Security Basics mailing list archives
Re: Please help ! need to check IIS vulnerabilities.
From: miguel.dilaj () pharma novartis com
Date: Tue, 23 Nov 2004 08:55:25 +0000
Hi Juan,

Don't worry, no one is perfect. You'll surely improve over time ;-)

Now to your question. Don't throw everything but the kitchen sink at the server. Usually one or two vulnerability assessment tools are more than enough, and Nessus (if kept up to date) is fairly reliable. The questions you have to ask are different, for example (and in no particular order):

1) I'm running IIS, Apache, whatever, and Nessus reports problem XXXXX. Do I know how to verify whether this problem is true or a false positive? If it's true... do I know how to patch it?
2) How often do I update Nessus (main executable) and the NASL plugins?
3) Are my servers running any kind of web application that can be prone to other types of attacks? (Examples: password bruteforcing, SQL Injection, path/information disclosure, command execution, Java/ASP/whatever source code disclosure, etc.)
4) Are there any OTHER avenues of attack other than the webservers? Other services? Other servers? Vulnerable network devices?
5) Is the configuration of the DMZ "watertight"? (In particular: connections STARTING in the DMZ must be forbidden.)
6) Do a port scan of all machines/devices in the DMZ, deactivate anything that's not needed, and keep that information as your baseline.
7) etc ;-)

You can combine Nessus with Nikto to help *a bit* with web application testing, if you're using one or more web apps, but the art of pen-testing web applications hasn't been automated, yet ;-)

Last words: start to learn and practice to BE a hacker. At least to think like one. Remember that hackers are not bad guys, it's just the bad press.

Cheers,

Miguel aka Nekromancer

Juan B <juanbabi () yahoo com>
22/11/2004 14:56
To: security-basics () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Please help ! need to check IIS vulnerabilities.

Hi,

I'm a sys admin new to security. I want to scan all the web servers we have in the DMZ for vulnerabilities. I check them with Retina and Nessus. What else to check? And with which tool? I AM NOT A HACKER ! thanks !!
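Point 6 of the reply (scan the DMZ, switch off what is not needed, keep the result as a baseline) is only useful if later scans are actually compared against that baseline. The following is an added example, not code from the thread: it parses a constructed, simplified "host port/proto service" listing (the format, hosts and ports are all made up for the example) and reports drift between a stored baseline and a fresh scan.

```python
"""Diff a DMZ port-scan baseline against a later scan and flag drift."""
from collections import defaultdict

# Constructed sample data: one "host port/proto service" line per open port.
# This is a simplified format for the example, not any real scanner's output.
BASELINE_SCAN = """\
10.0.1.10 80/tcp http
10.0.1.10 443/tcp https
10.0.1.11 80/tcp http
10.0.1.11 3389/tcp ms-wbt-server
"""

CURRENT_SCAN = """\
10.0.1.10 80/tcp http
10.0.1.10 443/tcp https
10.0.1.10 1433/tcp ms-sql-s
10.0.1.11 80/tcp http
10.0.1.12 21/tcp ftp
"""


def parse_scan(text):
    """Return {host: {(port, proto): service}} from the constructed format."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, portproto, service = line.split(maxsplit=2)
        port, proto = portproto.split("/")
        hosts[host][(int(port), proto)] = service
    return dict(hosts)


def diff_scans(baseline_text, current_text):
    """Return hosts and ports that appeared since the baseline, and ports that closed."""
    base, cur = parse_scan(baseline_text), parse_scan(current_text)
    new_hosts = sorted(set(cur) - set(base))
    new_ports = []  # (host, port, proto, service): open now, absent from baseline
    closed_ports = []  # (host, port, proto): in baseline, no longer open
    for host in sorted(set(base) | set(cur)):
        b, c = base.get(host, {}), cur.get(host, {})
        new_ports += [(host, p, pr, c[(p, pr)]) for p, pr in sorted(set(c) - set(b))]
        closed_ports += [(host, p, pr) for p, pr in sorted(set(b) - set(c))]
    return {"new_hosts": new_hosts, "new_ports": new_ports, "closed_ports": closed_ports}


if __name__ == "__main__":
    report = diff_scans(BASELINE_SCAN, CURRENT_SCAN)
    for host in report["new_hosts"]:
        print(f"NEW HOST  {host} - not in baseline, who put it in the DMZ?")
    for host, port, proto, svc in report["new_ports"]:
        print(f"NEW PORT  {host} {port}/{proto} ({svc}) - investigate or deactivate")
    for host, port, proto in report["closed_ports"]:
        print(f"CLOSED    {host} {port}/{proto} - update the baseline if intended")
```

Every new host or port in the report is either a change someone can account for (then the baseline is updated) or something to investigate.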