
IIS Security 101

IIS Security 101. Jeni Li for WNUG/CCC April 1, 2004. Please be polite. This file is being shared on the Web in raw PowerPoint format. I put a lot of time into creating and commenting this file.





Presentation Transcript


  1. IIS Security 101 Jeni Li for WNUG/CCC April 1, 2004

  2. Please be polite
  • This file is being shared on the Web in raw PowerPoint format.
  • I put a lot of time into creating and commenting this file.
  • For permission to share it outside of ASU, or to use it in presentations, please contact me first.
  • Thanks!

  3. Who am I
  • Web geek at ASU Polytechnic campus
  • Tri-campus veteran
  • Author of IIS item for 2002/3 SANS Top 20
  • Local mentor for SANS
  • Board member of InfraGard and HTCIA
  • Member of MCC IA Advisory Board
  • Member of Infosec Academy Advisory Board
  • Somewhat of an Apache bigot

  4. What we’ll cover this morning
  • Common types of attacks against Web servers
  • A layered (host-based) defense against those attacks
  • Three tools used to secure IIS
  • What’s different about IIS 6

  5. Common types of attacks
  • Directory traversal
    • GET /scripts/../../winnt/system32/cmd.exe /c+dir
    • GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir
  • Examples
    • Code Blue, Nimda
    • Socket80
  • Effects
    • Unauthorized file access
    • Execution of arbitrary commands

  6. Common types of attacks
  • Buffer overflows
    • Long requests with machine code embedded
  • Example
    • WebDAV ntdll.dll exploit
  • Effects
    • Denial of service
    • Execution of arbitrary code

  7. Common types of attacks
  • Preprocessor exploits
    • Requests for .idq, .printer, et cetera
    • Requests with unusual HTTP verbs; e.g., PUT
  • Examples
    • Code Red, Code Red II
  • Effects
    • Denial of service
    • Execution of arbitrary commands

  8. Common types of attacks
  • Application exploits
    • Requests for executables you’re not using
  • Examples
    • newdsn.exe, ism.dll
    • Sample applications
    • Anything in /iisadmin or /MSADC
  • Effects
    • Denial of service
    • Unauthorized file access
    • Execution of arbitrary commands

  9. Layers of defense
  • Harden the OS
    • Use Gold Standard or similar templates
    • Eliminate unnecessary services
    • Set appropriate file space permissions
    • Patch, patch, patch

  10. Layers of defense
  • Strip down the Web service
    • Move document root and Web log directories
    • Eliminate unnecessary mappings
    • Eliminate sample applications
    • Disable WebDAV unless it’s an absolute requirement

  11. Layers of defense
  • Restrict file and URL access
    • Deny Web user access to certain system files
    • Set document directory permissions according to the principle of least privilege
    • Disallow known bad extensions (or, if you can, only allow known good ones)
    • Resolve URLs completely, then filter them
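To show why "resolve URLs completely, then filter them" matters, here is an added Python example (not from the presentation) that runs a raw-segment check and a resolve-then-filter check over constructed IIS-style log lines carrying the two traversal requests from slide 5; the log layout, client addresses and status codes are made up for the example.

```python
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not from the slides); fields are
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-04-01 09:00:01 192.0.2.10 GET /default.htm - 200
2004-04-01 09:00:02 192.0.2.20 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2004-04-01 09:00:03 192.0.2.20 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2004-04-01 09:00:04 192.0.2.30 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
"""

def naive_filter(path):
    """Segment check on the raw path: catches '/../' but not '..%5c..'."""
    return ".." in path.split("/")

def resolve_url(path, rounds=2):
    """Percent-decode repeatedly (%255c -> %5c -> backslash), treat backslash as
    a separator, then collapse '.'/'..'; a '..' that climbs above the root is kept."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segs = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs and segs[-1] != "..":
                segs.pop()
            else:
                segs.append("..")  # escaped the document root
        else:
            segs.append(seg)
    return segs

def is_traversal(path):
    """Filter applied after full resolution, whichever encoding was used."""
    return ".." in resolve_url(path)

def scan_log(text):
    """Return (client_ip, raw_uri) for each request that resolves to a traversal."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or line.startswith("#"):
            continue
        if is_traversal(parts[4]):
            hits.append((parts[2], parts[4]))
    return hits
```

The raw-segment check flags only the first request; resolving first catches the %5c and double-encoded %255c forms as well.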

  12. Layers of defense
  • Hide in plain sight
    • Bind the Web service to the FQDN
    • Eliminate the Server header
    • Modify or eliminate the content-location header
    • Conceal the existence of preprocessed content

  13. Layers of defense
  • Keep an eye on it
    • Spikes in disk usage
    • Unusual or unexpected network traffic
    • Interesting log entries
    • Audit the right stuff

  14. Sound like a lot of work???

  15. Three wonderful tools
  • Security Configuration & Analysis snap-in
  • IIS Lockdown Wizard
  • URLScan filter
  • ... plus a little bit of manual labor

  16. SCAT snap-in
  • Configure security-related settings according to predefined templates (no regedit required!)
  • Good templates available from NSA, NIST, and Center for Internet Security (www.cisecurity.org)
  • Review/approve/deny changes before applying
  • Can create/modify your own templates
  • Note: Group policy

  17. Using SCAT

  18. Using SCAT

  19. Using SCAT

  20. Using SCAT

  21. Using SCAT

  22. Using SCAT

  23. Using SCAT

  24. Using SCAT

  25. Using SCAT

  26. Using SCAT

  27. Using SCAT

  28. ASU’s login warning banner

  29. Back to using SCAT

  30. Using SCAT

  31. IIS Lockdown Wizard
  • www.microsoft.com/technet/security/tools/locktool.mspx
  • Role-based configuration
  • Enable/disable/remove inetinfo services
  • Remove sample applications
  • Enable/disable built-in ISAPI mappings
  • Set restrictive permissions on system files
    • e.g., cmd.exe, tftp.exe
    • includes dllcache directory
  • Install URLScan

  32. Using IIS Lockdown

  33. Using IIS Lockdown

  34. Using IIS Lockdown

  35. Using IIS Lockdown

  36. Using IIS Lockdown

  37. Using IIS Lockdown

  38. URLScan
  • c:\winnt\system32\inetsrv\urlscan\urlscan.ini
  • Extensions to allow/disallow
  • HTTP verbs to allow/disallow
  • URL character patterns to disallow
  • Resolve Unicoded URLs
  • Modify or remove the Server header
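As an added example (not from the presentation), a small Python audit of the urlscan.ini [options] settings behind the items on this slide; the ini excerpt is constructed with deliberately weak values, and the option names are those of URLScan 2.5.

```python
import configparser

# Constructed urlscan.ini excerpt in URLScan 2.5 syntax (not the presenter's file);
# the weak [options] values are deliberate so the audit has something to report.
SAMPLE_INI = """\
[options]
UseAllowVerbs=0
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=0
AllowHighBitCharacters=1
AllowDotInPath=0
RemoveServerHeader=0

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.idq
.printer
"""

# option -> (hardened value, why it matters); keys are lower-cased because
# configparser lower-cases option names when it reads them
EXPECTED = {
    "useallowverbs": ("1", "permit only the verbs in [AllowVerbs]; PUT etc. are refused"),
    "useallowextensions": ("1", "permit only known-good extensions instead of denying known-bad"),
    "normalizeurlbeforescan": ("1", "decode the URL before matching [DenyUrlSequences]"),
    "verifynormalization": ("1", "reject URLs that change when decoded a second time (%255c)"),
    "allowhighbitcharacters": ("0", "reject non-ASCII bytes in the URL"),
    "allowdotinpath": ("0", "reject dots in directory segments that can disguise an extension"),
    "removeserverheader": ("1", "drop the Server: header that reveals the IIS version"),
}

def audit_urlscan(ini_text):
    """Return {option: message} for every [options] setting weaker than EXPECTED."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    findings = {}
    for key, (want, why) in EXPECTED.items():
        got = cp.get("options", key, fallback=None)
        if got is None or got.strip() != want:
            findings[key] = f"{key}={got!r} (want {want}): {why}"
    return findings
```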

  39. Manual labor: Bind to FQDN

  40. Conceal interactive content

  41. Eliminate revealing headers

  42. OK, so what about IIS 6?
  • Performance
  • Security
  • Upgrade issues
  • Gotchas

  43. Performance!!
  • Delivers files 90% faster than IIS 5
  • Built-in HTTP compression faster, better
  • Application isolation faster
  • Application pool recycling
  • Cleaner separation of user, kernel modes

  44. IIS 6 Architecture (diagram; slide swiped from Dean Farrington)
  • User mode: Web Admin Service; W3WP.exe worker processes, each hosting a W3 Core and a Web app ("Recycle time!" marks application pool recycling)
  • Kernel mode: HTTP.SYS

  45. Security
  • Not installed by default
    • And install can be disabled via Group Policy
  • Runs without SYSTEM context, hallelujah!
    • Restricted NetworkService user
  • Clean default install - static HTML only
  • IIS_WPG group for application pool userids
  • URL authorization
    • Role-based user access to URLs, not just files and directories

  46. Some other new features
  • Total .NET domination
  • Authentication
    • .NET Passport authentication
    • Advanced Digest authentication
  • Cryptography
    • SSL 3 support
    • Support for third-party CryptoAPI providers

  47. Upgrade issues
  • New permissions settings may affect applications that write to Web space
  • If the Lockdown Wizard was not run before the upgrade, the Web service is disabled after the upgrade
  • Anecdotes indicating lots of trouble

  48. Gotchas
  • Windows 2003 Web Edition
    • Stripped-down, single-function server
    • e.g., can’t be a DC, CA, or VPN gateway
    • Supports a limited amount of RAM (2GB)
    • Does not include Internet Connection Filtering

  49. Gotchas
  • Remote administration
    • Multiple vulnerabilities already
    • Not enabled by default, thank goodness
  • inetinfo.exe is still there
    • ftp, smtp, nntp
  • IIS 5 isolation mode
    • Runs with SYSTEM context
    • May be enabled by default on upgrades

  50. IIS 5 isolation mode
