DATE: COMMAND SOURCE: AUTHOR: IIS

SYSTEMS AFFECTED

Win NT

PROBLEM

The following information came from Chris Borneman.

When securing your site based on membership (who you are, not where you are located), IIS turns to NTFS and the security access associated with the file. For instance, in IIS you have the ability to say "Allow Anonymous". This is used in conjunction with the "Anonymous Logon". The reason is simple: files that can be accessed by the account specified in "Anonymous Logon" can be accessed by any Web user hitting your site. If the "Anonymous Logon", usually IUSR_machine_name, cannot access the file, IIS sends back an "access denied, please give your credentials", allowing either Basic Authentication (clear text) and/or Windows NT Challenge/Response. If the credentials match the access to the file in question, the file is sent.

Try this for yourself. Create a directory under your wwwroot and use the NT Explorer to revoke rights on that directory and any subdirectory, and only allow the SYSTEM and your specific account access (make sure it isn't the IUSR_machine_name account). Place an htm file in that directory, then access it from Internet Explorer. You'll be asked to give your user name and password (assuming you allow Basic Authentication and turn off Windows NT Challenge/Response).

However, if you do the same for a script, IIS still _executes_ it and sends back the results. This isn't an issue of "Read" vs. "Execute". The script isn't readable. The directory I'm dealing with has "Read" off and "Execute" on. However, the script also shouldn't be accessible or run until I provide my credentials, and that is the SECURITY HOLE. Netscape's Server does this _correctly_, so why not Microsoft?

Try the following in a command prompt DOS box:

TYPE C:\AUTOEXEC.BAT..

Windows NT types out the file C:\AUTOEXEC.BAT, even though C:\AUTOEXEC.BAT.. was requested and it doesn't exist. This is why IIS failed, due to an OS bug that Microsoft gladly skated around and blamed IIS. IIS is supposed to access _every_ file within the thread context of either anonymous, or the specific Web user. IIS does this for all non-script files. However, it does not for script files.

EXPLOIT

SOLUTION

Well, someone mentioned leaving IIS and going to Netscape server.
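The following is an added example, not part of Chris Borneman's report and not Microsoft's or IIS's code. It gives an administrator two checks for the two problems described above: a canonical-name check that flags request paths Windows NT would silently map onto a different file (the trailing-dot behaviour shown with TYPE C:\AUTOEXEC.BAT..), and an anonymous-request audit that confirms every resource under an ACL-protected directory, script or static page alike, is challenged rather than served. The hostname and file names used in the usage block are constructed placeholders; the `fetch` parameter exists so the audit can be run against constructed responses without a server.

```python
"""Administrator checks for the IIS behaviour described in the advisory.
Constructed example; not IIS or Microsoft code."""
import sys
import urllib.error
import urllib.request


def canonical_nt_name(path: str) -> str:
    """Windows NT ignores trailing dots and spaces in each path component,
    so 'C:\\AUTOEXEC.BAT..' opens C:\\AUTOEXEC.BAT. Return the name the OS
    would actually open. Conservative by design: the relative components
    '.' and '..' also collapse to '', so they count as non-canonical too."""
    sep = "\\" if "\\" in path else "/"
    return sep.join(part.rstrip(". ") for part in path.split(sep))


def is_canonical_request(path: str) -> bool:
    """True only when the requested path is already the form the OS opens.
    A server should refuse anything else instead of letting the filesystem
    map the request onto a file the requester was not checked against."""
    return canonical_nt_name(path) == path


def anonymous_get(url: str, timeout: float = 10.0) -> int:
    """Fetch url with no credentials and return the HTTP status code.
    urllib sends no Authorization header unless told to, so this is the
    same request the IUSR_machine_name account answers for."""
    req = urllib.request.Request(url, headers={"User-Agent": "acl-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_protected_urls(urls, fetch=anonymous_get):
    """For URLs under a directory whose NTFS ACL excludes the anonymous
    account, an unauthenticated request must be challenged (401) or refused
    (403). A 200 means the server sent, or executed, the resource without
    impersonating the requester, which is the hole the advisory describes.
    Returns a list of (url, status, verdict) tuples."""
    report = []
    for url in urls:
        status = fetch(url)
        if status in (401, 403):
            verdict = "PROTECTED"
        elif status == 404:
            verdict = "MISSING"
        else:
            verdict = "EXPOSED"
        report.append((url, status, verdict))
    return report


def exposed(report):
    """URLs that were served to an anonymous request."""
    return [url for url, _, verdict in report if verdict == "EXPOSED"]


if __name__ == "__main__":
    # Usage: python audit.py http://webserver.example/private/page.htm ...
    # (constructed hostname; pass the real URLs under your protected directory)
    targets = sys.argv[1:]
    for entry in audit_protected_urls(targets):
        print("%-9s %3d %s" % (entry[2], entry[1], entry[0]))
    for url in targets:
        if not is_canonical_request(url):
            print("NON-CANONICAL request path:", url)
    sys.exit(1 if exposed(audit_protected_urls(targets)) else 0)
```

Run it with one static page and one script from the protected directory: on a server that impersonates the requester for every access, both come back PROTECTED; the behaviour reported above shows up as the script line reading EXPOSED with status 200 while the htm line reads PROTECTED with 401.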