Hacking IIS
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Hacking IIS

  1. #1

    Question Hacking IIS

    Don't neg me! This is all white hat, pro-security stuff.

    Here's the situation:

    One of our clients has a site set up within IIS, and each of their clients has a username/login and virtual directory all their own within the one site.

    Problem is, if you're logged in, all you have to do is move up a directory to see everyone else's directory, so it's not the least bit secure.

    The solution to this is to have isolation turned on. However, you can only activate isolation when creating the site; it is impossible to activate isolation after creation of the site, so supposedly the only way to resolve this blatant security hole is to delete the entire site (which is loaded with a good many of their clients's virtual directories that they FTP into), subdirectories and all, and recreate the whole thing from scratch. Yeah, not exactly practical.

    However, I've been told that there are some registry hacks that will allow you to turn on isolation post-creation. So question is: Has anyone heard of this and may be familiar with it? Is there truly a way to hack IIS so that you can set up isolation, thus disallowing users from seeing other users' directories, without having to recreate the entire dang site?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Back up... Delete the folder structure... restore... apply the appropriate permissions to the user(s)... relax... Only use a basic backup program that doesn't back up the current ACL's...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    But M$ says no, no, don't do that, bad admin!

    After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.
    So it's basically saying you better not make any changes without totally deleting the site. Are they just being too stiff about it or what?

    LINK

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm sorry.. I thought I said delete the whole damn thing....

    I must be getting old...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Oooh ok, so you're saying backup folder structure, delete entire site, recreate site, then restore folder structure, right?

    Yeah...I caught that the first time, I was just...um...testing you...

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK... Maybe I wasn't clear about getting rid of the site...

    I'd actually uninstall IIS and reinstall... It only takes 5 mins to do... But it puts you back at "ground zero" so to speak...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    Maybe Im missing something but, if they are logging why can't you restrict them using NTFS rights on the users folders?

    It is not the prettiest way but I am doing this on one of my servers and it works with no problems.
    Work... Some days it's just not worth chewing through the restraints...

  8. #8
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    Maybe Im missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?

    It is not the prettiest way but I am doing this on one of my servers and it works with no problems.
    Work... Some days it's just not worth chewing through the restraints...

  9. #9
    Maybe Im missing something but, if they are in logging why can't you restrict them using NTFS rights on the users folders?
    I was actually wondering the same thing. If that works, why does MS insist upon it being impossible to change isolation after creation? Why can't you just go in and change NTFS permissions?

  10. #10
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    I have not tried this with 2003 but I know it works with 2000. Give it a try
    Work... Some days it's just not worth chewing through the restraints...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •