How to change iis setup directory

How to change iis setup directory

am 09.11.2007 05:42:56 von zhulonghui

How to change iis default setup directory ?(note : is not change webpage
directory in iis )

because that is best way to increase iis security.

Re: How to change iis setup directory

am 09.11.2007 10:33:43 von David Wang

On Nov 8, 8:42 pm, "zhulonghui" wrote:
> How to change iis default setup directory ?(note : is not change webpage
> directory in iis )
>
> because that is best way to increase iis security.


You cannot change IIS default setup directory.

Why do you think changing IIS setup directory is best way to increase
IIS security?

Security through Obfuscation is a fallacy. It does not improve
security at all.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: How to change iis setup directory

am 09.11.2007 13:48:00 von Rick Barber

I will add that we have been running IIS since 1996 and have never had a
successful web server attack. We have had some web application attacks, but
all of those have been due to other reasons such as users having weak
passwords (like 'password'), not properly validating data (such as an input
form being directly referenced into a WHERE clause of a SELECT statement),
and so forth. In all of those cases, the attacker was only able to
compromise that single application and not any of the other sites on the
server. One of the biggest causes of web server attacks is poor systems
administration. If permissions are not properly setup and sites are not
running as a restricted user, then there will be attacks on the web server.

--
Rick Barber

http://www.orcsweb.com
Managed Complex Hosting
#1 in Service and Support

"David Wang" wrote in message
news:1194600823.334930.212220@z24g2000prh.googlegroups.com.. .
> On Nov 8, 8:42 pm, "zhulonghui" wrote:
>> How to change iis default setup directory ?(note : is not change webpage
>> directory in iis )
>>
>> because that is best way to increase iis security.
>
>
> You cannot change IIS default setup directory.
>
> Why do you think changing IIS setup directory is best way to increase
> IIS security?
>
> Security through Obfuscation is a fallacy. It does not improve
> security at all.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>

Re: How to change iis setup directory

am 10.11.2007 07:52:48 von Roger Abell

I have to agree with your comments and add that my experience
with IIS since v3 is the same, and that is without it being behind
a firewall !

"Rick Barber" wrote in message
news:OdPL96sIIHA.4880@TK2MSFTNGP03.phx.gbl...
>I will add that we have been running IIS since 1996 and have never had a
>successful web server attack. We have had some web application attacks,
>but all of those have been due to other reasons such as users having weak
>passwords (like 'password'), not properly validating data (such as an input
>form being directly referenced into a WHERE clause of a SELECT statement),
>and so forth. In all of those cases, the attacker was only able to
>compromise that single application and not any of the other sites on the
>server. One of the biggest causes of web server attacks is poor systems
>administration. If permissions are not properly setup and sites are not
>running as a restricted user, then there will be attacks on the web server.
>
> --
> Rick Barber
>
> http://www.orcsweb.com
> Managed Complex Hosting
> #1 in Service and Support
>
> "David Wang" wrote in message
> news:1194600823.334930.212220@z24g2000prh.googlegroups.com.. .
>> On Nov 8, 8:42 pm, "zhulonghui" wrote:
>>> How to change iis default setup directory ?(note : is not change webpage
>>> directory in iis )
>>>
>>> because that is best way to increase iis security.
>>
>>
>> You cannot change IIS default setup directory.
>>
>> Why do you think changing IIS setup directory is best way to increase
>> IIS security?
>>
>> Security through Obfuscation is a fallacy. It does not improve
>> security at all.
>>
>>
>> //David
>> http://w3-4u.blogspot.com
>> http://blogs.msdn.com/David.Wang
>> //
>>
>
>

Re: How to change iis setup directory

am 10.11.2007 07:56:09 von Roger Abell

There is no need to change the default location.
If you select the parts of IIS to be installed
you end up with very little in inetpub.
All of it can be moved to desired location after
the install completes, meaning that inetpub is
then no longer used for anything.
Changing the location of webs may help secure
the OS install if you allow untrusted user content
publishing to web applications and/or allow ..
parent paths, but that help is just an extra layer
of protection which really would not come into play
if the OS and IIS is otherwise sanely configured
and secured.

Roger

"zhulonghui" wrote in message
news:1B9E33B8-8E0B-42AC-B79E-2C15C24FCE2C@microsoft.com...
> How to change iis default setup directory ?(note : is not change webpage
> directory in iis )
>
> because that is best way to increase iis security.