A good application security assessment should probe every level of the environment as well as the custom application itself. In this paper we examine the relatively little-known skill of remotely assessing the in-depth configuration of a Microsoft IIS web server, and we hope to show the reader how two apparently unconnected pieces of information can be combined to help determine the attack and measure the associated risk.
In studying this we will examine:
- Ways to determine what permissions have been set on virtual directories used by the application.
- What authentication options have been left enabled or disabled.
- What default application extension mappings have been left in place.
- How to gather information about the server.
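The four areas listed above can also be audited from the server side by an administrator, which is the defender's counterpart to the remote assessment the paper describes. The script below is an added example, not part of the paper; it assumes IIS 7 or later with the WebAdministration PowerShell module, a site named "Default Web Site" (change `$site` as needed), and an elevated session on the server itself.

```powershell
# Added example (not from the paper): local audit of the configuration areas the
# paper enumerates, using the WebAdministration module on IIS 7 or later.
# Assumptions: module available, site name "Default Web Site", elevated session.
Import-Module WebAdministration

$site     = 'Default Web Site'          # assumed site name
$sitePath = "IIS:\Sites\$site"

Write-Host "== 1. Virtual directories and their access flags (Read/Script/Execute) =="
Get-WebVirtualDirectory -Site $site | ForEach-Object {
    $vdirPath = Join-Path $sitePath $_.path.TrimStart('/')
    # accessPolicy is a flags attribute; .Value holds the combined flag string
    $access = (Get-WebConfigurationProperty -PSPath $vdirPath `
                -Filter 'system.webServer/handlers' -Name accessPolicy).Value
    [pscustomobject]@{
        VirtualDirectory = $_.path
        PhysicalPath     = $_.physicalPath
        AccessPolicy     = $access
    }
} | Format-Table -AutoSize

Write-Host "== 2. Authentication modules enabled or disabled on the site =="
Get-WebConfiguration -PSPath $sitePath `
    -Filter 'system.webServer/security/authentication/*' |
    Select-Object SectionPath, enabled | Format-Table -AutoSize

Write-Host "== 3. Handler (application extension) mappings left in place =="
# Review anything here the application does not need; each mapping is code
# that will run for requests matching its path and verb.
Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/handlers/add' |
    Select-Object name, path, verb, modules, scriptProcessor | Format-Table -AutoSize

Write-Host "== 4. Information the server volunteers to remote clients =="
# Detailed error pages and custom headers are the usual sources of server details.
$errorMode = (Get-WebConfigurationProperty -PSPath $sitePath `
                -Filter 'system.webServer/httpErrors' -Name errorMode).Value
Write-Host "httpErrors errorMode: $errorMode (DetailedLocalOnly or Custom is the conservative setting)"
Get-WebConfiguration -PSPath $sitePath `
    -Filter 'system.webServer/httpProtocol/customHeaders/add' |
    Select-Object name, value | Format-Table -AutoSize
```

Run it once per site and keep the output with the assessment record; a diff against a later run shows which of the four areas changed between assessments.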