
IIS 6.0 SECURITY ARCHITECTURE It’s a Whole New World

Michael Muckin, Security Architect, Microsoft Consulting Services





Presentation Transcript


  1. IIS 6.0 SECURITY ARCHITECTURE: It’s a Whole New World
  Michael Muckin, Security Architect, Microsoft Consulting Services

  2. Agenda
  • Setting the Stage
  • IIS 6.0 Security design
  • ASP.NET Security Config
  • Scanning & Tools
  • Hardening IIS 6.0
  Demos throughout

  3. Setting the Stage
  • No news that IIS is a primary target
  • What is this “Security Push” and Trustworthy Computing?
  • IIS 6.0 should be tangible evidence of these initiatives

  4. Vulnerability Trends (chart: layers Application, OS, Network, Physical on the vertical axis; trend labels “Decreasing – Leveling out” and “Increasing” on the horizontal axis)

  5. IIS 6.0 Security Design
  • Product quality
    • Improve design, coding, and testing practices
    • Fewer vulnerabilities out of the box
  • Security conscious architecture
    • Reduced attack surface
    • Defense in depth
    • Limit the possible damage should new vulnerabilities be discovered
  • Always up-to-date
    • Make it practical to keep systems up-to-date with the latest software patches

  6. Product Quality
  • Security stand-down
  • Development practices: /GS, Prefix/Prefast runs, single String class
  • QFE and IIS core team merged
  • Code review for every change; external reviews keep us honest
  • Removed legacy code
  • Security design review for every feature
  • Extensive test infrastructure: external tools, internal tools, IIS tools (buffer overflow scanner, cross-site scripting, fault injection in regular test runs)

  7. Reduced Attack Surface
  • Windows Server 2003 disables 20+ Services
  • IIS is not installed on Windows Server 2003
  • If you install IIS…

  8. Vulnerability Distribution: Web-Server only (chart)

  9. Defense In Depth
  • Buffer overflows
    • New Low Privilege accts: Network Service (default) and Local Service
    • Default Privileges:
      • SeAssignPrimaryTokenPrivilege
      • SeSecurityPrivilege
      • SeSystemtimePrivilege
      • SeAuditPrivilege
      • SeChangeNotifyPrivilege
      • SeUndockPrivilege
    • …vs. the LocalSystem account – which has almost every system Privilege (21 total)

  10. Defense In Depth
  • Canonicalization issues
    • Rigorous and restrictive parsing
    • Default handler is restricted to a list of known extensions
  • Denial-of-service attacks
    • Fault-tolerant infrastructure
    • Limits
  • Cross-site scripting issues
    • ASP.NET data validation controls
  • Executing command-line scripts
    • Secure defaults: don’t allow anonymous account to execute *.exe’s
  • Site defacements
    • No write access for anonymous account in home dir

  11. Secure By Default: Secure Defaults I
  • No executable VDirs
    • /SCRIPTS and /MSADC
  • Secure timeouts and limits
    • 16k request limit
  • Old legacy code removed
    • ISM.DLL/.HTR
    • Sub-authentication
  • Known extensions
    • Check if file exists

  12. Secure By Default: Secure Defaults II
  • Strong ACLs on
    • Logfiles
    • Custom error directory
    • On cache directories
      • Persistent ASP template cache
      • Compression cache
  • IE Shipped in Hardened State on all Servers
    • Admin must add Zones/settings as desired
  • ASP
    • ASPEnableParentPath = FALSE
    • Hang detection
    • 4MB response buffer limit
    • Internal health detection

  13. Secure By Default: Secure Defaults III
  • Restrictive URL Canonicalization
    • Hostname and URL rules
    • A raw byte must be URL_TOKEN, per RFC 2396 and 2732
      • Alphanumeric: A..Z a..z 0..9
      • Hex-Escaped: %xx or %uNNNN
      • Mark: - _ . ! ~ * ' ( )
      • Reserved: ; / ? : @ & = + $ , [ ]
      • Unwise: { } | \ ^ `
      • But Not: 0x00-0x1F 0x7F " # < >
  • NTFS canonicalization
    • \\?\
    • Streams outlawed
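
The URL_TOKEN rule above, written out as an added example (not IIS code): every raw byte must be in one of the listed classes or part of a %xx / %uNNNN escape, and a second check applies the NTFS rules (no \\?\ prefix, no stream syntax). Rejecting bytes >= 0x80 outright is an assumption of this example, as is treating any ':' inside a path component as stream syntax.

```python
import re

# Character classes from the slide: RFC 2396/2732 URL tokens as IIS 6.0 applies them.
ALPHANUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
MARK = set("-_.!~*'()")
RESERVED = set(";/?:@&=+$,[]")
UNWISE = set("{}|\\^`")
ALLOWED_LITERAL = ALPHANUM | MARK | RESERVED | UNWISE   # no space, " # < >, or bare %

# Accepted escape forms: %xx (one byte) or %uNNNN (the IIS Unicode escape).
ESCAPE_RE = re.compile(r"%(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})")


def check_url_tokens(raw: bytes):
    """Return (ok, offset_of_first_bad_byte). Every raw byte must be a token:
    alphanumeric, mark, reserved, unwise, or part of a well-formed escape.
    Controls 0x00-0x1F, 0x7F, the characters " # < > and (assumed here)
    any byte >= 0x80 are rejected instead of being 'helpfully' repaired."""
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b == 0x25:                                   # '%' must start a valid escape
            m = ESCAPE_RE.match(raw[i:i + 6].decode("ascii", "replace"))
            if not m:
                return False, i
            i += len(m.group(0))
            continue
        if b < 0x20 or b >= 0x7F or chr(b) not in ALLOWED_LITERAL:
            return False, i
        i += 1
    return True, -1


# NTFS stage from the slide: refuse the device-path prefix (backslash backslash
# question-mark backslash) and alternate data stream syntax such as
# default.asp::$DATA, i.e. a ':' inside any path component.
def ntfs_path_ok(path: str) -> bool:
    if path.startswith("\\\\?\\"):
        return False
    return all(":" not in part for part in re.split(r"[\\/]", path))
```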

  14. Security Conscious Architecture: Compartmentalization
  • Third-Party code runs only in Worker Processes
  • Powerful sandboxing
  • HTTP pre-request logging

  15. Rearchitecting IIS: A review of IIS5 (diagram: INETINFO.EXE hosting ISAPI filters and extensions plus the metabase; separate DLLHost.EXE processes hosting ISAPI extensions; WinSock 2.0 over TCP/IP across the user/kernel boundary)

  16. IIS 6.0 Request Processing (diagram: HTTP in kernel mode with request queue and response cache; in user mode the WWW Service administration & monitoring, Inetinfo with the XML metabase, FTP, NNTP, SMTP, and the application pools handling request and response)

  17. Rearchitecting IIS: A New Architecture for IIS6 (diagram: HTTP.SYS in the kernel; WAS and W3 Core worker processes hosting web apps in user mode)
  • GOAL: prevent apps from affecting system health
  • Web service in INETINFO split out to do this:
    • HTTP.SYS: kernel mode listener and request router
    • WAS: config and process manager
    • W3 Core: where apps get loaded
  • Multiple W3 Cores

  18. Rearchitecting IIS: HTTP.SYS
  • What is it?
    • Kernel-mode HTTP stack/listener
    • Always running
  • Reliability Features
    • Process routing based on URL
    • Request queues: kernel-mode queuing
  • Performance Features
    • Kernel-mode response cache
    • Text-based and binary logging

  19. Rearchitecting IIS: HTTP.SYS (diagram: request arrives via TCP/IP, passes through the HTTP parser and HTTP engine to the namespace mapper, which places it on a per-application request queue; responses are sent via the response cache and the send-response path; the listener uses the HTTP.SYS API)

  20. Rearchitecting IIS: Web Admin Service (WAS)
  • Application Manager
    • Manages lifetime of W3 Core(s)
  • Configuration Manager
    • Configures HTTP.SYS
  • No application code
    • Ensures reliability
    • Easier to identify problems
  • Hosted in SVCHOST.exe

  21. Rearchitecting IIS: W3 Core
  • What is it?
    • Main web processing DLL responsible for processing web requests
    • Mini-web server
  • Contains all web request processing functionality
  • Loads ISAPI’s – filters and extensions
  • Separates request processing from rest of web server

  22. Application Pools: Application Isolation in Processes
  • Can create 1 or more application pools
    • Each served by 1 or more processes.
    • Each worker process serves only 1 pool.
  • Reqs routed directly to pool by HTTP.sys
  • Isolate apps based on:
    • Site/Customer
    • Functionality
    • Reliability

  23. Application Pooling: Configurable Worker Process ID
  • Worker process can be started as:
    • Network Service (default)
    • Local System
    • Local Service
    • Configured ID

  24. Recycling: What is it and Why use it?
  • What is it?
    • Periodically restart applications based on:
      • Uptime
      • # of requests
      • Scheduled time
      • Memory consumption
      • On-demand
  • Why use it?
    • Refresh apps to ensure availability
    • Prevent bad apps from taking over the system

  25. Recycling: Overlapping Recycle (diagram: WAS starts a new worker process (Web Proc. Core DLL, ISAPI Exts & Filters) while the old worker process is still serving; once the new process is ready, HTTP.SYS routes requests to it and the old process shuts down; states shown: startup, ready, ready for recycle, shut down; user/kernel boundary)

  26. Countering DoS: ISAPI Interaction – REPORT_UNHEALTHY
  • HSE_REQ_REPORT_UNHEALTHY
    • Goal: allow an ISAPI to report to IIS that it needs to be recycled.
      bResult = pECB->ServerSupportFunction( pECB->ConnID, HSE_REQ_REPORT_UNHEALTHY, psz_reason_unhealthy, NULL, NULL );
  • ASP Hang Detection
    • Used to detect when ASP threads block in components

  27. Health Detection: Crash Detection & Rapid Fail Protection
  • WAS detects process crash/AV’s
  • On failure
    • Publish event to event log
    • Check “crash count”
    • If (Crash count > Max Crashes in time limit)
      • Disable app pool
    • Else start new process
  • Rapid Fail Protection
    • Only allow x crashes in y minutes
    • Return 503’s when invoked
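
The crash-count check from the slide, modelled as an added example (not WAS code): crashes are counted in a sliding window, a crash beyond the limit disables the pool instead of restarting a worker, and a disabled pool answers 503. The 5 crashes in 300 seconds limits and the crash timestamps are constructed assumptions, not values from the slide.

```python
from collections import deque


class AppPoolHealth:
    """Sliding-window crash counter for one application pool. Past the
    limit the pool is disabled (Rapid Fail Protection) so a broken app
    is not restarted endlessly and cannot take the server down with it."""

    def __init__(self, max_crashes=5, window_seconds=300):   # assumed defaults
        self.max_crashes = max_crashes
        self.window = window_seconds
        self.crash_times = deque()      # timestamps still inside the window
        self.disabled = False
        self.event_log = []             # stands in for the Windows event log

    def worker_crashed(self, now):
        """Called by the process manager on a crash/AV. Returns the action taken."""
        self.event_log.append((now, "worker process crashed"))
        self.crash_times.append(now)
        while self.crash_times and now - self.crash_times[0] > self.window:
            self.crash_times.popleft()  # forget crashes older than the window
        if len(self.crash_times) > self.max_crashes:
            self.disabled = True
            self.event_log.append((now, "rapid fail protection: pool disabled"))
            return "disable"
        return "restart"

    def http_status(self):
        """A disabled pool is answered with 503 Service Unavailable."""
        return 503 if self.disabled else 200


def simulate(crash_times, **limits):
    """Feed a constructed list of crash timestamps (seconds) through the check."""
    pool = AppPoolHealth(**limits)
    actions = [pool.worker_crashed(t) for t in crash_times]
    return actions, pool.http_status()
```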

  28. ASP.NET Secure Config
  • ASP.NET Security Layers
  • Configuring ASP.NET Security
  • Server-side Input Validation

  29. ASP.NET Security Layers
  • IIS
    • Authentication
    • URLScan (not specific to ASP.NET)
    • Static file ACLs
  • ASP.NET
    • Web Service Extensions
    • Authorization by Role and URL
    • File access by ASP mapped extensions

  30. ASP.NET Accounts
  • When ASP.NET is enabled – a new account is created: “ASPNET” – and a new Group “IIS_WPG”
  • Configurable in IIS Service Manager MMC
  • For multiple Pools requiring complete isolation:
    • Create low-priv accounts for each Pool
    • Add to IIS_WPG group
    • Config each Pool with appropriate Identity
  • Both ASPNET and the IUSR_xxxx accounts need Read and Execute (ntfs) access to ASP.NET files (.aspx, .asmx, etc.)
  • Careful of “code-behind” files that are being accessed – set ACLs appropriately – (aspx.cs, aspx.vb)

  31. ASP.NET Config Files
  • Understanding the “.Config” files
    • XML files with Web and App settings
    • ACL these files tightly
      • Remove “Users” and “Power Users”
  • Hierarchical application of security settings
    • Machine.config
    • Web.config (For all ASP.NET apps)
    • App1 -> Web.config (Individual App settings)
    • Resultant = inherited settings
  • Settings:
    • AuthN, AuthZ by Users, Roles (Domain and Forms)
    • HTTP Verbs Allowed/Disallowed
    • URLs
    • File access
  • Don’t put Connection Strings or User/Pwds in here !!

  32. Users and Roles
  Web.config – <system.web> tag:
  <authorization>
    <allow users="Sue, Joe"/>
    <deny users="?"/>
  </authorization>
  -----------------------------------
  <authorization>
    <allow verbs="HEAD, GET, POST" roles="Administrators"/>
    <allow verbs="HEAD, GET, POST" roles="Users"/>
    <deny users="?"/>
  </authorization>
  Note: "?" = all unauthenticated users

  33. More Granular Control
  Web.config – <location> tag:
  <location path="ListUsers.aspx">
    <system.web>
      <authentication mode="forms">
        <forms loginUrl="AdminLogin.aspx" protection="All"/>
      </authentication>
      <authorization>
        <allow users="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  Note: "*" = all users; HTTP Verbs can also be specified within the <location> tag
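
How the <authorization> rules on slides 32 and 33 resolve, as an added example (not ASP.NET code): rules are walked most-specific first (<location>, then the application Web.config), the first matching allow/deny decides, and a request nothing matches falls through to the implicit machine-level <allow users="*"/>. Assumptions of this example: the anonymous user has an empty name, and the <location> rules are selected by exact file name.

```python
import xml.etree.ElementTree as ET


def parse_authorization(xml_text):
    """<authorization> element -> ordered (action, users, roles, verbs) rules."""
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    rules = []
    for el in ET.fromstring(xml_text.strip()):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, split(el.get("users", "")), split(el.get("roles", "")),
                          [v.upper() for v in split(el.get("verbs", ""))]))
    return rules


def is_authorized(rule_sets, user, roles, verb):
    """rule_sets ordered most-specific first (<location>, app Web.config, parent
    Web.config, Machine.config). user == "" means anonymous (assumption).
    No matching rule at all: the implicit <allow users="*"/> lets it through."""
    authenticated = user != ""
    for rules in rule_sets:
        for action, users, rule_roles, verbs in rules:
            if verbs and verb.upper() not in verbs:
                continue                      # rule is scoped to other verbs only
            user_hit = ("*" in users or ("?" in users and not authenticated)
                        or (authenticated and user in users))
            role_hit = authenticated and any(r in rule_roles for r in roles)
            if user_hit or role_hit:
                return action == "allow"
    return True


# Constructed copies of the second config on slide 32 and the <location> rules on slide 33.
APP_RULES = parse_authorization("""
<authorization>
  <allow verbs="HEAD, GET, POST" roles="Administrators"/>
  <allow verbs="HEAD, GET, POST" roles="Users"/>
  <deny users="?"/>
</authorization>""")

LISTUSERS_RULES = parse_authorization("""
<authorization>
  <allow users="admin"/>
  <deny users="*"/>
</authorization>""")


def decide(path, user, roles, verb):
    # <location path="ListUsers.aspx"> rules sit in front of the application-wide ones.
    chain = [LISTUSERS_RULES, APP_RULES] if path == "ListUsers.aspx" else [APP_RULES]
    return is_authorized(chain, user, roles, verb)
```

Note that with the slide 32 rules an authenticated user in neither role is still allowed (only "?" is denied), and so is a PUT from a Users member, since the verb-scoped allows do not match and the deny covers only anonymous users.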

  34. ASP.NET Server-side Validation: C# Example (1) – The Control
  <%@ Page Language="C#" %>
  <%@ Import Namespace="System.Text.RegularExpressions" %>
  <html>
  <head>
  <script runat="server">
  void ValidateBtn_OnClick(object sender, EventArgs e)
  {
      // Page.IsValid is true only if every validator on the page passed
      if (Page.IsValid) { lblOutput.Text = "Page is valid."; }
      else { lblOutput.Text = "Page is not valid!"; }
  }
  void ServerValidation(object source, ServerValidateEventArgs args)
  {
      try
      {
          Regex r = new Regex(@"^\d{4}$");   // Digits only – exactly 4
          if (!r.Match(args.Value).Success)   // args.Value is the text of the control being validated
              throw new Exception("Invalid ID");
      }
      … <snip> …
  }
  </script>
  </head>

  35. ASP.NET Server-side Validation: C# Example (2) – Hooking the Control
  <form runat="server">
  <h3>My CustomValidator Example</h3>
  <asp:Label id="lblOutput" runat="server" Text="Part Number:" Font-Name="Tahoma" Font-Size="10pt" /><br>
  <p>
  <asp:TextBox id="Text1" runat="server" /> &nbsp;&nbsp;
  <asp:CustomValidator id="CustomValidator1" ControlToValidate="Text1" OnServerValidate="ServerValidation" Display="Static" ErrorMessage="Part Number entered is wrong!" ForeColor="green" Font-Name="Tahoma" Font-Size="10pt" runat="server"/>
  <p>
  <asp:Button id="Button1" Text="Validate" OnClick="ValidateBtn_OnClick" runat="server"/>
  </form>

  36. Scanning & Tools
  • Scanning an IIS 6 Default Box
  • Scanning an ASP.NET enabled Box
  • Log Parser
  • IISLockDown/URLScan
  • Web Extensions

  37. Summary
  • Completely new Architecture
    • Kernel mode request handling
    • Complete Application Isolation
  • Secure Defaults
    • At the Code Level
    • Deployment – Default IIS box is only a static web server – Admin must turn on what is needed
  • IIS/ASP.NET focus on App-layer security
    • Web Service Extensions
    • URLScan
    • ASP.Net .config files
    • Server-side Controls
  • > 10,000 sites already live on IIS 6.0
  • microsoft.com running production since RC1

  38. Questions ???
