Saturday, March 31, 2012

Web Server Config

.NET Framework is installed in IIS and it uses its default installation, i.e. everything is in inetpub/wwwroot.

Everyone worth their 2 cents will tell you that an experienced web administrator will change the default folder name of inetpub/wwwroot as the basic DOS attack is launched from there.

If the web server has its wwwroot name changed to something other than the default, asp.net will NOT work with the default .NET Framework installation, and because asp.net is designed to work with classic asp, we are not supposed to change the asp.net default configuration from the IIS MMC. We are supposed to do it with the XML-based machine.config file.

Does anyone know how to change it so that ASP.NET will work on aspx pages in a web folder changed from inetpub/wwwroot?

I'm not much of an admin, but couldn't you just create a website in a directory other than wwwroot and delete the default, all through IIS?

You should be able to create a virtual directory for your app anywhere you want... Unless I don't quite understand what you are asking.

True Cander, ASP.NET will work on any website and any virtual directory.

"Everyone worth their 2 cents will tell you that an experienced web administrator will change the default folder name of inetpub/wwwroot as the basic DOS attack is launched from there."

SoftwareMaker, what you're saying doesn't make any sense at all. What has the name of your website, or the mapping of that website to a physical location on the filesystem, to do with a DOS attack? Nothing!

Ok, let me explain.

A basic DOS attack comes from fooling the server to execute a command on the server... e.g. cmd.exe... (execute your command here)

In IIS 4 without any patches, an attack can be sent to the server from the browser address bar to run a command on the server. Of course, any commands have to be valid and run from a valid directory. In IIS 4, the server could not parse apart certain strings... a long story... (fool the // with %20 and so on). So technically, if you can get to the root of the directory, bingo, you can execute the cmd.exe command. With IIS, the root is always inetpub/wwwroot.

Experienced administrators with enterprises change all the default settings of the default folder (of course, enterprises don't use IIS for their server) to escape this form of attack. Of course, the new server software is better now, BUT people still do change the default name of the webroot just to be safe...

Ask around and you will see most of them do.

SoftwareMaker, from the sounds of it, the method of your defense only goes to the level that you nest your home directory in. On top of it, I think that any web admin "worth their 2 cents" would actually apply any patches the second they're available.

Yep... you're right, Shawn.

Anyways, it seems people take offense at my statement about the 2 cents worth... It's just a figure of speech. It is not meant to offend anyone.

"A basic DOS attack comes from fooling the Server to execute a command on the server...eg.cmd.exe...(execute your command here)"

SoftwareMaker, that's not true!!

What you're talking about is a known buffer overflow bug in IIS. A DOS attack is a totally different thing.

DOS attacks occur when a system is flooded with traffic to the point that it is unable to process legitimate service requests.

OK gijsj

you're right...

I have managed to solve the problem of this thread.

Thanks everyone
