IIS configuration error leads to increased threat, Microsoft says Staff

Microsoft said an Internet Information Services (IIS) parsing extension issue, which could lead to a vulnerable system, is not a flaw that can be patched, but an IIS configuration error that can be avoided by following best practices.

Microsoft IIS best practices:

IIS 6.0 security best practices: Microsoft TechNet document outlines best practices for configuring the Web server.


The software giant issued an update on its blog last week, giving links outlining best practices for configuring the IIS Web server. A security expert warned last week about the discovery of a parsing extension vulnerability that could be exploited to pass malicious code and ultimately gain control of the Web server. The issue was described as an error in the way IIS 6 handles semicolons in URLs.

But Microsoft's Christopher Budd explained on the company's Security Response Center blog that the issue is an IIS configuration error that could lead to a vulnerable system. The out-of-the-box, default configuration will not enable an attacker to bypass content filtering software to upload malicious code to the Microsoft Web server.

"This is not the default configuration for IIS and is contrary to all of our published best practices," Budd wrote. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."

Budd added that users of IIS with both "write" and "execute" privileges on the same directory should review best practices and make changes to mitigate similar threats to the Web server.
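One way to carry out the review Budd recommends, as an added example that is not from the article or from Microsoft: the script scans an IIS 6 MetaBase.xml export for directories whose effective access flags combine write with execute or script permission. The sample XML is constructed and simplified; the function names, counting AccessScript as "execute", and resolving unset flags from the nearest parent key are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample modeled on an IIS 6 MetaBase.xml (not from the article).
SAMPLE_METABASE = """<configuration>
 <MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/images" AccessFlags="AccessRead"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/uploads" AccessFlags="AccessRead | AccessWrite | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/uploads/avatars"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/cgi" AccessFlags="AccessRead | AccessWrite | AccessExecute"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/drop" AccessFlags="AccessWrite"/>
 </MBProperty>
</configuration>"""

DIR_TAGS = ("IIsWebVirtualDir", "IIsWebDirectory")
RUN_FLAGS = {"AccessExecute", "AccessScript"}  # assumption: script permission counts as "execute"

def parse_flags(value):
    """Split 'AccessRead | AccessWrite' into a set of flag names."""
    return {f.strip() for f in value.split("|") if f.strip()}

def effective_flags(location, explicit):
    """Walk up the metabase path until a key with explicit AccessFlags is found."""
    path = location
    while path:
        if path in explicit:
            return explicit[path]
        path = path.rpartition("/")[0]
    return set()

def find_write_execute(xml_text):
    """Return (Location, flags) for every directory that is writable and runnable."""
    root = ET.fromstring(xml_text)
    # Strip any XML namespace so real exports with an xmlns attribute also match.
    nodes = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] in DIR_TAGS]
    # Metabase paths are case-insensitive, so compare them upper-cased.
    explicit = {e.get("Location").upper(): parse_flags(e.get("AccessFlags"))
                for e in nodes if e.get("AccessFlags") is not None}
    findings = []
    for e in nodes:
        flags = effective_flags(e.get("Location").upper(), explicit)
        if "AccessWrite" in flags and flags & RUN_FLAGS:
            findings.append((e.get("Location"), sorted(flags)))
    return findings

if __name__ == "__main__":
    for loc, flags in find_write_execute(SAMPLE_METABASE):
        print(f"WRITE+EXECUTE {loc}: {' | '.join(flags)}")
```

The `uploads/avatars` entry in the sample sets no flags of its own and is reported because it inherits write and script access from `uploads`, which is the case a directory-by-directory look at explicit settings would miss.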
