IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft...

Page 1: Title

IIS 6.0 SECURITY ARCHITECTURE
It's a Whole New World

Michael Muckin
Security Architect
Microsoft Consulting Services

Page 2: Agenda

Setting the Stage
IIS 6.0 Security design
ASP.NET Security Config
Scanning & Tools
Hardening IIS 6.0

Demos throughout

Page 3: Setting the Stage

No news that IIS is a primary target
What is this "Security Push" and Trustworthy Computing?
IIS 6.0 should be tangible evidence of these initiatives

Page 4: Vulnerability Trends (chart)

[Chart: layers Physical, Network, OS, Application, Data plotted against Browser, Web Server, Logic/Web Svcs. Axis labels: Vertical, Horizontal. Trend labels: "Decreasing - Leveling out" and "Increasing".]

Page 5: IIS 6.0 Security Design

Product quality
  Improve design, coding, and testing practices
  Fewer vulnerabilities out of the box
Security conscious architecture
  Reduced attack surface
  Defense in depth
  Limit the possible damage should new vulnerabilities be discovered
Always up-to-date
  Make it practical to keep systems up-to-date with the latest software patches

Page 6: Product Quality

Security stand-down
Development practices
  /GS
  Prefix/Prefast runs
  Single String Class
  QFE and IIS core team merged
  Code review for every change
  External reviews keep us honest
  Removed legacy code
  Security design review for every feature
Extensive test infrastructure
  External tools
  Internal tools
  IIS tools
  Buffer overflow scanner
  Cross-site scripting
  Fault injection in regular test runs

Page 7: Reduced Attack Surface

Windows Server 2003 disables 20+ Services
IIS is not installed on Windows Server 2003
If you install IIS...

IIS components                  IIS 5.0 clean install   IIS 6.0 clean install
Static file support             enabled                 enabled
ASP                             enabled                 disabled
Server-side includes            enabled                 disabled
Internet Data Connector         enabled                 disabled
WebDAV                          enabled                 disabled
Index Server ISAPI              enabled                 disabled
Internet Printing ISAPI         enabled                 disabled
CGI                             enabled                 disabled
Frontpage Server Extensions     enabled                 disabled
Password Change Functionality   enabled                 disabled
SMTP                            enabled                 disabled
FTP                             enabled                 disabled
ASP.NET                         X                       disabled
BITS                            X                       disabled

Page 8: Vulnerability Distribution (Web Server only)

[Chart of web server components by vulnerability severity; severity values not recoverable from the transcript.]
Web Server Components:
  IIS Core
  ASP
  Server-side includes (SSINC.DLL)
  Internet Data Connector (HTTPODBC.DLL)
  WebDAV (HTTPEXT.DLL)
  Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
  Internet Printing ISAPI (MSW3PRT.DLL)
  Frontpage Server Extensions (div.)
  Password Change Functionality (ISM.DLL)

Page 9: Defense In Depth - Buffer overflows

New low privilege accounts: Network Service (default) and Local Service
Default privileges:
  SeAssignPrimaryTokenPrivilege
  SeSecurityPrivilege
  SeSystemtimePrivilege
  SeAuditPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
...vs. the LocalSystem account, which has almost every system privilege (21 total)

Page 10: Defense In Depth

Canonicalization issues
  Rigorous and restrictive parsing
  Default handler is restricted to a list of known extensions
Denial-of-service attacks
  Fault-tolerant infrastructure
  Limits
Cross-site scripting issues
  ASP.NET data validation controls
Executing command-line scripts
  Secure defaults: don't allow anonymous account to execute *.exe's
Site defacements
  No write access for anonymous account in home dir

Page 11: Secure By Default - Secure Defaults I

No executable VDirs
  /SCRIPTS and /MSADC
Secure timeouts and limits
  16k request limit
Old legacy code removed
  ISM.DLL/.HTR
  Sub-authentication
Known extensions
  Check if file exists

Page 12: Secure By Default - Secure Defaults II

Strong ACLs on
  Logfiles
  Custom error directory
  Cache directories
    Persistent ASP template cache
    Compression cache
IE shipped in hardened state on all servers
  Admin must add Zones/settings as desired
ASP
  ASPEnableParentPath = FALSE
  Hang detection
  4MB response buffer limit
  Internal health detection

Page 13: Secure By Default - Secure Defaults III

Restrictive URL canonicalization: hostname and URL rules
  A raw byte must be a URL_TOKEN, per RFC 2396 and 2732
    Alphanumeric: A..Z a..z 0..9
    Hex-escaped: %xx or %uNNNN
    Mark: - _ . ! ~ * ' ( )
    Reserved: ; / ? : @ & = + $ , [ ]
    Unwise: { } | \ ^ `
    But not: 0x00-0x1F 0x7F " # < >
NTFS canonicalization
  \\?\
  Streams outlawed
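The byte-class rules above, applied to a request path as a small checker. This is an added example, not code from the slides or from IIS: the byte sets are the slide's, while the function names, the escape-decoding step and the interpretation of the two NTFS rules (reject a decoded `\\?\` prefix and any `:` stream separator inside a path segment) are assumptions made for the example.

```python
# Added example (not from the slides): a checker that applies the byte-class
# rules from the "Secure Defaults III" slide to a request path.  The byte sets
# are the slide's; the function names, the decoding step and the way the two
# NTFS rules ("\\?\" prefix, streams) are interpreted are this example's own.
import re
import string

ALPHANUM = set(string.ascii_letters + string.digits)
MARK = set("-_.!~*'()")
RESERVED = set(";/?:@&=+$,[]")
UNWISE = set("{}|\\^`")
URL_TOKENS = ALPHANUM | MARK | RESERVED | UNWISE
# Rejected outright: control bytes, DEL, and " # < >
FORBIDDEN = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)} | set('"#<>')

# %xx or %uNNNN, the two escape forms the slide lists
HEX_ESCAPE = re.compile(r"%(?:u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})")


def classify_url(raw):
    """Walk the raw request string byte by byte.  Returns (ok, reason)."""
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "%":
            m = HEX_ESCAPE.match(raw, i)
            if not m:
                return False, "malformed escape at offset %d" % i
            i = m.end()
            continue
        if ch in FORBIDDEN:
            return False, "forbidden byte 0x%02X at offset %d" % (ord(ch), i)
        if ch not in URL_TOKENS:   # also rejects space and any non-ASCII byte
            return False, "byte 0x%02X at offset %d is not a URL token" % (ord(ch), i)
        i += 1
    return True, "ok"


def decode_escapes(text):
    """Turn %xx / %uNNNN escapes into characters so the NTFS rules see the real path."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(0).lstrip("%u"), 16)), text)


def is_acceptable_url(raw):
    """Apply the URL byte rules first, then the NTFS canonicalization rules to
    the decoded path (everything before the first raw '?')."""
    ok, reason = classify_url(raw)
    if not ok:
        return False, reason
    decoded = decode_escapes(raw.split("?", 1)[0])
    if "\\\\?\\" in decoded:
        return False, "NTFS \\\\?\\ prefix rejected"
    # A ':' inside a path segment is the NTFS stream separator
    # (file.txt:stream or file.txt::$DATA); the slide outlaws streams.
    for segment in re.split(r"[\\/]", decoded):
        if ":" in segment:
            return False, "NTFS stream syntax rejected"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample paths, one per rule
    for sample in ["/default.htm", "/a b.htm", "/x%zz", "/p?q=<b>",
                   "/file.txt::$DATA", "/%5c%5c%3f%5cC:/x", "/%u0041bc"]:
        print("%-22s -> %s" % (sample, is_acceptable_url(sample)))
```

The order matters: the byte-level rules run on the raw request so that a forbidden character cannot be smuggled in literally, and the NTFS rules run on the decoded path so that an escaped `\\?\` or `:` is still caught.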

Page 14: Security Conscious Architecture - Compartmentalization

Third-party code runs only in worker processes
Powerful sandboxing
HTTP pre-request logging

Page 15: Rearchitecting IIS - A review of IIS5 (diagram)

[Diagram: kernel: TCP/IP. User mode: WinSock 2.0; INETINFO.EXE holding the Metabase and the ISAPI Filters and Extensions; separate DLLHost.EXE processes each hosting ISAPI Extensions.]

Page 16: IIS 6.0 Request Processing (diagram)

[Diagram: Request and Response pass through HTTP in kernel mode (Cache, Queue). User mode: WWW Service (Administration & Monitoring); Inetinfo (XML Metabase, FTP, NNTP, SMTP); multiple Application Pools.]

Page 17: Rearchitecting IIS - A New Architecture for IIS6

GOAL: prevent apps from affecting system health
Web service in INETINFO split out to do this:
  HTTP.SYS: kernel mode listener and request router
  WAS: config and process manager
  W3 Core: where apps get loaded
Multiple W3 Cores

[Diagram: kernel: HTTP.SYS; user: WAS and W3 Core(s) hosting the web apps.]

Page 18: Rearchitecting IIS - HTTP.SYS

What is it?
  Kernel-mode HTTP stack/listener
  Always running
Reliability features
  Process routing based on URL
  Request queues: kernel-mode queuing
Performance features
  Kernel-mode response cache
  Text-based and binary logging

Page 19: Rearchitecting IIS - HTTP.SYS (diagram)

[Diagram: a REQUEST arrives over TCP/IP into HTTP.SYS: Listener, HTTP Parser, HTTP Engine, Namespace Mapper, Response Cache, Send Response; requests are placed into multiple Request Queues exposed through the HTTP.SYS API.]

Page 20: Rearchitecting IIS - Web Admin Service (WAS)

Application Manager
  Manages lifetime of W3 Core(s)
Configuration Manager
  Configures HTTP.SYS
No application code
  Ensures reliability
  Easier to identify problems
Hosted in SVCHOST.exe

Page 21: Rearchitecting IIS - W3 Core

What is it?
  Main web processing DLL responsible for processing web requests
Mini-web server
  Contains all web request processing functionality
  Loads ISAPIs: filters and extensions
Separates request processing from the rest of the web server

Page 22: Application Pools - Application Isolation in Processes

Can create 1 or more application pools
  Each served by 1 or more processes
  Each worker process serves only 1 pool
  Requests routed directly to pool by HTTP.sys
Isolate apps based on:
  Site/Customer
  Functionality
  Reliability

Page 23: Application Pooling - Configurable Worker Process ID

Worker process can be started as:
  Network Service (default)
  Local System
  Local Service
  Configured ID

Page 24: Recycling - What is it and Why use it?

What is it?
  Periodically restart applications based on:
    Uptime
    # of requests
    Scheduled time
    Memory consumption
    On-demand
Why use it?
  Refresh apps to ensure availability
  Prevent bad apps from taking over the system

Page 25: Recycling - Overlapping Recycle (diagram)

[Diagram: HTTP.SYS (kernel) and WAS (user). The old worker process (ISAPI extensions & filters, web processing core DLL) is marked "Ready for Recycle"; WAS starts a new worker process, which loads its ISAPI extensions & filters and core DLL and signals "ready"; new requests go to the new process while the old one is shut down.]

Page 26: Countering DoS - ISAPI Interaction: REPORT_UNHEALTHY

HSE_REQ_REPORT_UNHEALTHY
  Goal: allow an ISAPI to report to IIS that it needs to be recycled.

    bResult = pECB->ServerSupportFunction(
                  pECB->ConnID,
                  HSE_REQ_REPORT_UNHEALTHY,
                  psz_reason_unhealthy,
                  NULL,
                  NULL
              );

ASP hang detection
  Used to detect when ASP threads block in components

Page 27: Health Detection - Crash Detection & Rapid Fail Protection

WAS detects process crash/AVs
On failure:
  Publish event to event log
  Check "crash count"
  If (crash count > max crashes in time limit)
    Disable app pool
  Else start new process
Rapid Fail Protection
  Only allow x crashes in y minutes
  Return 503s when invoked
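The crash-count rule on this slide, as a small simulation. This is an added example and not Microsoft's code: the class and function names are this example's own, timestamps are plain seconds, and the `max_crashes` / `window_seconds` defaults are values chosen for the example rather than the product's shipped settings.

```python
# Added example (not Microsoft's code): the crash-count logic from the
# "Crash Detection & Rapid Fail Protection" slide as a small simulation.
# Names are this example's own; max_crashes / window_seconds defaults are
# values picked for the example, not IIS 6.0's shipped settings.
from collections import deque


class AppPoolHealth:
    """Tracks worker-process failures for one application pool the way the
    slide describes WAS doing it: log the failure, count failures inside the
    time window, disable the pool once the count exceeds the maximum,
    otherwise start a replacement process."""

    def __init__(self, name, max_crashes=5, window_seconds=300):
        self.name = name
        self.max_crashes = max_crashes
        self.window_seconds = window_seconds
        self.crash_times = deque()   # timestamps (seconds) of recent failures
        self.disabled = False
        self.event_log = []          # stands in for the Windows event log

    def report_crash(self, now):
        """Called by the process manager when a worker process dies at time now."""
        self.event_log.append("t=%d app pool %r: worker process failed" % (now, self.name))
        if self.disabled:
            return "disabled"
        self.crash_times.append(now)
        # Drop failures older than the window: "x crashes in y minutes"
        while self.crash_times and now - self.crash_times[0] > self.window_seconds:
            self.crash_times.popleft()
        if len(self.crash_times) > self.max_crashes:
            self.disabled = True
            self.event_log.append(
                "t=%d app pool %r: rapid fail protection disabled the pool" % (now, self.name))
            return "disabled"
        return "restarted"

    def http_status(self):
        """What HTTP.SYS answers for a disabled pool: 503 Service Unavailable."""
        return 503 if self.disabled else 200


def simulate(crash_times, max_crashes=3, window_seconds=300):
    """Feed a constructed list of failure timestamps through one pool and
    return the action taken on each, plus the final HTTP status."""
    pool = AppPoolHealth("DefaultAppPool", max_crashes, window_seconds)
    actions = [pool.report_crash(t) for t in crash_times]
    return actions, pool.http_status()


if __name__ == "__main__":
    # Four crashes in three minutes with max 3: the fourth disables the pool
    print(simulate([0, 60, 120, 180]))
    # Same count six minutes apart: each failure ages out of the window first
    print(simulate([0, 360, 720, 1080]))
```

A pool that trips this rule stays down until an administrator re-enables it, so the event log entry is the signal to watch for; a pool that keeps restarting just under the threshold shows up only as a run of "worker process failed" events.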

Page 28: ASP.NET Secure Config

ASP.NET Security Layers
Configuring ASP.NET Security
Server-side Input Validation

Page 29: ASP.NET Security Layers

IIS
  Authentication
  URLScan (not specific to ASP.NET)
  Static file ACLs
ASP.NET
  Web Service Extensions
  Authorization by Role and URL
  File access by ASP mapped extensions

Page 30: ASP.NET Accounts

When ASP.NET is enabled, a new account is created, "ASPNET", and a new group, "IIS_WPG"
Configurable in IIS Service Manager MMC
For multiple pools requiring complete isolation:
  Create low-priv accounts for each pool
  Add to IIS_WPG group
  Config each pool with appropriate identity
Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
Careful of "code-behind" files that are being accessed: set ACLs appropriately (aspx.cs, aspx.vb)

Page 31: ASP.NET Config Files - Understanding the ".config" files

XML files with Web and App settings
ACL these files tightly
  Remove "Users" and "Power Users"
Hierarchical application of security settings
  Machine.config
  Web.config (for all ASP.NET apps)
  App1 -> Web.config (individual app settings)
  Resultant = inherited settings
Settings:
  AuthN, AuthZ by Users, Roles (Domain and Forms)
  HTTP verbs allowed/disallowed
  URLs
  File access
Don't put connection strings or user/passwords in here!!

Page 32: Users and Roles

Web.config - <system.web> tag:

    <authorization>
      <allow users="Sue, Joe"/>
      <deny users="?"/>
    </authorization>

----------------------------------------------------------------------

    <authorization>
      <allow verbs="HEAD, GET, POST"
             roles="Administrators"/>
      <allow verbs="HEAD, GET, POST"
             roles="Users"/>
      <deny users="?"/>
    </authorization>

Note: "?" = all unauthenticated users

Page 33: More Granular Control

Web.config - <location> tag:

    <location path="ListUsers.aspx">
      <system.web>
        <authentication mode="forms">
          <forms loginUrl="AdminLogin.aspx"
                 protection="All"/>
        </authentication>
        <authorization>
          <allow users="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Note: "*" = all users; HTTP verbs can also be specified within the <location> tag
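How the <authorization> sections on this slide and the previous one are evaluated, as an added example (not code from the slides and not ASP.NET's own implementation). The two configs are reconstructed from the slides; the matching rules follow ASP.NET's documented URL authorization behaviour (rules tried in document order, first match wins, "?" is anonymous only, "*" is everyone, no verbs attribute means every verb, and the root configuration's <allow users="*"/> applies when nothing matched); the function names are this example's own.

```python
# Added example (not from the slides, not ASP.NET's code): a small evaluator
# for <authorization> sections like the ones on the "Users and Roles" and
# "More Granular Control" slides, to show how allow/deny rules are matched.
# Rules are tried in document order and the first match wins; "?" matches only
# anonymous users, "*" matches everyone, and a rule with no verbs attribute
# applies to every verb.  Both configs are reconstructed from the slides.
import xml.etree.ElementTree as ET

ROLE_BASED_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow verbs="HEAD, GET, POST" roles="Administrators"/>
      <allow verbs="HEAD, GET, POST" roles="Users"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>"""

LOCATION_CONFIG = """<configuration>
  <location path="ListUsers.aspx">
    <system.web>
      <authorization>
        <allow users="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _csv(value):
    """Split a comma-separated attribute value; a missing attribute gives []."""
    return [item.strip() for item in value.split(",") if item.strip()] if value else []


def rule_matches(rule, user, roles, verb):
    """Does one <allow>/<deny> element apply to this (user, roles, verb)?
    user is None for an anonymous request."""
    verbs = [v.upper() for v in _csv(rule.get("verbs"))]
    if verbs and verb.upper() not in verbs:
        return False
    for name in _csv(rule.get("users")):
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    wanted = {r.lower() for r in _csv(rule.get("roles"))}
    return any(r.lower() in wanted for r in roles)


def is_authorized(config_xml, user, roles, verb):
    """Evaluate the first <authorization> section in config_xml.  Falls
    through to allow, mirroring the <allow users="*"/> that the root
    configuration contributes when no local rule matches."""
    root = ET.fromstring(config_xml)
    section = next(root.iter("authorization"))
    for rule in section:
        if rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True


if __name__ == "__main__":
    # Constructed requests: (config, user, roles, verb)
    for cfg, user, roles, verb in [
        (ROLE_BASED_CONFIG, None, [], "GET"),
        (ROLE_BASED_CONFIG, "joe", ["Users"], "POST"),
        (ROLE_BASED_CONFIG, "joe", ["Users"], "DELETE"),
        (LOCATION_CONFIG, "admin", [], "GET"),
        (LOCATION_CONFIG, "joe", ["Users"], "DELETE"),
    ]:
        print(user, roles, verb, "->", is_authorized(cfg, user, roles, verb))
```

The third request is the one worth noticing: the verb-limited <allow> rules on the "Users and Roles" slide only deny anonymous users, so an authenticated user sending a verb that is not listed falls through to the inherited allow. Ending the section with <deny users="*"/>, as the <location> example does, is what turns a list of allows into a real whitelist.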

Page 34: ASP.NET Server-side Validation - C# Example (1): The Control

    <%@ Page Language="C#" %>
    <html>
    <head>
    <script runat="server">
      void ValidateBtn_OnClick(object sender, EventArgs e)
      {
          if (Page.IsValid)
          {
              lblOutput.Text = "Page is valid.";
          }
          else
          {
              lblOutput.Text = "Page is not valid!";
          }
      }

      void ServerValidation(object source, ServerValidateEventArgs args)
      {
          try
          {
              Regex r = new Regex(@"^\d{4}$");      // Digits only - exactly 4
              if (!r.Match(args.Value).Success)    // args.Value is the submitted text
                  throw new Exception("Invalid ID");
          }
          ... <snip> ...
    </script>
    </head>

Page 35: ASP.NET Server-side Validation - C# Example (2): Hooking the Control

    <form runat="server">
      <h3>My CustomValidator Example</h3>
      <asp:Label id="lblOutput" runat="server"
                 Text="Part Number:"
                 Font-Name="Tahoma" Font-Size="10pt" /><br>
      <p>
      <asp:TextBox id="Text1" runat="server" />
      &nbsp;&nbsp;
      <asp:CustomValidator id="CustomValidator1"
                           ControlToValidate="Text1"
                           OnServerValidate="ServerValidation"
                           Display="Static"
                           ErrorMessage="Part Number entered is wrong!"
                           ForeColor="green"
                           Font-Name="Tahoma" Font-Size="10pt" runat="server"/>
      <p>
      <asp:Button id="Button1" Text="Validate"
                  OnClick="ValidateBtn_OnClick" runat="server"/>
    </form>

Page 36: Scanning & Tools

Scanning an IIS 6 default box
Scanning an ASP.NET enabled box
Log Parser
IISLockDown/URLScan
Web Extensions

Page 37: Summary

Completely new architecture
  Kernel mode request handling
  Complete application isolation
Secure defaults
  At the code level
  Deployment: default IIS box is only a static web server; admin must turn on what is needed
IIS/ASP.NET focus on app-layer security
  Web Service Extensions
  URLScan
  ASP.Net .config files
  Server-side controls
> 10,000 sites already live on IIS 6.0
microsoft.com running production since RC1

Page 38: Questions ???