
CSA Rule - IIS Server and descendants, write all files

enelson
Level 1

(This rule locks down the application by placing restrictions on file operations. If an application becomes compromised (buffer-overrun attack), this rule limits what types of files can be accessed by the application.)

My question is: this rule DENIES the aspnet_wp.exe, w3wp.exe, and inetinfo.exe applications from writing to ALL files.

How can we ALLOW legitimate file operations but still block malicious activity?

This one is tough because there are many different web files that aspnet_wp.exe, w3wp.exe, inetinfo.exe, etc. call upon, making tuning difficult.

Everyone's thoughts are appreciated as we tune CSA.

1 Reply

tsteger1
Level 8

You need to run application and behavior monitoring and understand what the applications do in order to make good exceptions.

You could then create a dynamic app class that is triggered when your applications run and create data.

You could put that app class in the exceptions list for that rule.

This should keep any other activity from being able to write files while allowing your applications to run.

Tom S
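
The monitoring step described in the reply above can be turned into a short review list before any exception is written. The following is an added example, not part of the original thread and not Cisco tooling: it assumes file events have been exported to a hypothetical `process,operation,path` text format, and the list of "code" extensions is an assumption to adjust per site.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Processes named in the rule discussed in this thread.
IIS_PROCS = {"aspnet_wp.exe", "w3wp.exe", "inetinfo.exe"}
# Assumption: file types that are code or configuration, so a write needs a human decision.
CODE_EXTS = {".exe", ".dll", ".asp", ".aspx", ".ashx", ".config", ".bat", ".cmd"}

# Constructed sample in a hypothetical "process,operation,path" export (not a CSA log format).
SAMPLE = r"""
w3wp.exe,WRITE,C:\inetpub\logs\LogFiles\W3SVC1\ex0601.log
w3wp.exe,WRITE,C:\inetpub\logs\LogFiles\W3SVC1\ex0602.log
aspnet_wp.exe,WRITE,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\app\a1.tmp
aspnet_wp.exe,WRITE,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\app\a1.dll
W3WP.EXE,write,C:\inetpub\wwwroot\uploads\report.pdf
w3wp.exe,WRITE,C:\inetpub\wwwroot\uploads\new.aspx
w3wp.exe,READ,C:\inetpub\wwwroot\default.aspx
notepad.exe,WRITE,C:\temp\notes.txt
"""


def summarize(text):
    """Split observed IIS writes into exception candidates and writes to review by hand."""
    candidates = defaultdict(int)  # (process, directory) -> number of data-file writes
    review = []                    # (process, full path) for code/config writes
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # blank or malformed line
        proc, op, path = (field.strip() for field in row)
        proc = proc.lower()
        if proc not in IIS_PROCS or op.upper() != "WRITE":
            continue  # only writes by the processes the rule covers
        target = PureWindowsPath(path)
        if target.suffix.lower() in CODE_EXTS:
            review.append((proc, str(target)))
        else:
            candidates[(proc, str(target.parent))] += 1
    return dict(candidates), review


if __name__ == "__main__":
    cands, rev = summarize(SAMPLE)
    for (proc, directory), count in sorted(cands.items()):
        print(f"candidate  {proc:14} {directory}  ({count} writes)")
    for proc, path in rev:
        print(f"review     {proc:14} {path}")
```

Directories in the candidate list are the narrow write paths an exception could cover; entries in the review list (such as compiled output under Temporary ASP.NET Files versus a new `.aspx` under an upload folder) need a case-by-case decision rather than a blanket allow.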
