
Plesk Default installation Vulnerabilities

I don't understand what you expect from a control panel... to be a Bank???

A Control Panel is an automated system for hosting. The only thing (for security) it is responsible for is creating different users with different permissions for the INETPUB folder. That's all.

If everything was done by Plesk, what does a system administrator have to do then????

1. ASP.NET
YOU must edit and set the right permissions. ASP.NET is not a Plesk product. The same goes for Merak.

2. Don't use AwStats. They kill the server even without vulnerabilities.

3. Install a firewall and close ports you don't use.

4. Every OS is vulnerable. But using the system account can't be considered a vulnerability. If you want, just create different accounts for every service. You can't expect Windows to do that, because it is mostly third-party software that chooses to use System as the service account. If you don't want that, just change it.

5. Tools like IISLockDown have existed for 5 years now. Even for free.

6. If an attacker has enough access to install Serv-U, why doesn't he just take control of the system directly, instead of first installing Serv-U and then taking control...:confused:

Come on...
You want software that will be able to do what you have in your mind, without pressing a key on the keyboard... or better, what you will have in your mind in the future :p
 
Hm, anybody know how I can fix this remview.php script? I got freaked out: I installed it on one client site, as he could also, and he can have access to all the files on my Windows box through the web interface. Come on! This is not a security flaw, this is too huge a risk to run a web server at all :-(

There must be something to fix this so script browsers couldn't go outside of his folder, isn't there?

Jerry
 
Originally posted by jerry2
There must be something to fix this so script browsers couldn't go outside of his folder, isn't there?

Jerry

Jerry,

What you need to look at is the security context which the script runs under. In this case it is of the IUSR family, which receives Guests permission, which in turn has User permissions. What you will also find is that Plesk has set up the group psacln. The psacln group contains all the IUSR, IWAM and FTP logins.

So what you need to do is explicitly deny access to this group where you don't wish this group to have access. As with all security permissions, a deny overrides a permit. Therefore a deny for the psacln group will override a permit for BUILTIN\users.

Also have a look at the following for some IIS tips:

http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci997908,00.html

I hope this helps ...

Michael
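As an added illustration of Michael's advice (example code, not from the post or from Plesk): a PowerShell function that places an explicit Deny ACE for the psacln group on a folder, plus a helper that lists the resulting entries so you can confirm the Deny sits ahead of the inherited BUILTIN\Users Allow. The folder path is a placeholder; psacln is the group named in the reply above.

```powershell
# Added example: explicitly deny the Plesk psacln group (IUSR/IWAM/FTP logins)
# on a folder that client scripts must never reach. A Deny ACE is evaluated
# before Allow ACEs, so it overrides the Allow that BUILTIN\Users inherits.
# The path used at the bottom is a placeholder, not a real Plesk layout.

function Deny-PsaclnAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Group = 'psacln'   # local group created by Plesk for web/FTP logins
    )

    $acl = Get-Acl -LiteralPath $Path

    # Deny FullControl to the group on this folder, its subfolders and its files.
    # Equivalent one-liner with the built-in tool: icacls "$Path" /deny "${Group}:(OI)(CI)F"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-PsaclnEntries {
    # List the DACL entries that mention the group. Windows orders explicit Deny
    # entries first, which is why they win over a later (or inherited) Allow.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Group = 'psacln'
    )
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference -like "*$Group" } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Usage with a placeholder path (replace with the folder you want to fence off):
$target = 'C:\PLACEHOLDER\sensitive-folder'
Deny-PsaclnAccess -Path $target
Get-PsaclnEntries -Path $target | Format-Table -AutoSize
```

Do not apply this to a site's own document root: that site's IUSR account is itself a member of psacln, so the Deny would break the site. Use it on folders outside the client's vhost that the script should never be able to browse.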
 
Originally posted by renis
I don't understand what you expect from a control panel... to be a Bank???

Renis,

While I agree with the principle of the admin being responsible for the security of his/her environment, I also believe the Plesk team could do more to lock the environment down, much like our friends at MS should.

Originally posted by renis
5. Tools like IISLockDown have existed for 5 years now. Even for free.

Yes, except for those running IIS 6. MS clearly indicates that the LockDown Tool and URLScan are unnecessary there.

Originally posted by renis
Come on...
You want software that will be able to do what you have in your mind, without pressing a key on the keyboard... or better, what you will have in your mind in the future :p

It would be nice to live in some utopian world where I could push a button and the whole environment would spring to life. Unfortunately we both know that isn't true, and I believe most of the people on this forum also know that. What I do expect is that most companies would learn from the caning that MS has received over security and increase the priority of security.

Cheers, Michael
 
I agree with you, Improv.

What is really frustrating is looking at persons who have no idea of server administration and want to run a hosting business. Evidently they expect everything ready-made from the OS or the Hosting Control Panel.
Unfortunately most of them use Windows as the OS, maybe because they find it more user friendly. This is the primary reason why Windows looks more vulnerable than *nix in security. Give Linux a nicer GUI and you will be surprised by the horror stories you will hear on hosting forums (like with Windows now).

I think that every OS has bugs and holes. It is important for a server admin to update and secure his box as much as possible. You cannot expect SWsoft to fix Microsoft or RedHat bugs.

For me it was not a problem even without using a control panel. I did that for more than 2 years with Windows 2000 without any problem. The primary reason for a control panel was accounting. The second was speed. But this does not mean that the human server admin is obsolete...
 
Renis,

The default Plesk-Win ACL structure and deployment is wrong and does not suit a shared hosting environment. It is easily exploitable.

When you correct these settings as they should be, then Plesk won't work with the new ACL config.

Also, .NET is another security issue for Win, in that you have to manually configure each client after assigning the .NET service, which is an overhead.

I believe SWsoft is still not aware that Windows is vulnerable to anything. This is because its structure is not Win native, i.e. PLESK should stop using cmd.exe.

> What is really frustrating is looking at persons, who have no idea of server administration

If you are questioning my administrative skills, then I have to say that

I am an RHCE, CEH, CISSP, CCNP and JNSCP-FW

and here's the deal, Mr Guru:

why don't you just create an account on your rock-hard Win server with PHP, .NET, Perl, etc. (whatever you give to your clients) and send it to me? :)
 