RE: Apache VS IIS Securiyt model question

From: Ken Schaefer (ken@adopenstatic.com)
Date: Mon Sep 13 2004 - 23:10:14 EDT

• Next message: GMHoward: "RE: Problem with Hacme Bank Install"
• Previous message: Sam Evans: "VMWare ESX Server information"
• Next in thread: Dinis Cruz: "(Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question"
• Reply: Dinis Cruz: "(Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question"
• Maybe reply: Dinis Cruz: "RE: Apache VS IIS Securiyt model question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I'm pretty sure that Mike is talking about NTFS permissions (and Windows users and groups). Can you point us to how ASP.NET code running as fully trusted gets around that?

Cheers
Ken

 -------- Original Message --------
> From: "Dinis Cruz" <dinis@ddplus.net>
> Subject: RE: Apache VS IIS Securiyt model question
>
> Please note that these security settings will only be relevant (in IIS) in a
> Partially Trusted Website (i.e. the Asp.Net code is NOT running with Full
> Trust).
>
> If the code is running with Full Trust, then most likely those security
> permissions will be easily bypassed.
>
> Dinis Cruz
> .Net Security Consultant
> DDPlus
>
> > -----Original Message-----
> > From: mthompson [mailto:mthompson@brinkster.com]
> > Sent: 11 September 2004 01:56
> > To: webappsec@securityfocus.com; pen-test@securityfocus.com
> > Subject: Apache VS IIS Securiyt model question
> >
> > Hello,
> >
> > I am doing research and I am stuck.
> >
> > Pitch: In IIS there is the ability to set permissions on a per website
> > basis. In other words the ability to limit access to files and
> > directories based on the users credentials that the website is running
> > under. Additionally, you would in turn add this user to a group and
> > apply group permissions to an object that needed to be accessed by more
> > than one site.
> >
> > Question: Is there a similar security model for apache that would allow
> > credentials from a user to run a virtual website and access files only
> > for a specific virtual site.
> >
> > Also, does any one have a diagram of the apache process?
> >
> > Thanks,
> >
> > Mike
> >

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: GMHoward: "RE: Problem with Hacme Bank Install"
• Previous message: Sam Evans: "VMWare ESX Server information"
• Next in thread: Dinis Cruz: "(Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question"
• Reply: Dinis Cruz: "(Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question"
• Maybe reply: Dinis Cruz: "RE: Apache VS IIS Securiyt model question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT