Security Guide for ISPs Providing Windows-based Shared Hosting Services
London, 13 June 2003
Security company DDPlus (www.ddplus.net) has released a security guide containing a solution for long-standing security problems faced by ISPs currently providing Windows-based shared hosting services.
Shared hosting environments using Microsoft Windows 2000 with IIS 5.0 and FrontPage Server Extensions 2002 (FPSE2002) have several critical vulnerabilities that, if not eliminated, will allow any authenticated user to:
. browse the folders of all websites hosted in that server
. see the content of all files from all websites hosted in that server
. remotely execute commands in that server
These are very serious vulnerabilities and, when present, violate the confidentiality and integrity of all hosted websites.
DDPlus research confirmed that these vulnerabilities are widespread in ISPs that use Windows 2000 Servers with IIS 5.0 and FPSE2002 (or SharePoint Team Services) to host hundreds of websites (corporate companies and governments that maintain their own Windows 2000 web servers should also be vulnerable).
DDPlus is a UK-based security company that has actively worked on several security projects involving IIS 5.0 and SharePoint Team Services. After careful research and extensive testing, DDPlus found solutions for the mentioned security vulnerabilities.
The guide aims to help ISPs and IIS administrators by providing technical solutions, methodologies and a step-by-step explanation of how to build secure IIS 5.0 servers.
DDPlus decided to publish the guide because there is currently no public technical document published by Microsoft that explains how to securely deploy IIS 5.0 servers in a shared hosting environment. Microsoft has confirmed to DDPlus the existence of these problems in Windows 2000 servers and that it will soon publish a white paper on “securing shared hosting in Windows 2003 server”.
Since the guide contains code that allows the exploitation of the security vulnerabilities, DDPlus is being very cautious about controlling its distribution, and initially intends to provide the guide only to named security contacts within ISPs and to a limited number of companies that manage IIS 5.0 servers within their organization.
To request a copy of the guide, send an email to security.guide@ddplus.co.uk containing the following information: Name, Company, Position, Email and reason for requesting the security guide.