Date: Mon, 18 Jan 1999 11:58:06 -0800
From: Adam Berns <adamb@UBET.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IIS4.0 and Visual Interdev

Using Visual Interdev 6.0, I can connect to an IIS 4.0 Server without
being asked for any security passwords.

The server is running IIS4.0, with Service Pack 4, with the following
patches:

The enhanced Security Configuration manager, with the hisecdc4
configuration
Front Page Server Extension, with it configuring the <root web> security
The ASP.dll Patch (q177036 kb article)
The msiisp1i386 Patch (q148188 kb article)
The ctrfix (q185349 kb article)
The IISUPDI Patch (q192224 kb article)
The nprpc Patch (q195733 kb article)
The ftpfix Patch (q189262 kb article)
The iis4-datafix (q188806 kb article)

The persimmons on the root web directory are as follows:

Drive:\webroot
    Administrators: Full
    Interactive: List
    Network:  RX
    System: Full

Drive:\webroot\public_html (root web)
    Administrators: None
    Interactive: List
    Internet Guest Account:  RX

I have encountered multiple sites using IIS4 that I can attach to with
visual Interdev 6.0 and make changes to their websites.  This does not
even show up in the even log as a logon session.

The site in question is not the one listed in my signature below.


~~~~~~~~~~~~~
Adam Berns
Systems Administrator
Silicon Gaming, Inc.
adamb@ubet.com
http://www.silicongaming.com
650-798-7813 desk
650-798-8223 fax
415-307-8746 cell

-----------------------------------------------------------------------

Date: Tue, 19 Jan 1999 13:08:38 -0500
From: Christopher Timmons <ctimmons@NORTELNETWORKS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IIS4.0 and Visual Interdev

The problem most likely is that he has applied pre-SP4 hotfixes which do not
contain the newset code... only the following post-SP4 have been released:

clik-fix (Q195540.TXT)
nprpc-fix (Q195733.TXT)
sms-fix (Q196270.TXT)
tcpip-fix (Q195725.TXT)

One of them (roll-up) has been removed and will be reposted later

As for IIS4:

ftp-fix (Q189262.TXT)
IIS4-datafix (Q188806.TXT)
infget-fix (Q192296.TXT)
sfn-fix (Q179148.TXT)
ctr-fix (Q185349.TXT & Q188832.TXT)


So, the problem is someone NOT reading the Knowledge Base notes that go with
the fixes.  Here are your cuplrits:

> The msiisp1i386 Patch (q148188 kb article)
> The ASP.dll Patch (q177036 kb article)

These are both PRE-SP4 and PRE-NT4 Option Pack

~
Christopher Timmons        Ph:  763-6620
Security Technology,  Nortel Networks

With special thanks for this fix to:

----------
Patrick Timmons (MCSE+I - MCT)
Integrator Systems
http://www.int-sys.com