IIS Security 101
Jeni Li for WNUG/CCC, April 1, 2004
Please be polite
This file is being shared on the Web in raw PowerPoint format. I put a lot of time into creating and commenting this file. For permission to share it outside of ASU, or to use it in presentations, please contact me first. Thanks!
Who am I
– Web geek at ASU Polytechnic campus
– Tri-campus veteran
– Author of IIS item for 2002/3 SANS Top 20
– Local mentor for SANS
– Board member of InfraGard and HTCIA
– Member of MCC IA Advisory Board
– Member of Infosec Academy Advisory Board
– Somewhat of an Apache bigot
What we’ll cover this morning
– Common types of attacks against Web servers
– A layered (host-based) defense against those attacks
– Three tools used to secure IIS
– What’s different about IIS 6
Common types of attacks: Directory traversal
– GET /scripts/../../winnt/system32/cmd.exe /c+dir
– GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir
Examples
– Code Blue, Nimda
– Socket80
Effects
– Unauthorized file access
– Execution of arbitrary commands
Common types of attacks: Buffer overflows
– Long requests with machine code embedded
Example
– WebDAV ntdll.dll exploit
Effects
– Denial of service
– Execution of arbitrary code
Common types of attacks: Preprocessor exploits
– Requests for .idq, .printer, et cetera
– Requests with unusual HTTP verbs; e.g., PUT
Examples
– Code Red, Code Red II
Effects
– Denial of service
– Execution of arbitrary commands
Common types of attacks: Application exploits
– Requests for executables you’re not using
Examples
– newdsn.exe, ism.dll
– Sample applications
– Anything in /iisadmin or /MSADC
Effects
– Denial of service
– Unauthorized file access
– Execution of arbitrary commands
Layers of defense: Harden the OS
– Use Gold Standard or similar templates
– Eliminate unnecessary services
– Set appropriate file space permissions
– Patch, patch, patch
Layers of defense: Strip down the Web service
– Move document root and Web log directories
– Eliminate unnecessary mappings
– Eliminate sample applications
– Disable WebDAV unless it’s an absolute requirement
Layers of defense: Restrict file and URL access
– Deny Web user access to certain system files
– Set document directory permissions according to the principle of least privilege
– Disallow known bad extensions (or, if you can, only allow known good ones)
– Resolve URLs completely, then filter them
Layers of defense: Hide in plain sight
– Bind the Web service to the FQDN
– Eliminate the Server header
– Modify or eliminate the content-location header
– Conceal the existence of preprocessed content
Layers of defense: Keep an eye on it
– Spikes in disk usage
– Unusual or unexpected network traffic
– Interesting log entries
– Audit the right stuff
Sound like a lot of work???
Three wonderful tools
– Security Configuration & Analysis snap-in
– IIS Lockdown Wizard
– URLScan filter
... plus a little bit of manual labor
SCAT snap-in
– Configure security-related settings according to predefined templates (no regedit required!)
– Good templates available from NSA, NIST, and Center for Internet Security (www.cisecurity.org)
– Review/approve/deny changes before applying
– Can create/modify your own templates
Note: Group policy
Using SCAT
ASU’s login warning banner
Back to using SCAT
IIS Lockdown Wizard
www.microsoft.com/technet/security/tools/locktool.mspx
– Role-based configuration
– Enable/disable/remove inetinfo services
– Remove sample applications
– Enable/disable built-in ISAPI mappings
– Set restrictive permissions on system files
  – e.g., cmd.exe, tftp.exe
  – includes dllcache directory
– Install URLScan
Using IIS Lockdown
URLScan
c:\winnt\system32\inetsrv\urlscan\urlscan.ini
– Extensions to allow/disallow
– HTTP verbs to allow/disallow
– URL character patterns to disallow
– Resolve Unicoded URLs
– Modify or remove the Server header
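The three slides above fit together: "resolve URLs completely, then filter them", "interesting log entries", and the urlscan.ini knobs. The script below is an added example, not code from the talk or from URLScan itself. It parses a constructed urlscan.ini excerpt (the section and option names are the real URLScan 2.5 ones; the values and lists are this example's choices), applies the rules to a request the way the talk recommends (decode first, filter second), and runs them over constructed IIS W3C log lines to pick out the entries a log reviewer would want to look at. The function names, the log lines, and the treatment of UseAllowExtensions (only the deny-list mode is implemented) are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Constructed urlscan.ini excerpt: real URLScan 2.5 section/option names, example values.
URLSCAN_INI = r"""[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.exe
.ida
.idq
.printer
[DenyUrlSequences]
..
./
\
:
%
[RequestLimits]
MaxUrl=260
MaxQueryString=256
"""

# Constructed IIS W3C-format log lines; the #Fields header names the columns.
LOG_LINES = f"""\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-30 09:12:01 10.0.0.5 GET /default.htm - 200
2004-03-30 09:12:07 10.0.0.9 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2004-03-30 09:12:09 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2004-03-30 09:13:44 10.0.0.12 GET /default.ida {'N' * 300} 200
2004-03-30 09:14:02 10.0.0.17 PROPFIND /docs/ - 207
"""

def parse_urlscan_ini(text):
    """[options]/[RequestLimits] become key->value dicts, other sections lists; ';' starts a comment."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {} if current in ('options', 'RequestLimits') else []
        elif isinstance(sections[current], dict):
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
        else:
            sections[current].append(line)
    return sections

def decode_once(url):
    """One decoding pass: IIS's non-standard %uXXXX escapes, then ordinary %XX."""
    url = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), url)
    return unquote(url)

def check_request(method, url, cfg):
    """Return the reasons one request would be rejected (empty list = allowed).
    Sequence and extension rules run on the decoded path: resolve first, then filter."""
    opts, limits, reasons = cfg['options'], cfg['RequestLimits'], []
    stem, _, query = url.partition('?')
    if opts['UseAllowVerbs'] == '1' and method not in cfg['AllowVerbs']:
        reasons.append(f'verb {method} not in AllowVerbs')
    if len(stem) > int(limits['MaxUrl']) or len(query) > int(limits['MaxQueryString']):
        reasons.append('request exceeds RequestLimits')
    scanned = decode_once(stem) if opts['NormalizeUrlBeforeScan'] == '1' else stem
    # A URL that still changes on a second pass was encoded twice; a filter on the raw URL misses it.
    if opts['VerifyNormalization'] == '1' and decode_once(scanned) != scanned:
        reasons.append('URL changes when decoded again (double encoding)')
    if opts['AllowHighBitCharacters'] == '0' and any(ord(c) > 127 for c in scanned):
        reasons.append('high-bit character in URL')
    reasons += [f'denied sequence {s!r}' for s in cfg['DenyUrlSequences'] if s in scanned]
    name = scanned.rsplit('/', 1)[-1]
    ext = '.' + name.rsplit('.', 1)[-1].lower() if '.' in name else ''
    if ext in cfg['DenyExtensions']:
        reasons.append(f'extension {ext} in DenyExtensions')
    return reasons

def review_log(text, cfg):
    """Run the rules over the log; return [(line, reasons)] for requests the filter would reject."""
    fields, flagged = [], []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#'):
            rec = dict(zip(fields, line.split()))
            query = '' if rec['cs-uri-query'] == '-' else '?' + rec['cs-uri-query']
            if reasons := check_request(rec['cs-method'], rec['cs-uri-stem'] + query, cfg):
                flagged.append((line, reasons))
    return flagged

if __name__ == '__main__':
    for line, why in review_log(LOG_LINES, parse_urlscan_ini(URLSCAN_INI)):
        print(line.split()[4], '->', '; '.join(why))
```

The point of VerifyNormalization is visible in the `..%255c..` line: after one decoding it still contains `%5c`, so a filter that looked at the raw URL (or decoded only once) would not see the backslash traversal; decoding until the URL stops changing, and rejecting anything that needed a second pass, closes that gap. The same check doubles as a log-review heuristic: every rejected reason is an entry worth a second look.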
Manual labor
– Bind to FQDN
– Conceal interactive content
– Eliminate revealing headers
OK, so what about IIS 6?
– Performance
– Security
– Upgrade issues
– Gotchas
Performance!!
– Delivers files 90% faster than IIS 5
– Built-in HTTP compression faster, better
– Application isolation faster
– Application pool recycling
– Cleaner separation of user, kernel modes
IIS 6 Architecture
(diagram: HTTP.SYS in kernel mode; in user mode, the Web Admin Service and several worker processes (W3WP.exe), each hosting a W3 Core and a Web app; worker processes are recycled)
(slide swiped from Dean Farrington)
Security
– Not installed by default
  – And install can be disabled via Group Policy
– Runs without SYSTEM context, hallelujah!
  – Restricted NetworkService user
– Clean default install - static HTML only
– IIS_WPG group for application pool userids
– URL authorization
  – Role-based user access to URLs, not just files and directories
Some other new features
– Total .NET domination
– Authentication
  – .NET Passport authentication
  – Advanced Digest authentication
– Cryptography
  – SSL 3 support
  – Support for third-party CryptoAPI providers
Upgrade issues
– New permissions settings may affect applications that write to Web space
– No Lockdown Wizard pre-upgrade ==> Web service disabled on upgrade
– Anecdotes indicating lots of trouble
Gotchas: Windows 2003 Web Edition
– Stripped-down, single-function server
  – e.g., can’t be a DC, CA, or VPN gateway
– Supports a limited amount of RAM (2GB)
– Does not include Internet Connection Filtering
Gotchas: Remote administration
– Multiple vulnerabilities already
– Not enabled by default, thank goodness
inetinfo.exe is still there
– ftp, smtp, nntp
– IIS 5 isolation mode
– Runs with SYSTEM context
– May be enabled by default on upgrades
IIS 5 isolation mode
Questions??