IIS Security 101

IIS Security 101 Jeni Li for WNUG/CCC April 1, 2004


Transcript of IIS Security 101

Page 1: IIS Security 101

IIS Security 101

Jeni Li for WNUG/CCC, April 1, 2004

Page 2: IIS Security 101

Please be polite. This file is being shared on the Web in raw PowerPoint format. I put a lot of time into creating and commenting this file. For permission to share it outside of ASU, or to use it in presentations, please contact me first. Thanks!

Page 3: IIS Security 101

Who am I
– Web geek at ASU Polytechnic campus
– Tri-campus veteran
– Author of IIS item for 2002/3 SANS Top 20
– Local mentor for SANS
– Board member of InfraGard and HTCIA
– Member of MCC IA Advisory Board
– Member of Infosec Academy Advisory Board
– Somewhat of an Apache bigot

Page 4: IIS Security 101

What we’ll cover this morning
– Common types of attacks against Web servers
– A layered (host-based) defense against those attacks
– Three tools used to secure IIS
– What’s different about IIS 6

Page 5: IIS Security 101

Common types of attacks: Directory traversal
– GET /scripts/../../winnt/system32/cmd.exe /c+dir
– GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir
Examples
– Code Blue, Nimda
– Socket80
Effects
– Unauthorized file access
– Execution of arbitrary commands

Page 6: IIS Security 101

Common types of attacks: Buffer overflows
– Long requests with machine code embedded
Example
– WebDAV ntdll.dll exploit
Effects
– Denial of service
– Execution of arbitrary code

Page 7: IIS Security 101

Common types of attacks: Preprocessor exploits
– Requests for .idq, .printer, et cetera
– Requests with unusual HTTP verbs; e.g., PUT
Examples
– Code Red, Code Red II
Effects
– Denial of service
– Execution of arbitrary commands

Page 8: IIS Security 101

Common types of attacks: Application exploits
– Requests for executables you’re not using
Examples
– newdsn.exe, ism.dll
– Sample applications
– Anything in /iisadmin or /MSADC
Effects
– Denial of service
– Unauthorized file access
– Execution of arbitrary commands

Page 9: IIS Security 101

Layers of defense: Harden the OS
– Use Gold Standard or similar templates
– Eliminate unnecessary services
– Set appropriate file space permissions
– Patch, patch, patch

Page 10: IIS Security 101

Layers of defense: Strip down the Web service
– Move document root and Web log directories
– Eliminate unnecessary mappings
– Eliminate sample applications
– Disable WebDAV unless it’s an absolute requirement

Page 11: IIS Security 101

Layers of defense: Restrict file and URL access
– Deny Web user access to certain system files
– Set document directory permissions according to the principle of least privilege
– Disallow known bad extensions (or, if you can, only allow known good ones)
– Resolve URLs completely, then filter them

Page 12: IIS Security 101

Layers of defense: Hide in plain sight
– Bind the Web service to the FQDN
– Eliminate the Server header
– Modify or eliminate the Content-Location header
– Conceal the existence of preprocessed content

Page 13: IIS Security 101

Layers of defense: Keep an eye on it
– Spikes in disk usage
– Unusual or unexpected network traffic
– Interesting log entries
– Audit the right stuff
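The "resolve URLs completely, then filter them" rule from Page 11 and the "interesting log entries" check from Page 13, as an added example that is not from the slides: a small Python filter that decodes a request URL until it stops changing, folds backslashes to slashes, and only then applies the verb, traversal, extension and path rules, run over constructed IIS W3C log lines. The log lines, client addresses and the allow/deny lists are assumptions for illustration, chosen from the attack slides.

```python
import os
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format; client addresses and paths are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-04-01 09:12:01 10.0.0.5 GET /index.htm - 200
2004-04-01 09:12:07 10.0.0.9 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2004-04-01 09:12:09 10.0.0.9 GET /scripts/%2e%2e%255c%2e%2e%255cwinnt/system32/cmd.exe /c+dir 404
2004-04-01 09:12:15 10.0.0.7 GET /scripts/nothere.idq - 200
2004-04-01 09:12:20 10.0.0.7 PUT /upload/x.txt - 201
2004-04-01 09:12:31 10.0.0.3 GET /MSADC/readme.txt - 200
"""

ALLOWED_VERBS = {"GET", "HEAD", "POST"}                   # anything else (PUT, ...) is denied
DENIED_EXTENSIONS = {".idq", ".printer", ".exe", ".dll"}  # preprocessor and executable mappings
DENIED_PREFIXES = ("/iisadmin", "/msadc")                 # admin and sample-application paths

def normalize(stem):
    """Resolve the URL completely before filtering: decode until stable
    (so %255c -> %5c -> backslash is caught), fold backslashes, lower-case."""
    prev = None
    while prev != stem:
        prev, stem = stem, unquote(stem)
    return stem.replace("\\", "/").lower()

def naive_check(stem):
    return "../" in stem or "..\\" in stem    # filtering the raw request misses encoded forms

def suspicious(verb, stem):
    """Reasons to flag a request (empty list if clean); every test runs on the resolved path."""
    path = normalize(stem)
    ext = os.path.splitext(path)[1]
    checks = [
        (verb.upper() not in ALLOWED_VERBS, "verb " + verb),
        (".." in path.split("/"), "traversal"),
        (ext in DENIED_EXTENSIONS, "extension " + ext),
        (path.startswith(DENIED_PREFIXES), "blocked path"),
    ]
    return [label for hit, label in checks if hit]

def scan_log(text):
    hits = []                                             # (client ip, verb, stem, reasons)
    for line in text.splitlines():
        if line and not line.startswith("#"):             # skip W3C directive lines
            _date, _time, ip, verb, stem, *_rest = line.split()
            if reasons := suspicious(verb, stem):
                hits.append((ip, verb, stem, reasons))
    return hits
```

Note that naive_check catches the first traversal line but not the fully encoded one, while the resolved-path rules catch both.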

Page 14: IIS Security 101

Sound like a lot of work???

Page 15: IIS Security 101

Three wonderful tools
– Security Configuration & Analysis snap-in
– IIS Lockdown Wizard
– URLScan filter
... plus a little bit of manual labor


Page 16: IIS Security 101

SCAT snap-in
– Configure security-related settings according to predefined templates (no regedit required!)
– Good templates available from NSA, NIST, and Center for Internet Security (www.cisecurity.org)
– Review/approve/deny changes before applying
– Can create/modify your own templates
Note: Group policy

Pages 17-27: IIS Security 101

Using SCAT (screenshot slides)

Page 28: IIS Security 101

ASU’s login warning banner (screenshot)

Pages 29-30: IIS Security 101

Back to using SCAT (screenshot slides)

Page 31: IIS Security 101

IIS Lockdown Wizard
www.microsoft.com/technet/security/tools/locktool.mspx
– Role-based configuration
– Enable/disable/remove inetinfo services
– Remove sample applications
– Enable/disable built-in ISAPI mappings
– Set restrictive permissions on system files
  – e.g., cmd.exe, tftp.exe
  – includes dllcache directory
– Install URLScan

Pages 32-37: IIS Security 101

Using IIS Lockdown (screenshot slides)

Page 38: IIS Security 101

URLScan
c:\winnt\system32\inetsrv\urlscan\urlscan.ini
– Extensions to allow/disallow
– HTTP verbs to allow/disallow
– URL character patterns to disallow
– Resolve Unicoded URLs
– Modify or remove the Server header
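An illustrative urlscan.ini that puts those five settings together with the attack slides in mind, added here and not taken from the slides or shipped with URLScan; the section and key names follow the URLScan 2.5 file format as I know it, and the lists are my own choices that should be checked against the defaults installed on your server.

```ini
[options]
; Verbs: accept only what is listed in [AllowVerbs]
UseAllowVerbs=1
; Extensions: 0 = reject the list in [DenyExtensions], 1 = accept only [AllowExtensions]
UseAllowExtensions=0
; Resolve %xx escapes before the other rules run, and reject a request whose
; normalized form still changes when normalized again (double encoding)
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; No non-ASCII bytes in the URL and no "." inside directory names
AllowHighBitCharacters=0
AllowDotInPath=0
; Strip the Server header instead of advertising the IIS version
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
; preprocessor and application mappings named on the attack slides
.idq
.printer
.exe
.dll

[DenyUrlSequences]
; directory traversal, including ..%5c.. once it has been normalized
..
./
\
; alternate data streams, and anything still escaped after normalization
:
%

[DenyHeaders]
; WebDAV request headers, for servers where WebDAV is not a requirement
Translate:
If:
Lock-Token:

[RequestLimits]
; cap request sizes so overlong requests are refused before a mapping sees them
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```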

Page 39: IIS Security 101

Manual labor: Bind to FQDN

Page 40: IIS Security 101

Conceal interactive content

Page 41: IIS Security 101

Eliminate revealing headers

Page 42: IIS Security 101

OK, so what about IIS 6?
– Performance
– Security
– Upgrade issues
– Gotchas

Page 43: IIS Security 101

Performance!!
– Delivers files 90% faster than IIS 5
– Built-in HTTP compression: faster, better
– Application isolation: faster
– Application pool recycling
– Cleaner separation of user and kernel modes

Page 44: IIS Security 101

IIS 6 Architecture (diagram)

Kernel mode: HTTP.SYS receives requests. User mode: the Web Admin Service manages several worker processes (W3WP.exe), each containing a W3 Core and a Web app; worker processes are recycled ("Recycle time!").

(slide swiped from Dean Farrington)

Page 45: IIS Security 101

Security
– Not installed by default
  – And install can be disabled via Group Policy
– Runs without SYSTEM context, hallelujah!
  – Restricted NetworkService user
– Clean default install: static HTML only
– IIS_WPG group for application pool userids
– URL authorization
  – Role-based user access to URLs, not just files and directories

Page 46: IIS Security 101

Some other new features
– Total .NET domination
– Authentication
  – .NET Passport authentication
  – Advanced Digest authentication
– Cryptography
  – SSL 3 support
  – Support for third-party CryptoAPI providers

Page 47: IIS Security 101

Upgrade issues
– New permissions settings may affect applications that write to Web space
– No Lockdown Wizard pre-upgrade ==> Web service disabled on upgrade
– Anecdotes indicating lots of trouble

Page 48: IIS Security 101

Gotchas: Windows 2003 Web Edition
– Stripped-down, single-function server; e.g., can’t be a DC, CA, or VPN gateway
– Supports a limited amount of RAM (2GB)
– Does not include Internet Connection Filtering

Page 49: IIS Security 101

Gotchas: Remote administration
– Multiple vulnerabilities already
– Not enabled by default, thank goodness
inetinfo.exe is still there
– ftp, smtp, nntp
– IIS 5 isolation mode
– Runs with SYSTEM context
– May be enabled by default on upgrades

Page 50: IIS Security 101

IIS 5 isolation mode

Page 51: IIS Security 101

Questions??
