Date: Mon, 18 Jan 1999 11:58:06 -0800 From: Adam Berns To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: IIS4.0 and Visual Interdev Using Visual Interdev 6.0, I can connect to an IIS 4.0 Server without being asked for any security passwords. The server is running IIS4.0, with Service Pack 4, with the following patches: The enhanced Security Configuration manager, with the hisecdc4 configuration Front Page Server Extension, with it configuring the security The ASP.dll Patch (q177036 kb article) The msiisp1i386 Patch (q148188 kb article) The ctrfix (q185349 kb article) The IISUPDI Patch (q192224 kb article) The nprpc Patch (q195733 kb article) The ftpfix Patch (q189262 kb article) The iis4-datafix (q188806 kb article) The persimmons on the root web directory are as follows: Drive:\webroot Administrators: Full Interactive: List Network: RX System: Full Drive:\webroot\public_html (root web) Administrators: None Interactive: List Internet Guest Account: RX I have encountered multiple sites using IIS4 that I can attach to with visual Interdev 6.0 and make changes to their websites. This does not even show up in the even log as a logon session. The site in question is not the one listed in my signature below. ~~~~~~~~~~~~~ Adam Berns Systems Administrator Silicon Gaming, Inc. adamb@ubet.com http://www.silicongaming.com 650-798-7813 desk 650-798-8223 fax 415-307-8746 cell ----------------------------------------------------------------------- Date: Tue, 19 Jan 1999 13:08:38 -0500 From: Christopher Timmons To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: IIS4.0 and Visual Interdev The problem most likely is that he has applied pre-SP4 hotfixes which do not contain the newset code... only the following post-SP4 have been released: clik-fix (Q195540.TXT) nprpc-fix (Q195733.TXT) sms-fix (Q196270.TXT) tcpip-fix (Q195725.TXT) One of them (roll-up) has been removed and will be reposted later As for IIS4: ftp-fix (Q189262.TXT) IIS4-datafix (Q188806.TXT) infget-fix (Q192296.TXT) sfn-fix (Q179148.TXT) ctr-fix (Q185349.TXT & Q188832.TXT) So, the problem is someone NOT reading the Knowledge Base notes that go with the fixes. Here are your cuplrits: > The msiisp1i386 Patch (q148188 kb article) > The ASP.dll Patch (q177036 kb article) These are both PRE-SP4 and PRE-NT4 Option Pack ~ Christopher Timmons Ph: 763-6620 Security Technology, Nortel Networks With special thanks for this fix to: ---------- Patrick Timmons (MCSE+I - MCT) Integrator Systems http://www.int-sys.com