On Thu, 5 Dec 1996, Joseph L. Moll wrote:
> We have noticed a little problem with IIS 2.0 and were wondering if the
> problem also exists in IIS 3.0.
IIS 3.0 and 2.0 are essentially the same product. You can download a number
of components (such as Active Server Pages, Index Server, etc.) that
enhance the capability of IIS 2.0 -- thus making it 3.0.
> It seems that anyone can browse the any files in the cgi-bin directory on
> the server. For example, browse this on your IIS web host:
Always associate files that are meant to be executed to be executed. If
*.cgi files are meant to be executable, then by all means make that file
type association. That way, when a user requests a *.cgi file by name, the
server will try to execute the script instead of sending it back.
Also, _always_ turn off directory browsing. Why make it any easier for
anyone to snoop around. Accidents happen and you could leave a file in a
publically accessible directory without knowing it.
> IIS 2.0 in conjunction with M$ Internet Exploder passes the end users
> domain and username to the IIS for access. Get's logged in the log file
> as DOMAIN\USERNAME.
Read up on the security chapter in the IIS documentation, please. That's a
feature. If you don't want it, turn it off.
Patrick Lee <pat @