Security hole in Windows servers? - Windows NT


  1. Security hole in Windows servers?

    I always use UNIX servers and have never seen this problem before, so I
    am at a loss as to whether it is a setup problem, or a general security
    hole in MS web servers.

    I installed some cgi on a client's website. The website is running a
    Windows server. After installing and getting it running I discovered a
    huge security hole in the system. I can go to the cgi-bin directory,
    and any of the directories off the cgi-bin directory and download any
    file there that does not end with .pl or .cgi. So the configuration
    file, cgi passwords, and files that are not supposed to be accessible
    which are placed in the cgi-bin for that reason, can all be easily
    downloaded.

    Is this a general problem with MS servers, or does the web hosting
    company they are using have the system configured wrong? If it is set up
    wrong, what can I tell the hosting company? If it is a general MS
    platform security problem, is there a workaround? I haven't a clue as I
    have never done anything on a Windows server before.

    Marshall


  2. Re: Security hole in Windows servers?

    On Thu, 07 Aug 2003 11:18:56 -0400, Marshall Dudley
    wrote:

    >I installed some cgi on a client's website. The website is running a
    >Windows server. After installing and getting it running I discovered a
    >huge security hole in the system. I can go to the cgi-bin directory,
    >and any of the directories off the cgi-bin directory and download any
    >file there that does not end with .pl or .cgi. So the configuration
    >file, cgi passwords, and files that are not supposed to be accessible
    >which are placed in the cgi-bin for that reason, can all be easily
    >downloaded.


    In the Unix world, CGI-BIN has a meaning and a set of security
    settings allowing execute but no download, etc. In the Windows world,
    there's no meaning at all and CGI-BIN is just another folder. You
    need to configure whatever access you wish for that folder. It may
    not be in your power to change the permissions, but your ISP certainly
    can. While I'd put the files into a separate folder and set
    permissions there, you can set permissions on a file basis as well.
    You can configure security within IIS and at the OS level, and should
    use a combination to achieve your desired outcome.

    Jeff
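
A local audit of the situation described in this thread, as an added example that is not part of either post: it walks a cgi-bin tree and lists every file that does not end in .pl or .cgi, which per the original post the server hands out as a download. The function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# Extensions the original post says are executed rather than downloaded.
SCRIPT_EXTENSIONS = {".pl", ".cgi"}


def downloadable_files(cgi_root, script_exts=SCRIPT_EXTENSIONS):
    """Return paths (relative to cgi_root, '/'-separated) of files that are
    not scripts and would therefore be served as plain downloads."""
    exts = {e.lower() for e in script_exts}
    exposed = []
    for dirpath, _dirs, files in os.walk(cgi_root):
        for name in files:
            # Windows file names are case-insensitive, so compare lowercased.
            ext = os.path.splitext(name)[1].lower()
            if ext not in exts:
                rel = os.path.relpath(os.path.join(dirpath, name), cgi_root)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree(root):
    """Create a constructed cgi-bin layout for the demonstration."""
    layout = {
        "cart.pl": "#!perl\n",
        "SEARCH.CGI": "#!perl\n",
        "config.txt": "admin_password=constructed-example\n",
        "data/orders.db": "constructed\n",
        "data/lib/helper.pm": "package helper; 1;\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return downloadable_files(tmp)


if __name__ == "__main__":
    for path in demo():
        print("served as a download:", path)
```

Anything it lists is a candidate for the separate folder with its own permissions that the reply recommends.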
