the public users (anyone from anywhere) if they go to
> their Start->Run-> from windows and type the IP address(for eg
> \\83.485.574.22) like this it opens up the default site with full
> directory view and ...with all the files and folders. write permission
> .how can i stop this ??? i mean their is no security at all how can i
> stop this???
>
> regards
> Phil
>

Re: HOW TO IIS -Security

Hello
thanks for reply

a) How do you know there is no security?
Well, as mentioned earlier that anyone can access this domain from
anywhere with read and write permissions...

b)Are you allowing anonymous access?
Yes this is a public website

c)Do you have WebDAV enabled in the Web Service Extensions list?
Well Im new to this field so i don't know about this...well where can i
get the info on my machine whether WebDAV is enabled???

regards
Phil

Ken Schaefer wrote:
> Hi,
>
> a) How do you know there is no security? Are you allowing anonymous access?
> Have you configured NTFS permissions to restrict which users can access the
> files?
>
> b) Do you have WebDAV enabled in the Web Service Extensions list? They are
> accessing the site via WebDAV by the looks of it - if you have it enabled,
> you need to take additional steps to restrict who can view what. Otherwise
> disable WebDAV if you don't need that functionality.
>
> Cheers
> Ken
>
>
> "phil" wrote in message
> news:1148532255.803316.252990@j73g2000cwa.googlegroups.com.. .
> > Hi!! & Hello!!!
> >
> > Well I have a server where I have hosted many sites on IIS 6.0. When
> > the users I mean the public users (anyone from anywhere) if they go to
> > their Start->Run-> from windows and type the IP address(for eg
> > \\83.485.574.22) like this it opens up the default site with full
> > directory view and ...with all the files and folders. write permission
> > .how can i stop this ??? i mean their is no security at all how can i
> > stop this???
> >
> > regards
> > Phil
> >

Re: HOW TO IIS -Security

phil wrote on 24 May 2006 21:44:15 -0700:

> Hi!! & Hello!!!
>
> Well I have a server where I have hosted many sites on IIS 6.0. When
> the users I mean the public users (anyone from anywhere) if they go to
> their Start->Run-> from windows and type the IP address(for eg
> \\83.485.574.22) like this it opens up the default site with full
> directory view and ...with all the files and folders. write permission
> .how can i stop this ??? i mean their is no security at all how can i
> stop this???
>
> regards
> Phil

A connection to \\w.x.y.z isn't going through IIS - that's a UNC path.
Actually, it shouldn't show the default site at all - it should just show a
list of the available shares on the machine on that IP address. If this is
the case, you've got Windows file sharing exposed to everyone, and the guest
account enabled with full permissions - this is nothing to do with IIS, and
it means you've changed the default NTFS permissions in Windows and
connected your machine to the internet with no firewall.

Dan

Re: HOW TO IIS -Security

Hello thanks for reply
Can U please tell me how to rectify??? this problem??? I have checked
the permission on wwwroot directory but guest account and everyone
account are not given full permissions. only read is enabled??? how to
get out of this problem.???

regards
phil
Daniel Crichton wrote:
> phil wrote on 24 May 2006 21:44:15 -0700:
>
> > Hi!! & Hello!!!
> >
> > Well I have a server where I have hosted many sites on IIS 6.0. When
> > the users I mean the public users (anyone from anywhere) if they go to
> > their Start->Run-> from windows and type the IP address(for eg
> > \\83.485.574.22) like this it opens up the default site with full
> > directory view and ...with all the files and folders. write permission
> > .how can i stop this ??? i mean their is no security at all how can i
> > stop this???
> >
> > regards
> > Phil
>
> A connection to \\w.x.y.z isn't going through IIS - that's a UNC path.
> Actually, it shouldn't show the default site at all - it should just show a
> list of the available shares on the machine on that IP address. If this is
> the case, you've got Windows file sharing exposed to everyone, and the guest
> account enabled with full permissions - this is nothing to do with IIS, and
> it means you've changed the default NTFS permissions in Windows and
> connected your machine to the internet with no firewall.
>
> Dan

Re: HOW TO IIS -Security

phil wrote on 25 May 2006 02:23:39 -0700:

> Hello thanks for reply
> Can U please tell me how to rectify??? this problem??? I have checked
> the permission on wwwroot directory but guest account and everyone
> account are not given full permissions. only read is enabled??? how to
> get out of this problem.???

Well, if you really are getting Windows share connections rather than via
IIS, you need to check the NTFS permissions from Windows itself, not the IIS
manager. IIS is not being used, so your question is irrelevant in this
group. And you really need to get a firewall in place, never expose a
machine directly to the internet.

Dan

Re: HOW TO IIS -Security

Hello

Well I feel we are missing out a point here... see when i \\x.y.z.y why
should only my Default site should open there are so many other share
which i have given??? and more over i have not shared my wwwroot folder
at all. so I need some help from you.

regards
Phil
Daniel Crichton wrote:
> phil wrote on 25 May 2006 02:23:39 -0700:
>
> > Hello thanks for reply
> > Can U please tell me how to rectify??? this problem??? I have checked
> > the permission on wwwroot directory but guest account and everyone
> > account are not given full permissions. only read is enabled??? how to
> > get out of this problem.???
>
> Well, if you really are getting Windows share connections rather than via
> IIS, you need to check the NTFS permissions from Windows itself, not the IIS
> manager. IIS is not being used, so your question is irrelevant in this
> group. And you really need to get a firewall in place, never expose a
> machine directly to the internet.
>
> Dan

Re: HOW TO IIS -Security

Actually, there is one overall conclusion that can be drawn;

You are way in over your head. Unplug that machine and call a professional.
Seriously, that machine probably already compromised and helping to make the
internet a foul, spam-ridden place already.



"phil" wrote in message
news:1148556466.307189.174190@38g2000cwa.googlegroups.com...
> Hello
>
> Well I feel we are missing out a point here... see when i \\x.y.z.y why
> should only my Default site should open there are so many other share
> which i have given??? and more over i have not shared my wwwroot folder
> at all. so I need some help from you.
>
> regards
> Phil
> Daniel Crichton wrote:
>> phil wrote on 25 May 2006 02:23:39 -0700:
>>
>> > Hello thanks for reply
>> > Can U please tell me how to rectify??? this problem??? I have checked
>> > the permission on wwwroot directory but guest account and everyone
>> > account are not given full permissions. only read is enabled??? how to
>> > get out of this problem.???
>>
>> Well, if you really are getting Windows share connections rather than via
>> IIS, you need to check the NTFS permissions from Windows itself, not the
>> IIS
>> manager. IIS is not being used, so your question is irrelevant in this
>> group. And you really need to get a firewall in place, never expose a
>> machine directly to the internet.
>>
>> Dan
>

Re: HOW TO IIS -Security

"phil" wrote in message
news:1148542660.865052.202830@i40g2000cwc.googlegroups.com.. .
> Hello
> thanks for reply
>
> a) How do you know there is no security?
> Well, as mentioned earlier that anyone can access this domain from
> anywhere with read and write permissions...

How do you know they aren't sending credentials? Have you checked the
relevant IIS logfiles?



> b)Are you allowing anonymous access?
> Yes this is a public website
>
> c)Do you have WebDAV enabled in the Web Service Extensions list?
> Well Im new to this field so i don't know about this...well where can i
> get the info on my machine whether WebDAV is enabled???

Open IIS Manager. There is a node called "Web Service Extensions". Locate
WebDav. Disable it.

If you need more help on securing IIS, I co-wrote a book with Bernard Cheah
(another IIS MVP). You can order it from Amazon.com (or any other
bookstore):
http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstat i0f-20

Cheers
Ken



> regards
> Phil
>
> Ken Schaefer wrote:
>> Hi,
>>
>> a) How do you know there is no security? Are you allowing anonymous
>> access?
>> Have you configured NTFS permissions to restrict which users can access
>> the
>> files?
>>
>> b) Do you have WebDAV enabled in the Web Service Extensions list? They
>> are
>> accessing the site via WebDAV by the looks of it - if you have it
>> enabled,
>> you need to take additional steps to restrict who can view what.
>> Otherwise
>> disable WebDAV if you don't need that functionality.
>>
>> Cheers
>> Ken
>>
>>
>> "phil" wrote in message
>> news:1148532255.803316.252990@j73g2000cwa.googlegroups.com.. .
>> > Hi!! & Hello!!!
>> >
>> > Well I have a server where I have hosted many sites on IIS 6.0. When
>> > the users I mean the public users (anyone from anywhere) if they go to
>> > their Start->Run-> from windows and type the IP address(for eg
>> > \\83.485.574.22) like this it opens up the default site with full
>> > directory view and ...with all the files and folders. write permission
>> > .how can i stop this ??? i mean their is no security at all how can i
>> > stop this???
>> >
>> > regards
>> > Phil
>> >
>

Re: HOW TO IIS -Security

Hey Thanks man for the suggestion
After Disabling this it works better, if you have any suggestion..let
me know..Meanwhile if u have any online site where i learn more about
IIS security just past it across. Thanks once again

regards
Philip

Ken Schaefer wrote:
> "phil" wrote in message
> news:1148542660.865052.202830@i40g2000cwc.googlegroups.com.. .
> > Hello
> > thanks for reply
> >
> > a) How do you know there is no security?
> > Well, as mentioned earlier that anyone can access this domain from
> > anywhere with read and write permissions...
>
> How do you know they aren't sending credentials? Have you checked the
> relevant IIS logfiles?
>
>
>
> > b)Are you allowing anonymous access?
> > Yes this is a public website
> >
> > c)Do you have WebDAV enabled in the Web Service Extensions list?
> > Well Im new to this field so i don't know about this...well where can i
> > get the info on my machine whether WebDAV is enabled???
>
> Open IIS Manager. There is a node called "Web Service Extensions". Locate
> WebDav. Disable it.
>
> If you need more help on securing IIS, I co-wrote a book with Bernard Cheah
> (another IIS MVP). You can order it from Amazon.com (or any other
> bookstore):
> http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstat i0f-20
>
> Cheers
> Ken
>
>
>
> > regards
> > Phil
> >
> > Ken Schaefer wrote:
> >> Hi,
> >>
> >> a) How do you know there is no security? Are you allowing anonymous
> >> access?
> >> Have you configured NTFS permissions to restrict which users can access
> >> the
> >> files?
> >>
> >> b) Do you have WebDAV enabled in the Web Service Extensions list? They
> >> are
> >> accessing the site via WebDAV by the looks of it - if you have it
> >> enabled,
> >> you need to take additional steps to restrict who can view what.
> >> Otherwise
> >> disable WebDAV if you don't need that functionality.
> >>
> >> Cheers
> >> Ken
> >>
> >>
> >> "phil" wrote in message
> >> news:1148532255.803316.252990@j73g2000cwa.googlegroups.com.. .
> >> > Hi!! & Hello!!!
> >> >
> >> > Well I have a server where I have hosted many sites on IIS 6.0. When
> >> > the users I mean the public users (anyone from anywhere) if they go to
> >> > their Start->Run-> from windows and type the IP address(for eg
> >> > \\83.485.574.22) like this it opens up the default site with full
> >> > directory view and ...with all the files and folders. write permission
> >> > .how can i stop this ??? i mean their is no security at all how can i
> >> > stop this???
> >> >
> >> > regards
> >> > Phil
> >> >
> >

Re: HOW TO IIS -Security

You can obtain the entire IIS Resource Kit from the Microsoft website for
free.

Alternatively, there is the book I mentioned (it covers IIS security)

Otherwise, depending on your time, you can search the web for the equivalent
content. but how much is your time worth?

Cheers
Ken

"phil" wrote in message
news:1148649040.533718.101610@i40g2000cwc.googlegroups.com.. .
> Hey Thanks man for the suggestion
> After Disabling this it works better, if you have any suggestion..let
> me know..Meanwhile if u have any online site where i learn more about
> IIS security just past it across. Thanks once again
>
> regards
> Philip
>
> Ken Schaefer wrote:
>> "phil" wrote in message
>> news:1148542660.865052.202830@i40g2000cwc.googlegroups.com.. .
>> > Hello
>> > thanks for reply
>> >
>> > a) How do you know there is no security?
>> > Well, as mentioned earlier that anyone can access this domain from
>> > anywhere with read and write permissions...
>>
>> How do you know they aren't sending credentials? Have you checked the
>> relevant IIS logfiles?
>>
>>
>>
>> > b)Are you allowing anonymous access?
>> > Yes this is a public website
>> >
>> > c)Do you have WebDAV enabled in the Web Service Extensions list?
>> > Well Im new to this field so i don't know about this...well where can i
>> > get the info on my machine whether WebDAV is enabled???
>>
>> Open IIS Manager. There is a node called "Web Service Extensions". Locate
>> WebDav. Disable it.
>>
>> If you need more help on securing IIS, I co-wrote a book with Bernard
>> Cheah
>> (another IIS MVP). You can order it from Amazon.com (or any other
>> bookstore):
>> http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstat i0f-20
>>
>> Cheers
>> Ken
>>
>>
>>
>> > regards
>> > Phil
>> >
>> > Ken Schaefer wrote:
>> >> Hi,
>> >>
>> >> a) How do you know there is no security? Are you allowing anonymous
>> >> access?
>> >> Have you configured NTFS permissions to restrict which users can
>> >> access
>> >> the
>> >> files?
>> >>
>> >> b) Do you have WebDAV enabled in the Web Service Extensions list? They
>> >> are
>> >> accessing the site via WebDAV by the looks of it - if you have it
>> >> enabled,
>> >> you need to take additional steps to restrict who can view what.
>> >> Otherwise
>> >> disable WebDAV if you don't need that functionality.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >>
>> >> "phil" wrote in message
>> >> news:1148532255.803316.252990@j73g2000cwa.googlegroups.com.. .
>> >> > Hi!! & Hello!!!
>> >> >
>> >> > Well I have a server where I have hosted many sites on IIS 6.0. When
>> >> > the users I mean the public users (anyone from anywhere) if they go
>> >> > to
>> >> > their Start->Run-> from windows and type the IP address(for eg
>> >> > \\83.485.574.22) like this it opens up the default site with full
>> >> > directory view and ...with all the files and folders. write
>> >> > permission
>> >> > .how can i stop this ??? i mean their is no security at all how can
>> >> > i
>> >> > stop this???
>> >> >
>> >> > regards
>> >> > Phil
>> >> >
>> >
>