8/10/2019 IIS Security Apr2002
IIS Security
Best Practices
Thom Robbins
Overview
The Basics
Latest IIS Security Issues
Managing Service Packs and Hotfixes
Windows 2000 Configuration Best Practices
IIS 5.0 Configuration Best Practices
IIS Security-related Tools
If You Got Hacked
Resources
Questions
What is covered?
Current issues
Advice and Best Practices
Configuration information for tightening
the security of Windows 2000 and IIS
5.0
IIS 5.0 Security and Hotfix related tools
List of resources for further information
What is not covered
Firewall and port settings
Port settings are application-specific and are outside of the scope of this workshop
A list of known ways IIS has been compromised
Detailed settings for every component such as IPSec, Certificates, etc.
How to completely protect against any possible attack
The hope is to tighten the security enough so that a potential attacker fails or gives up and chooses an easier target
The Basics
Know your Corporate Security Policy!
If you don't have one, develop one!!!
How to react to a break-in? Where are backups stored?
Who has physical access to the servers?
Subscribe to the Microsoft Security Notification Service
http://www.microsoft.com/technet/security/bulletin/notify.asp
Automatic notification of security issues via e-mail
Latest IIS Security Bulletins
MS01-044
15 August 2001 Cumulative Patch for IIS
Includes the functionality of all security patches released to date for IIS 5.0
Includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 5
Includes fixes for five newly discovered security vulnerabilities affecting IIS 4.0 and 5.0
See http://www.microsoft.com/security for details
Latest IIS Security Issues
Code Red II Worm
Can be averted by installation of the patch provided in MS01-044 (the cumulative patch; the worm enters through the Index Server .ida ISAPI extension)
Removal if already infected:
The safest way to ensure complete removal is to rebuild the server
The other option is to use the Code Red II Worm Removal Tool found on http://www.microsoft.com
Managing Service Packs and Hotfixes
Service Packs
Deploy via SMS Server
Deploy via Group Policy
Deploy via logon scripts and .msi packages
Hotfixes
HFNetChk Tool
QChain
HFNetChk Tool
Microsoft Network Security Hotfix Checker (hfnetchk.exe)
Brand new! Just released in August 2001
Command-line tool to check the patch status of all machines on the network from a central location
HFNetChk refers to an XML database constantly updated by Microsoft
HFNetChk Features
Runs on NT 4.0 or Windows 2000 systems
Scans local and/or remote systems for patches for the following products:
Windows NT 4.0
Windows 2000
All system services, including Internet Information Server 4.0 and 5.0
SQL Server 7.0 and 2000 (including Microsoft Data Engine)
Internet Explorer 5.01 and later
HFNetChk Screenshot
HFNetChk Features (cont'd)
Three items evaluated to determine installed patches:
Registry key installed by patch
File versions
Checksum for each file installed by patch
See Knowledge Base article Q303215 for details and download locations
QChain
Safely chains hotfixes together, allowing the installation of multiple hotfixes with only one reboot
Works on both Windows 2000 and Windows NT 4.0
For QChain usage and batch file examples see Knowledge Base article Q296861: Use Qchain.exe to Install Multiple Hotfixes with Only One Reboot
Windows 2000 Configuration
Windows 2000 Configuration Basics
IUSR_Computername Account
IWAM_Computername Account
Security Templates
IPSec Policies
Windows 2000 Configuration Basics
Block all traffic to the server before installation takes place
If possible, install the IIS server in its own domain, and on a member server
Create a new Inetpub root directory on a partition different from the OS
Use a name other than Inetpub to help counter potential attacks
Put content for each supported service (WWW, FTP, etc.) on its own partition
Windows 2000 Configuration Basics (cont'd)
Leave IP Routing turned off
Remove all protocol stacks except TCP/IP unless other stacks are needed
Stop the Task Scheduler service if not in use
Stop the FTP service if not in use
Stop the Telnet service if not in use
If you plan to use Telnet, create a TelnetClients group to restrict which users can access this service
Deny all TCP traffic except traffic to port 80 (and port 443 if the site uses SSL) using built-in Windows 2000 port filtering
Windows 2000 Configuration Basics (cont'd)
Deny access for IUSR_ComputerName and IWAM_ComputerName to dangerous files:
Scrrun.dll
Xcopy.exe
Cmd.exe
Regedit.exe
Regedt32.exe
AT.exe
Cscript.exe
Regsvr32.exe
Debug.exe
Ftp.exe
Tftp.exe
Nbtstat.exe
Net.exe
Netsh.exe
Tskill.exe
Poledit.exe
Rexec.exe
Edlin.exe
Runas.exe
Runonce.exe
IISSync.exe
IISReset.exe
Wscript.exe
Telnet.exe
Rcp.exe
IUSR_Computername Account
Default anonymous access impersonation account for IIS
IUSR_Computername account privileges:
Select "User cannot change password"
Select "Password never expires"
User rights and logon types differ when using "Allow IIS to control password":
If the option is enabled, a network logon (type 3) is performed
This is a significant security benefit because the anonymous user's token cannot be used to gain access to remote network resources
If the option is disabled, a local logon (type 2) is performed
If anonymous access to the web site is not required, disable the IUSR_Computername account
IWAM_Computername Account
Default account used by DLLHost.exe for medium and high isolation web applications
IWAM_Computername account privileges:
Select "User cannot change password"
Select "Password never expires"
Anonymous access is still performed via the IUSR_Computername account
Security Templates
Baseline templates for secure web sites
Hisecweb.inf
Copy the template to the %windir%\security\templates directory
Open the Security Templates tool, and look over the settings
Open the Security Configuration And Analysis tool, and load the template
Right-click the Security Configuration And Analysis tool, and choose Analyze Computer Now from the context menu
Wait for the work to complete
Review the findings, and update the template as necessary
When satisfied with the template, right-click the Security Configuration And Analysis tool and choose Configure Computer Now from the context menu
IPSec Policies
Strongly consider setting an IPSec packet-filtering
policy on every Web server
Provides an extra level of security if firewalls are
breached
Block all TCP/IP protocols other than those you
explicitly want to support and the ports you want to
open
Deploying IPSec Policies
IPSec Administration tool
IPSecPol command line tool
IIS Configuration
Web-based Permissions
Set Appropriate ACLs
Enable Logging
Disable All Unnecessary Authentication Types
Set IP Address/DNS Address Restrictions
Executable Content Validated for Trustworthiness
Update Root CA Certificates at the IIS Server
Disabling and/or Removing Unneeded Applications, Components, Directories, Script Mappings and WebDAV
Checking Code
Disable Parent Paths
Disable IP Address in Content-Location
Perform Auditing of Key Directories
Web-based Permissions
General Access Permissions
Recommended to leave General Access Permissions other than Read disabled:
Leave Script Source Access disabled
Leave Write disabled
Leave Directory Browsing disabled
Leave Execute Permissions set to None
Execute Permissions
Recommend setting on a per-web-site and per-directory basis
If executables (.exe, .dll) are required, use the Scripts and Executables setting
Otherwise, if scripts (.asp) are required, use the Scripts setting
Otherwise, leave Execute Permissions at the setting of None
Web-based Permissions Screenshot
Set Appropriate ACLs on Virtual Directories
Application dependent, but rules of thumb are:

File type                                  Access Control List
CGI (.exe, .dll, .cmd, .pl)                Everyone (RX), Administrators (Full Control), System (Full Control)
Script files (.asp)                        Everyone (RX), Administrators (Full Control), System (Full Control)
Include files (.inc, .shtm, .shtml)        Everyone (RX), Administrators (Full Control), System (Full Control)
Static content (.txt, .gif, .jpg, .html)   Everyone (R), Administrators (Full Control), System (Full Control)
Set Appropriate ACLs on Virtual Directories (cont'd)
Recommended default ACLs by file type
Create new directories for each file type
Set ACLs on the directory
Allow the ACLs to inherit to the files
Sample directory structure:
C:\inetpub\wwwroot\myserver\static (.html)
C:\inetpub\wwwroot\myserver\include (.inc)
C:\inetpub\wwwroot\myserver\script (.asp)
C:\inetpub\wwwroot\myserver\executable (.dll)
C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Set Appropriate ACLs on Virtual Directories (cont'd)
Two directories need special attention:
C:\inetpub\ftproot (FTP server)
C:\inetpub\mailroot (SMTP server)
Both are set to Everyone (Full Control) by default
Should be overridden with tighter permissions depending on functionality
Place the folder on a different volume than the IIS server if you're supporting Everyone (Write), OR use Windows 2000 disk quotas to limit the amount of data written to these directories
Set Appropriate IIS Log File ACLs
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
Administrators (Full Control)
System (Full Control)
Everyone (Read, Write, Change)
Note that the logs are written by inetinfo.exe, which runs as LocalSystem, so the System entry is what logging itself needs; if nothing else on the server requires it, drop the Everyone write access
Move and rename the IIS Log Files directory
This is to help prevent malicious users deleting the files to cover their tracks
Enable Logging
Use W3C Extended Logging
Set the following properties:
Client IP Address
User Name
Method
HTTP Status
Win32 Status (look for error 5, Access Denied)
Use net helpmsg <number> to decode the error number
User Agent
And if hosting multiple Web sites on a single computer:
Server IP Address
Server Port
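As an added example (not part of the original slides), the following JavaScript parses W3C Extended log lines with the properties listed above and flags the entries a reviewer would pick out: Win32 status 5 (what net helpmsg 5 reports as "Access is denied."), requests for the Index Server .ida/.idq extensions, and directory traversal or cmd.exe in the URL. The log lines, the field selection and the function names (parseW3cLog, reviewLog) are constructed for this example.

```javascript
// Added example: review IIS W3C Extended log entries. The log text below is
// constructed for illustration, not a real capture.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-15 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2001-08-15 00:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm - 200 0 Mozilla/4.0
2001-08-15 00:00:02 10.0.0.7 - 192.168.1.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 0 Mozilla/4.0
2001-08-15 00:00:03 10.0.0.9 - 192.168.1.10 80 GET /default.ida XXXX%u9090%u6858=a 200 0 -
2001-08-15 00:00:04 10.0.0.5 - 192.168.1.10 80 GET /private/report.asp - 401 5 Mozilla/4.0`;

// Text that `net helpmsg <code>` prints for the Win32 status codes seen most often.
const WIN32_MESSAGES = { 0: "The operation completed successfully.", 5: "Access is denied." };

// Parse the log into objects keyed by the names given in the #Fields directive.
function parseW3cLog(text) {
  let fields = [];
  const entries = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#")) continue;            // other directives (#Software, #Date, ...)
    const values = line.split(" ");
    if (values.length !== fields.length) continue; // skip malformed lines rather than misalign columns
    const entry = {};
    fields.forEach((name, i) => { entry[name] = values[i]; });
    entries.push(entry);
  }
  return entries;
}

// Return one finding per suspicious entry, with every reason that applied.
function reviewLog(entries) {
  const findings = [];
  for (const e of entries) {
    const stem = (e["cs-uri-stem"] || "").toLowerCase();
    const win32 = Number(e["sc-win32-status"]);
    const reasons = [];
    if (win32 === 5) reasons.push(`win32 status 5: ${WIN32_MESSAGES[5]}`);
    if (/\.(ida|idq)$/.test(stem)) reasons.push("Index Server ISAPI request (.ida/.idq), the extension Code Red abused");
    if (stem.includes("..") || stem.includes("cmd.exe")) reasons.push("directory traversal or cmd.exe in URL");
    if (reasons.length) findings.push({ ip: e["c-ip"], stem: e["cs-uri-stem"], reasons });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed log.
for (const f of reviewLog(parseW3cLog(SAMPLE_LOG))) console.log(f.ip, f.stem, f.reasons.join("; "));
```

Because the anonymous user is impersonated, a sc-win32-status of 5 on a 401 or 403 means the NTFS ACL, not IIS, stopped the request; a run of them from one client IP against files the site never links to is the pattern worth chasing.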
W3C Extended Logging Extended Properties Screenshot
Disable Unnecessary Authentication Types
Anonymous: default authentication method
Basic: sends the password essentially in the clear (base64-encoded), so it should only be used with SSL
Digest: requires storing passwords with reversible encryption (effectively clear text) on the domain controller
Integrated: either NT Challenge/Response (NTLM) or Kerberos, as negotiated by the browser
Inconsistent behavior through proxy servers
Set IP Address/DNS Address Restrictions
One option to restrict your web sites to certain users
Not a common option
DNS name restrictions require IIS to do a DNS lookup on every request, significantly impacting performance
IP Address/DNS Address Restrictions Screenshot
Executable Content Validated for Trustworthiness
Determine whether executable content can be trusted
Use the DumpBin tool to see whether an executable calls certain APIs
Example: to see whether a file named MyISAPI.dll calls RevertToSelf:
    dumpbin /imports MyISAPI.dll | find "RevertToSelf"
If no results appear, MyISAPI.dll does not call RevertToSelf directly
It might call the API dynamically through LoadLibrary, in which case you could search for RevertToSelf calls in all imported libraries as well
Why RevertToSelf matters: an ISAPI extension running in-process that calls it drops the impersonated IUSR identity and runs as the inetinfo.exe process account, which is LocalSystem
Refer to KB article Q177429 for more information on reading DumpBin output
Update Root CA Certificates at the IIS Server
Add any new root CA certificates you trust (such as new root CA certificates created with Microsoft Certificate Services 2.0)
Remove all root CA certificates you don't trust
If you don't know the name of the company that issued the root certificate, do not trust them!
Update Root CA Certificates at the IIS Server (cont'd)
All root CA certificates used by IIS reside in the computer's machine store
They can be managed using the Certificates MMC snap-in
Do not remove the Microsoft or VeriSign roots
They are used extensively by the OS
Disable or Remove All Sample Applications
Samples should never be installed on a production server
Default locations for some of the samples:

Sample              Virtual directory   Location
IIS Samples         \IISSamples         c:\inetpub\iissamples
IIS Documentation   \IISHelp            c:\winnt\help\iishelp
Data Access         \MSADC              c:\program files\common files\system\msadc
Disable WebDAV
Enabled by default
Allows for remote file management via HTTP
To disable, see Q241520: How to Disable WebDAV for IIS 5.0
Disable or Remove Unneeded COM Components
Remove unused COM components
If not in use, consider disabling the File System Object component
This also removes the Dictionary object
Site Server 3.0 uses the File System Object component
Remove the IISADMPWD Virtual Directory
Remove the IISADMPWD virtual directory if it exists
Allows you to reset Windows NT and Windows 2000 passwords
Designed for intranet-only scenarios
Isn't installed by a default install of IIS 5, but is not removed when upgrading an IIS 4 server to IIS 5
Remove Unused Script Mappings
When IIS receives a request for a preconfigured file type, the call is handled by a DLL
If the file type or functionality isn't required, remove the mapping using the Internet Services Manager MMC

If you don't use...                                                                     Remove this entry:
Web-based password reset                                                                .htr
Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology)  .idc
Server-side Includes                                                                    .stm, .shtm and .shtml
Internet Printing                                                                       .printer
Index Server                                                                            .htw, .ida and .idq
Remove Unused Script Mappings (cont'd)
Internet Printing can be configured by group policy as well
Group policy settings take precedence
Unless there is a mission-critical reason to use .htr functionality, remove the .htr extension
Check <FORM> and Querystring Input in Your ASP Code
Many sites use user input to call other code or build SQL statements directly
There are attacks where malicious user input is treated as valid input, allowing unintended access
You should always check each form field and query string value before passing it on to another process or method call that might use an external resource such as the file system or a database
Check <FORM> and Querystring Input in Your ASP Code (cont'd)
You can perform text checking with the JScript 5 and VBScript 5 regular expression capabilities. This VBScript example strips a string of all invalid characters (characters that are not 0-9, a-z, A-Z or _):

    Set reg = New RegExp
    reg.Pattern = "\W+"   ' One or more characters which are NOT 0-9a-zA-Z or '_'
    strUnTainted = reg.Replace(strTainted, "")

Also be careful when using the Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. This VBScript example keeps only the text before a | character and discards everything after it:

    Set reg = New RegExp
    reg.Pattern = "^(.+)\|(.+)"   ' Any characters from the start of the string up to a | character
    strUnTainted = reg.Replace(strTainted, "$1")

This JScript example strips a reserved device name (AUX, PRN, NUL, COMn, LPTn) from the end of the string:

    var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
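The following JavaScript is an added example, not code from the original slides. It keeps the "\W+" stripping idea for free text, but for a file name it validates and rejects instead of cleaning (single path component, no "..", no reserved device names, allow-listed extension), and it validates a numeric record id before it can reach a SQL statement. The function names (stripNonWord, safeFileName, resolveContentPath, parseRecordId) and the sample inputs are assumptions made for this example.

```javascript
// Added example: validate <FORM>/QueryString input before it reaches the file
// system or a database. Names and sample inputs are constructed for illustration.

// Same idea as the VBScript "\W+" sample: keep only 0-9, a-z, A-Z and '_'.
function stripNonWord(tainted) {
  return String(tainted).replace(/\W+/g, "");
}

// Windows reserved device names. Opening "PRN" or "COM1.txt" through the File
// System Object talks to the device, not to a file in the content directory.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;

// Validate (rather than clean) a user-supplied file name. Only a single path
// component made of safe characters is accepted; anything else returns null.
// Rejecting is safer than stripping, which can leave a different but still
// dangerous name behind.
function safeFileName(tainted) {
  const name = String(tainted);
  // Letters, digits, '_', '.', '-' only: no '\', '/', '|', ':', '%', NUL or spaces.
  if (!/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/.test(name)) return null;
  // No parent-path traversal, the same thing "Enable Parent Paths" lets MapPath do.
  if (name.includes("..")) return null;
  if (RESERVED_DEVICE.test(name)) return null;
  return name;
}

// Build the physical path a script would open, but only from validated input
// and only for the one extension this page is meant to serve.
function resolveContentPath(contentRoot, tainted, allowedExt) {
  const name = safeFileName(tainted);
  if (name === null) return null;
  if (!name.toLowerCase().endsWith(allowedExt.toLowerCase())) return null;
  return contentRoot + "\\" + name;
}

// A record id destined for a SQL statement must be a plain integer; anything
// else ("42 OR 1=1", "'; DROP TABLE ...") is rejected before the query is built.
function parseRecordId(tainted) {
  const s = String(tainted).trim();
  if (!/^\d{1,9}$/.test(s)) return null;
  return Number(s);
}

// Stand-alone run over a few constructed inputs.
for (const f of ["report.txt", "..\\..\\winnt\\win.ini", "COM1.txt", "readme.txt|calc.exe"])
  console.log(JSON.stringify(f), "->", safeFileName(f));
console.log(parseRecordId("42"), parseRecordId("42 OR 1=1"));
```

The difference from the slide's JScript device-name filter is deliberate: that regular expression only removes a device name at the end of the string, so "COM1.txt" passes it untouched, whereas safeFileName refuses it outright.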
Disable Parent Paths
Parent Paths allows the use of .. in calls to functions such as MapPath, so a script can reach files outside the web root
Enabled by default
Recommend to disable this
Select Properties of the Web site root
Select Home Directory, then Configuration
Open the App Options tab
Uncheck the Enable Parent Paths check box
Disable IP Address in Content-Location
The Content-Location header can expose IP addresses hidden by a NAT firewall or proxy
Recommend to disable this
Refer to Knowledge Base article Q218180 for further information
Perform Auditing of the File System
Audit important application and system directories for changes such as:
Traverse Folder / Execute File = Failure
List Folder / Read Data = Failure
Create Files / Write Data = Success / Failure
Create Folders / Append Data = Success / Failure
Delete Subfolders and Files = Success / Failure
Delete = Success / Failure
Change Permissions = Success / Failure
This audit policy should be applied to the IUSR and IWAM accounts on the following directories:
\winnt
\inetpub
IIS Tools
Security What If Tool
Security Configuration Tool
Lockdown Tool
URLScan
IIS Security What If Tool
Simple HTML tool
Helps determine which browsers, platforms, authentication schemes, and server configurations allow access to a remote resource
IIS Security What If Tool Screenshot
IIS Security Configuration Tool
Automates creation and deployment of security policies
Two phases: a questions phase and a deployment phase
Questions phase: HTML-based questionnaire
Produces a file with a default name of IISTemplate.txt describing the policy
IIS Security Configuration Tool Questionnaire Screenshot
IIS Security Configuration Tool (cont'd)
Deployment phase: use the IISConfig command line tool to deploy the IISTemplate.txt file
Usage: IISConfig [-s server] [-f configfile] [-n] [-d] [-? | -h]
Where:
[-s server] is the server name (DNS or NetBIOS; IP address is not supported)
[-f configfile] is the configuration file name
[-n] configures port lockdown, services and IIS script maps only. Does not use the SCE hisecweb.inf template
[-d] display debug output as the tool executes
[-?] display help
IIS Security Configuration Tool (cont'd)
Subdirectories:
DataEntry directory: where you enter your security policy
Engine directory: where the script files used to deploy the policy are stored
More information: read the ReadMe.txt file for more information and known issues
IIS Lockdown Tool
GUI wizard for automating lockdown settings
Two modes:
Express Lockdown
Provides maximum security
Appropriate for basic web servers
Advanced Lockdown
Allows selection of features
Use only if Express Lockdown settings are not appropriate
Use only if you understand the ramifications of enabling the features
IIS Lockdown Tool (cont'd)
Advanced Lockdown Settings
Remove Script Mappings
Disable support for Active Server Pages (.asp)
Disable support for Index Server Web Interface (.idq, .htw, .ida)
Disable support for Server Side Includes (.shtm, .shtml, .stm)
Disable support for Internet Data Connector (.idc)
Disable support for Internet Printing (.printer)
Disable support for .HTR scripting (.htr)
IIS Lockdown Tool (cont'd)
Advanced Lockdown Settings (cont'd)
Additional Lockdown Actions
Remove sample web files
Remove the Scripts virtual directory
Remove the MSADC virtual directory
Disable Distributed Authoring and Versioning (WebDAV)
Set file permissions to prevent the IIS anonymous user from executing system utilities (such as cmd.exe, tftp.exe)
Set file permissions to prevent the IIS anonymous user from writing to content directories
IIS Lockdown Tool Advanced Lockdown Settings Screenshots
URLScan
ISAPI filter that analyzes and screens HTTP requests
Reduces exposure to potential attacks
Allows configuration of IIS to reject requests based on the following criteria:
The request method (verb)
The file extension of the resource requested
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of particular character sequences in the URL
Presence of particular headers in the request
Also provides the option of deleting or altering the Server: header in the response
URLScan Configuration
UrlScan's operation is controlled by the UrlScan.ini file
UrlScan.ini should reside in the same directory as UrlScan.dll
Note that UrlScan only reads the ini file at initialization time (for performance reasons)
It is necessary to stop and start the web service before any changes to this file will be effective
Also note that the default options built into UrlScan.dll will result in a configuration that rejects all requests to the server
It is necessary to provide a UrlScan.ini file for UrlScan to pass requests to be served
A sample UrlScan.ini file is provided that contains the recommended settings to defend against the attacks on IIS servers known at the time of writing
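As an added example, and not URLScan's own code, the following JavaScript is a simplified re-implementation of the screening rules the two URLScan slides describe: allowed verbs, denied extensions, the normalization (double-encoding) check behind "suspicious URL encoding", high-bit characters, a dot in the path, denied URL sequences and denied request headers. The configuration text is constructed for this example and follows the section names of the sample UrlScan.ini ([Options], [AllowVerbs], [DenyExtensions], [DenyUrlSequences], [DenyHeaders]); the functions parseUrlScanIni, percentDecode and screenRequest are assumptions of this example, not URLScan APIs. The real filter runs inside IIS as an ISAPI filter; this reproduces its decision logic over a string so the rules can be read and tested.

```javascript
// Added example: a reduced UrlScan.ini interpreter. The ini text below is
// constructed for this example (it mirrors the layout of the sample file).
const SAMPLE_URLSCAN_INI = `
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.bat
.cmd
.ida
.idq
.htr
.printer

[DenyUrlSequences]
..
./
\\
:
%
&

[DenyHeaders]
Translate:
If:
Lock-Token:
`;

// Parse the ini text into { options: {name: value}, <section>: [entries] }.
function parseUrlScanIni(text) {
  const cfg = { options: {} };
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith(";")) continue;        // blank or comment
    const m = line.match(/^\[(.+)\]$/);
    if (m) { section = m[1].toLowerCase(); if (section !== "options") cfg[section] = []; continue; }
    if (section === "options") {
      const eq = line.indexOf("=");
      cfg.options[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    } else if (section) {
      cfg[section].push(line);
    }
  }
  return cfg;
}

// Decode %XX byte-wise; the filter reasons about raw bytes, not UTF-8 code points.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Screen one request. Returns { allowed: true } or { allowed: false, reason }.
function screenRequest(cfg, method, url, headers = {}) {
  const opt = (name) => cfg.options[name] === "1";
  const deny = (reason) => ({ allowed: false, reason });
  const lower = (list) => (cfg[list] || []).map((x) => x.toLowerCase());

  if (opt("UseAllowVerbs") && !lower("allowverbs").includes(method.toLowerCase()))
    return deny(`verb ${method} not in AllowVerbs`);

  let path = url.split("?")[0];                     // the path part is what is scanned here
  if (opt("NormalizeUrlBeforeScan")) {
    const once = percentDecode(path);
    // A URL that changes again on a second decode was double-encoded
    // (e.g. %255c -> %5c -> \), the classic way to slip "..\" past a filter.
    if (opt("VerifyNormalization") && percentDecode(once) !== once)
      return deny("URL is not normalized (double encoding)");
    path = once;
  }
  if (!opt("AllowHighBitCharacters") && /[\x80-\xff]/.test(path))
    return deny("non-ASCII character in URL");

  const lastSlash = path.lastIndexOf("/");
  const dir = path.slice(0, lastSlash);
  const file = path.slice(lastSlash + 1);
  const ext = file.includes(".") ? file.slice(file.lastIndexOf(".")).toLowerCase() : "";
  if (lower("denyextensions").includes(ext)) return deny(`extension ${ext} is denied`);
  if (!opt("AllowDotInPath") && dir.includes(".")) return deny("dot in directory part of path");

  for (const seq of cfg.denyurlsequences || [])
    if (path.includes(seq)) return deny(`URL contains denied sequence "${seq}"`);

  const present = Object.keys(headers).map((h) => h.toLowerCase() + ":");
  for (const h of lower("denyheaders"))
    if (present.includes(h)) return deny(`request header ${h} is denied`);

  return { allowed: true };
}

// Stand-alone run over a few constructed requests.
const cfgDemo = parseUrlScanIni(SAMPLE_URLSCAN_INI);
for (const [m, u] of [["GET", "/default.htm"], ["PROPFIND", "/"], ["GET", "/scripts/..%255c../winnt/system32/cmd.exe"], ["GET", "/default.ida"]])
  console.log(m, u, JSON.stringify(screenRequest(cfgDemo, m, u)));
```

Note the order of the checks: because the URL is decoded before the sequence check, a literal "%" left in the normalized URL is itself a denied sequence, which is why the sample file lists "%" under [DenyUrlSequences].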
URLScan.ini Screenshot
URLScan Logging
If a request is denied, the following will be logged:
Reason for the denial
Information about the request
Typically, the URL and IP address of the source of the request
URLScan Logfile Screenshot
If You Got Hacked
Have an Incident Response Plan
Remove machines from the net
Find out how the hacker did it
Perform a low-level format (after imaging the disk, so the evidence of how the break-in happened is preserved)
Examine connected computers
Resources
Microsoft's Security homepage: http://www.microsoft.com/security
Secure Internet Information Services 5 Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
Subscribe to the Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.asp
Automatic notification of security issues via e-mail
8/10/2019 IIS Security Apr2002
66/68
More Resources
National Security Agency's Windows 2000 Security Recommendation Guidelines: http://nsa2.www.conxion.com/win2k/download.htm
SANS Institute: worldwide institute for security-focused information and training
http://www.sans.org
http://www.sans.org/infosecFAQ/win2000/win2000_list.htm
8/10/2019 IIS Security Apr2002
67/68
Even More Resources
SecurityFocus: website dedicated to providing computer security related information
http://www.securityfocus.com
NTBugTraq: mailing list for the discussion of security exploits and security bugs in Windows NT and its related applications
http://www.ntbugtraq.com
Neohapsis: security consulting firm who provide news and commentary on the latest security issues
http://www.neohapsis.com
8/10/2019 IIS Security Apr2002
68/68
Questions