COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0

PROBLEM

    JWNTUG (Japan Windows NT Users Group) reported MS about a kind  of
    DoS problem  on mailroot  and ftproot  directories of  IIS.  Those
    directories   (C:\Inetpub\ftproot,\mailroot)   are   readable  and
    writable  for  everyone.   So  they  tested  following  script  as
    C:\inetpub\mailroot\fill.bat

        :fill
        copy drop\*.* pickup
        goto fill

    This script  can be  executed by  any user  and hard  disk will be
    filled  with  emails  soon  after  some  emails  come  into "drop"
    directory.   JWNTUG tested  also from  Terminal Server.   It works
    well.   In addition,  any user  can read  and write  email in drop
    folder.

    Any local  user on  an NT  Server is  normally limited  to admins,
    server ops, and account ops.  Check your "right to log on locally"
    to see how your's is set.

        :eat_space
        type foo >> bar
        goto eat_space

    Does the same thing, and can be executed in several places on  the
    hard drive.   This is  one reason  why you  should place  the user
    shares,  web  site,  and/or  print  spool on a different partition
    than  the  system  when  installing  a  server.   It also tends to
    simplify certain security measures.  This type of 'attack' is  one
    very good  reason why  ordinary users  are not  allowed to  log on
    locally  at  a  server.   The  users  who  _are_  allowed to logon
    locally could create a denial of service using many other methods,
    such as making a mistake with the registry editor.

SOLUTION

    Those permissions shouldbe tightened.   Microsoft is going to  add
    this to the IIS Security Checklist at

        http://www.microsoft.com/security/products/iis/CheckList.asp

    to make sure that customers know  that they need to do this.   The
    way  around  this  problem  in  Win2k  is  to  use  disk   quotas.
    Intelligent  use  of  Terminal  Server  means that you should take
    some care to manage the  permissions on the machine.   Running IIS
    and TS (as an app server, not to enable remote admin) on the  same
    machine  could  be  a  bit  tricky,  and isn't a configuration one
    would find easy to secure.

    Chapter  8  of  the  IIS  Resource  Kit  is an excellent source of
    security information,  and contains  a good  section on  suggested
    file system  permissions (pp  355, 356).   There are  also some KB
    articles regarding IIS and minimum permissions:

        http://support.microsoft.com/support/kb/articles/Q187/5/06.ASP

    This  one  addresses  FrontPage  permissions,  which  are a common
    source of error:

        http://support.microsoft.com/support/kb/articles/Q216/7/05.ASP

    The resource kit  also goes into  some detail regarding  FrontPage
    permissions.