IIS Security Apr2002


  • 8/10/2019 IIS Security Apr2002

    1/68

    IIS Security

    Best Practices

    Thom Robbins

    [email protected]


    Overview

    The Basics

    Latest IIS Security Issues

    Managing Service Packs and Hotfixes

    Windows 2000 Configuration Best Practices

    IIS 5.0 Configuration Best Practices

    IIS Security-related Tools

    If

    Resources

    Questions


    What is covered?

    Current issues

    Advice and Best Practices

    Configuration information for tightening

    the security of Windows 2000 and IIS

    5.0

    IIS 5.0 Security and Hotfix related tools

    List of resources for further information


    What is not covered

    Firewall and port settings

    Port settings are application-specific and are outside of the

    scope of this workshop

    A list of known ways IIS has been compromised

    Detailed settings for every component such as IPSec,

    Certificates, etc.

    How to completely protect against any possible

    attack

    The hope is to tighten the security enough so that a potential

    attacker fails or gives up and chooses an easier target


    The Basics

    Know your Corporate Security Policy!

    If you don't have one, develop one!!!

    How to react to a break-in? Where are backups stored?

    Who has physical access to the servers?

    Subscribe to the Microsoft Security Notification Service

    http://www.microsoft.com/technet/security/bulletin/notify.asp

    Automatic notification of security issues via e-mail


    Latest IIS Security Bulletins

    MS01-044

    15 August 2001 Cumulative Patch for IIS

    Includes the functionality of all security patches released to date for IIS 5.0

    Includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 5

    Includes fixes for five newly discovered security vulnerabilities affecting IIS 4.0 and 5.0

    See http://www.microsoft.com/security for details


    Latest IIS Security Issues

    Code Red II Worm

    Can be averted by installation of the patch provided in MS01-044

    Removal if already infected:

    The safest way to ensure complete removal is to

    rebuild the server

    The other option is to use the Code Red II Worm

    Removal Tool found on http://www.microsoft.com


    Managing Service Packs and Hotfixes

    Service Packs

    Deploy via SMS Server

    Deploy via Group Policy

    Deploy via logon scripts and .msi packages

    Hotfixes

    HFNetChk Tool

    QChain


    HFNetChk Tool

    Microsoft Network Security Hotfix Checker

    (hfnetchk.exe)

    Brand new! Just released in August 2001

    Command-line tool to check patch status of all machines on the network from a central location

    HFNetChk refers to an XML database

    constantly updated by Microsoft


    HFNetChk Features

    Runs on NT 4.0 or Windows 2000 systems

    Scans local and/or remote systems for patches for the following products:

    Windows NT 4.0

    Windows 2000

    All system services, including Internet Information Server 4.0 and 5.0

    SQL Server 7.0 and 2000 (including Microsoft Data Engine)

    Internet Explorer 5.01 and later


    HFNetChk

    Screenshot


    HFNetChk Features (cont'd)

    Three items evaluated to determine

    installed patches:

    Registry key installed by patch

    File versions

    Checksum for each file installed by patch

    See Knowledge Base article Q303215 for details and download locations


    QChain

    Safely chains hotfixes together, allowing the installation of multiple hotfixes with only one reboot

    Works on both Windows 2000 and Windows NT 4.0

    For Qchain usage and batch file examples see Knowledge Base Article: Q296861: Use Qchain.exe to Install Multiple Hotfixes with Only One Reboot


    Windows 2000 Configuration

    Windows 2000 Configuration Basics

    IUSR_Computername Account

    IWAM_Computername Account

    Security Templates

    IPSec Policies


    Windows 2000 Configuration Basics

    Block all traffic to server before installation takes place

    If possible, install the IIS server in its own domain, and on a member server

    Create a new Inetpub root directory on partition different from the OS

    Use a name other than Inetpub to help counter potential attacks

    Put content for each supported service (WWW, FTP, etc.) on its own partition


    Windows 2000 Configuration Basics (cont'd)

    Leave IP Routing turned off

    Remove all protocol stacks except TCP/IP unless other stacks are needed

    Stop Task Scheduler service if not in use

    Stop FTP service if not in use

    Stop Telnet service if not in use

    If you plan to use Telnet, create a TelnetClients group to restrict users who can access this service

    Deny all TCP traffic except traffic to port 80 using built-in Windows 2000 port filtering


    Windows 2000 Configuration Basics (cont'd)

    Deny access for IUSR_ComputerName and IWAM_ComputerName to dangerous files

    Scrrun.dll
    Xcopy.exe
    Cmd.exe
    Regedit.exe
    Regedt32.exe
    AT.exe
    Cscript.exe
    Regsvr32.exe
    Debug.exe
    Ftp.exe
    Tftp.exe
    Nbtstat.exe
    Net.exe
    Netsh.exe
    Tskill.exe
    Poledit.exe
    Rexec.exe
    Edlin.exe
    Runas.exe
    Runonce.exe
    IISSync.exe
    IISReset.exe
    Wscript.exe
    Telnet.exe
    Rcp.exe


    IUSR_Computername Account

    Default anonymous access impersonation account for IIS

    IUSR_Computername account privileges

    Select User cannot change password

    Select Password Never Expires

    User rights Logon Types differ when using Allow IIS to control Password

    If option is enabled, a network logon (type 3) is performed

    This is a significant security benefit because users cannot gain access to remote network resources

    If option is disabled, a local logon (type 2) is performed

    If anonymous access to the web site is not required, disable the IUSR_Computername account


    IWAM_Computername Account

    Default account used by DLLHost.exe for medium and high isolation web applications

    IWAM_Computername account privileges

    Select User cannot change password

    Select Password Never Expires

    Anonymous access is still performed via IUSR_Computername account


    Security Templates

    Security templates

    Baseline templates for secure websites

    Hisecweb.inf

    Copy the template to the %windir%\security\templates directory

    Open the Security Templates tool, and look over the settings

    Open the Security Configuration And Analysis tool, and load the template

    Right-click the Security Configuration And Analysis tool, and

    choose Analyze Computer Now from the context menu

    Wait for the work to complete

    Review the findings, and update the template as necessary

    When satisfied with the template, right-click the Security

    Configuration And Analysis tool and choose Configure

    Computer Now from the context menu


    IPSec Policies

    Strongly consider setting an IPSec packet-filtering

    policy on every Web server

    Provides an extra level of security if firewalls are

    breached

    Block all TCP/IP protocols other than those you

    explicitly want to support and the ports you want to

    open

    Deploying IPSec Policies

    IPSec Administration tool

    IPSecPol command line tool


    IIS Configuration

    Web-based Permissions

    Set Appropriate ACLs

    Enable Logging

    Disable All Unnecessary Authentication Types

    Set IP Address/DNS Address restrictions

    Executable Content Validated for Trustworthiness

    Update Root CA Certificates at the IIS Server

    Disabling and/or Removing Unneeded Applications, Components, Directories, Script Mappings and WebDAV

    Checking Code

    Disable Parent Path

    Disable IP Address in Content-Location

    Perform Auditing of Key Directories


    Web-based Permissions

    General Access Permissions

    Recommended to leave General Access Permissions other

    than read disabled

    Leave Script Source Access disabled

    Leave Write disabled

    Leave Directory Browsing disabled

    Leave Execute permissions set to none

    Execute Permissions

    Recommend setting on a per-web-site and per-directory

    basis

    If executables (.exe, .dll) are required, use Scripts and Executables setting

    Otherwise, if scripts (.asp) are required, use Scripts setting

    Otherwise, leave Execute Permissions to the setting of None


    Web-based Permissions Screenshot


    Set Appropriate ACLs on Virtual Directories

    Application dependent, but rules of thumb are:

    File Type                                  Access Control Lists
    CGI (.exe, .dll, .cmd, .pl)                Everyone (RX), Administrators (Full Control), System (Full Control)
    Script files (.asp)                        Everyone (RX), Administrators (Full Control), System (Full Control)
    Include files (.inc, .shtm, .shtml)        Everyone (RX), Administrators (Full Control), System (Full Control)
    Static content (.txt, .gif, .jpg, .html)   Everyone (R), Administrators (Full Control), System (Full Control)


    Set Appropriate ACLs on Virtual Directories (cont'd)

    Recommended default ACLs by file type

    Create new directories for each file type

    Set ACLs on the directory

    Allow the ACLs to inherit to the files

    Sample directory structure

    C:\inetpub\wwwroot\myserver\static (.html)

    C:\inetpub\wwwroot\myserver\include (.inc)

    C:\inetpub\wwwroot\myserver\script (.asp)

    C:\inetpub\wwwroot\myserver\executable (.dll)

    C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)


    Set Appropriate ACLs on Virtual Directories (cont'd)

    Two directories need special attention

    C:\inetpub\ftproot (FTP server)

    C:\inetpub\mailroot (SMTP server)

    Set to Everyone (Full Control) by default

    Should be overridden with tighter permissions depending on functionality

    Place folder on different volume than IIS server if you're supporting Everyone (Write) OR use Windows 2000 disk quotas to limit amount of data written to these directories


    Set Appropriate IIS Log File ACLs

    Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:

    Administrators (Full Control)

    System (Full Control)

    Everyone (Read, Write, Change)

    Move and rename the IIS Log Files directory

    This is to help prevent malicious users deleting the files to cover their tracks


    Enable Logging

    Use W3C Extended Logging

    Set the following properties:

    Client IP Address

    User Name

    Method

    HTTP Status

    Win32 Status (Look for error 5, Access Denied)

    Use net helpmsg to decode error number

    User Agent

    And if hosting multiple Web servers on single computer:

    Server IP Address

    Server Port
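
One way to act on the "look for error 5" advice above, as an added example that is not part of the original deck: parse a W3C Extended log using its #Fields directive and report clients with repeated Access Denied results. The log lines are constructed sample data, and the function names and threshold are assumptions.

```javascript
// Constructed sample log. The field names are the W3C Extended names IIS
// writes for the properties listed on the slide.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 5.0",
  "#Version: 1.0",
  "#Date: 2002-04-02 10:15:00",
  "#Fields: time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)",
  "10:15:01 192.0.2.10 - 198.51.100.5 80 GET /default.asp 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)",
  "10:15:07 192.0.2.44 - 198.51.100.5 80 GET /admin/users.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)",
  "10:15:08 192.0.2.44 - 198.51.100.5 80 GET /admin/config.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)",
  "10:15:09 192.0.2.44 - 198.51.100.5 80 POST /admin/upload.asp 403 5 -",
  "10:16:00 192.0.2.10 EXAMPLE\\alice 198.51.100.5 80 GET /reports/q1.asp 401 5 Mozilla/4.0+(compatible;+MSIE+5.5)",
  // A new header block appears whenever the logged fields change.
  "#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status",
  "10:20:00 192.0.2.44 GET /admin/ 403 5",
  "10:20:01 truncated line",
].join("\n");

// Turn log text into records keyed by field name. The column layout is taken
// from the most recent #Fields line, never from a fixed position.
function parseW3C(text) {
  let fields = null;
  let skipped = 0;
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line === "" || line.startsWith("#")) continue;
    const cols = line.split(" ");
    // A row that does not match the current layout is counted, not guessed at.
    if (!fields || cols.length !== fields.length) { skipped++; continue; }
    const rec = {};
    fields.forEach((name, i) => { rec[name] = cols[i]; });
    records.push(rec);
  }
  return { records, skipped };
}

// Group Win32 status 5 (Access Denied) by client IP and keep the clients
// that reach the threshold, busiest first.
function accessDeniedByClient(records, threshold) {
  const byIp = new Map();
  for (const r of records) {
    if (r["sc-win32-status"] !== "5") continue;
    const ip = r["c-ip"] || "unknown";
    const entry = byIp.get(ip) || { ip, count: 0, uris: [] };
    entry.count++;
    if (r["cs-uri-stem"]) entry.uris.push(r["cs-uri-stem"]);
    byIp.set(ip, entry);
  }
  return [...byIp.values()]
    .filter((e) => e.count >= threshold)
    .sort((a, b) => b.count - a.count);
}
```

If Win32 Status is not among the logged properties, `sc-win32-status` is absent from every record and the report is empty, which is why the slide asks for that property to be enabled.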


    W3C Extended Logging

    Extended Properties Screenshot


    Disable Unnecessary Authentication Types

    Anonymous

    Default authentication method

    Basic

    Should only be used with SSL

    Digest

    Requires storing passwords in clear text on the domain controller

    Integrated

    Either NT Challenge Response or Kerberos as negotiated by the browser

    Inconsistent behavior through proxy servers


    Set IP Address/DNS Address Restrictions

    One option to restrict your web sites to certain users

    Not a common option

    Requires IIS to do a DNS lookup, significantly impacting performance


    IP Address/DNS Address

    Restrictions Screenshot


    Executable Content Validated for Trustworthiness

    Determine whether executable content can be trusted

    Use DumpBin tool to see whether executable calls certain APIs

    Example:

    To see whether a file named MyISAPI.dll calls RevertToSelf:

        dumpbin /imports MyISAPI.dll | find "RevertToSelf"

    If no results appear, MyISAPI.dll does not call RevertToSelf directly

    It might call the API through LoadLibrary, in which case you could search for RevertToSelf calls in all imported libraries as well

    Please refer to KB article: Q177429 for more info on reading DumpBin output


    Update Root CA Certificates at the IIS Server

    Add any new root CA certificates you trust (such as new root CA certificates created with Microsoft Certificate Services 2.0)

    Remove all root CA certificates you don't trust

    If you don't know the name of the company that issued the root certificate, do not trust them!


    Update Root CA Certificates at the IIS Server (cont'd)

    All root CA certificates used by IIS reside in the computer's machine store

    They can be managed using the Certificates MMC Snap-in

    Do not remove Microsoft or VeriSign roots

    They are used extensively by the OS


    Disable or Remove All Sample Applications

    Samples should never be installed on a production server

    Default locations for some of the samples:

    Sample              Virtual Directory   Location
    IIS Samples         \IISSamples         c:\inetpub\iissamples
    IIS Documentation   \IISHelp            c:\winnt\help\iishelp
    Data Access         \MSADC              c:\program files\common files\system\msadc


    Disable WebDAV

    Enabled by default

    Allows for remote file management via HTTP

    To disable: Q241520 How to Disable WebDAV for IIS 5.0


    Disable or Remove Unneeded COM Components

    Remove unused COM components

    If not in use, consider disabling the File System Object component

    This also removes the Dictionary Object

    Site Server 3.0 uses the File System Object component


    Remove the IISADMPWD Virtual Directory

    Remove the IISADMPWD Virtual Directory if it exists

    Allows you to reset Windows NT and Windows 2000 passwords

    Designed for intranet-only scenarios

    Isn't installed by default install of IIS 5, but is not removed when upgrading an IIS 4 server to IIS 5


    Remove Unused Script

    Mappings

    When IIS receives a request for a preconfigured filetype, the call is handled by a DLL

    If the filetype or functionality isn't required, remove the mapping using the Internet Services Manager MMC

    Remove this entry:        If you don't use...
    .htr                      Web-based password reset
    .idc                      Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology)
    .stm, .shtm and .shtml    Server-side Includes
    .printer                  Internet Printing
    .htw, .ida and .idq       Index Server


    Remove Unused Script Mappings (cont'd)

    Internet Printing can be configured by group policy as well

    Group policy settings take precedence

    Unless there is a mission-critical reason to use .htr functionality, remove the .htr extension


    Check and Querystring

    Input in Your ASP Code

    Many sites use user input to call other code or build SQL statements directly

    There are attacks where user input is treated incorrectly as valid input allowing unintended access

    You should always check each input and query string before passing it on to another process or method call that might use an external resource such as the file system or a database.


    Check and Querystring

    Input in Your ASP Code (cont'd)

    You can perform text checking with JScript V5 and VBScript V5 regular expression capabilities. This example will strip a string of all invalid characters (characters that are not 0-9a-zA-Z or _):

        Set reg = New RegExp
        reg.Global = True    ' Replace every match, not only the first one
        reg.Pattern = "\W+"  ' One or more characters which
                             ' are NOT 0-9a-zA-Z or '_'
        strUnTainted = reg.Replace(strTainted, "")

    This example will strip all text after a | operator:

        Set reg = New RegExp
        reg.Pattern = "^([^|]*)\|.*"  ' Any character from the start of
                                      ' the string to the first | character.
        strUnTainted = reg.Replace(strTainted, "$1")

    Also, be careful when using Scripting File System Object. If the filename is based on the user's input, the user might attempt to open a serial port or printer. The following JScript code will strip out invalid filenames:

        var strOut = strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
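
The filename check described above, written as a reject-on-mismatch validator next to the slide's stripping pattern; this is an added example, not code from the original deck. It goes beyond the slide by also covering CON, device names followed by an extension, and the .. sequence. The function names and the 64-character limit are assumptions.

```javascript
// The slide's pattern, wrapped in a function for comparison: it removes a
// device name only when it is the last thing in the string.
function stripDeviceNameAsOnSlide(strIn) {
  return strIn.replace(/(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/i, "");
}

// Hypothetical policy values for this example.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])$/i;
const ALLOWED_NAME = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/;

// Validate a user-supplied file name before it reaches the file system.
// Returns { ok: true, name } or { ok: false, reason }. Rejecting the whole
// value avoids handing a half-cleaned string to the File System Object.
function checkFileName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };

  // Windows drops trailing dots and spaces when it opens a file, so
  // "AUX." and "AUX " name the same device as "AUX".
  const name = raw.replace(/[. ]+$/, "");
  if (name.length === 0) return { ok: false, reason: "empty name" };

  // Allow-list: rejects |, /, \, :, spaces and anything else not listed.
  if (!ALLOWED_NAME.test(name)) {
    return { ok: false, reason: "character outside allow-list" };
  }

  // ".." is the sequence that Parent Paths lets a script resolve upward.
  if (name.includes("..")) return { ok: false, reason: "parent path sequence" };

  // A device name followed by an extension still opens the device.
  const base = name.split(".")[0];
  if (RESERVED_DEVICE.test(base)) {
    return { ok: false, reason: "reserved device name" };
  }

  return { ok: true, name };
}
```

`stripDeviceNameAsOnSlide("NUL.txt")` returns the input unchanged, while `checkFileName("NUL.txt")` rejects it.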


    Disable Parent Paths

    Parent Paths allows use of .. in calls to functions such as MapPath

    Enabled by default

    Recommend to disable this

    Select Properties of Web site root

    Select Home Directory, Configuration

    Open App Options tab

    Uncheck Enable Parent Paths check box


    Disable IP Address in Content-Location

    Content-Location header can expose IP addresses hidden by a NAT firewall or proxy

    Recommend to disable this

    Refer to Knowledge Base article Q218180 for further information


    Perform Auditing of the File system

    Audit important application and system directories for changes such as

    Traverse Folder / Execute File = Failure

    List Folder / Read Data = Failure

    Create Files / Write Data = Success / Failure

    Create Folders / Append Data = Success / Failure

    Delete Subfolders and Files = Success / Failure

    Delete = Success / Failure

    Change Permissions = Success / Failure

    This audit policy should be applied to the IUSR and IWAM accounts on the following directories

    \winnt

    \inetpub


    IIS Tools

    Security What If Tool

    Security Configuration Tool

    Lockdown Tool

    URLScan


    IIS Security What If Tool

    Simple HTML tool

    Helps determine what browsers, platforms, authentication schemes, and server configurations allow access to a remote resource


    IIS Security

    What If Tool

    Screenshot


    IIS Security Configuration Tool

    Automates creation and deployment of security policies

    Two phases: questions phase and deployment phase

    Questions phase

    HTML-based questionnaire

    Produces a file with a default name of IISTemplate.txt describing the policy


    IIS Security Configuration Tool

    Questionnaire Screenshot


    IIS Security Configuration Tool (cont'd)

    Deployment phase

    Use the IISConfig command line tool to deploy the IISTemplate.txt file

    Usage: IISConfig [-s server] [-f configfile] [-n] [-d] [-? | -h]

    Where:

    [-s server]       is the server name (DNS or NetBIOS; IP address is not supported)
    [-f configfile]   is the configuration file name
    [-n]              configures port lockdown, services and IIS script maps only. Does not use SCE hisecweb.inf
    [-d]              display debug output as tool executes
    [-?]              display help


    IIS Security Configuration Tool (cont'd)

    Subdirectories

    DataEntry directory

    Where you enter your security policy

    Engine directory

    Where script files used to deploy policy are stored

    More information

    Read the ReadMe.txt file for more information and known issues


    IIS Lockdown Tool

    GUI wizard for automating lockdown settings

    Two Modes:

    Express Lockdown

    Provides maximum security

    Appropriate for basic web servers

    Advanced Lockdown

    Allows selection of features

    Use only if Express Lockdown settings are not appropriate

    Use only if you understand the ramifications of enabling the features


    IIS Lockdown Tool (cont'd)

    Advanced Lockdown Settings

    Remove Script Mappings

    Disable support for Active Server Pages (.asp)

    Disable support for Index Server Web Interface (.idq, .htw, .ida)

    Disable support for Server Side Includes (.shtml, .shtm, .stm)

    Disable support for Internet Data Connector (.idc)

    Disable support for Internet Printing (.printer)

    Disable support for .HTR scripting (.htr)


    IIS Lockdown Tool (cont'd)

    Advanced Lockdown Settings (cont'd)

    Additional Lockdown Actions

    Remove sample web files

    Remove the Scripts virtual directory

    Remove the MSADC virtual directory

    Disable Distributed Authoring and Versioning (WebDAV)

    Set file permissions to prevent the IIS anonymous user from executing system utilities (such as cmd.exe, tftp.exe)

    Set file permissions to prevent the IIS anonymous user from writing to content directories


    IIS Lockdown Tool

    Advanced Lockdown Settings

    Screenshots


    URLScan ISAPI Filter

    Analyze and screen HTTP request

    Reduces exposure to potential attacks

    Allows configuration of IIS to reject requests based on the following criteria:

    The request method (verb)

    The file extension of the resource requested

    Suspicious URL encoding

    Presence of non ASCII characters in the URL

    Presence of particular character sequences in the URL

    Presence of particular headers in the request

    Also provides the option of deleting or altering the Server: header in the response
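
A small model of the screening criteria listed above, added here to show how each one turns into a check; it is not UrlScan's code and not part of the original deck. The policy values, function names and sample requests are assumptions made for the example.

```javascript
// Hypothetical policy, one entry per criterion on the slide.
const POLICY = {
  allowVerbs: ["GET", "HEAD", "POST"],
  denyExtensions: [".exe", ".cmd", ".htr", ".idc", ".ida", ".idq", ".htw", ".printer"],
  denyUrlSequences: ["..", "./", "\\", ":", "%", "&"],
  denyHeaders: ["translate", "if", "lock-token"], // WebDAV request headers
  removeServerHeader: true,
};

// Decode %XX escapes exactly once, byte for byte.
function decodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (m, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

function deny(reason) {
  return { allowed: false, reason };
}

// Screen one request object { method, url, headers } against the policy.
function screenRequest(req, policy = POLICY) {
  // The request method (verb)
  if (!policy.allowVerbs.includes(req.method)) {
    return deny("verb not allowed: " + req.method);
  }

  const path = req.url.split("?")[0];
  const once = decodeOnce(path);

  // Suspicious URL encoding: a second decoding pass must change nothing,
  // otherwise a later component could see a different URL than was checked.
  if (decodeOnce(once) !== once) return deny("URL is encoded more than once");

  // Non ASCII characters in the URL
  if (/[^\x00-\x7f]/.test(once)) return deny("non-ASCII character in URL");

  // Particular character sequences in the URL
  for (const seq of policy.denyUrlSequences) {
    if (once.includes(seq)) return deny("URL contains sequence: " + seq);
  }

  // File extension of the resource requested (checked after decoding)
  const file = once.slice(once.lastIndexOf("/") + 1);
  const dot = file.lastIndexOf(".");
  const ext = dot === -1 ? "" : file.slice(dot).toLowerCase();
  if (policy.denyExtensions.includes(ext)) {
    return deny("extension not allowed: " + ext);
  }

  // Particular headers in the request
  for (const name of Object.keys(req.headers || {})) {
    if (policy.denyHeaders.includes(name.toLowerCase())) {
      return deny("header not allowed: " + name);
    }
  }
  return { allowed: true };
}

// Optional removal of the Server: header from a response.
function filterResponseHeaders(headers, policy = POLICY) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (policy.removeServerHeader && name.toLowerCase() === "server") continue;
    out[name] = value;
  }
  return out;
}
```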


    URLScan Configuration

    UrlScan's operation is controlled by the UrlScan.ini file

    UrlScan.ini should reside in the same directory as UrlScan.dll

    Note that UrlScan only reads the ini file at initialization time (for performance reasons)

    It is necessary to stop and start the web service before any changes to this file will be effective

    Also note that the default options built into UrlScan.dll will result in a configuration that will reject all requests to the server.

    It is necessary to provide a UrlScan.ini file for UrlScan to pass requests to be served

    A sample UrlScan.ini file is provided that contains the recommended settings to defend against known attacks against IIS servers at the time of writing

    URLScan.ini Screenshot


    URLScan Logging

    If a request is denied, the following will be logged

    Reason for the denial

    Information about the request

    Typically, the URL and IP address of the source of the request


    URLScan Logfile Screenshot


    If You Got Hacked

    Have an Incident Response Plan

    Remove machines from the net

    Find out how the hacker did it

    Perform a low-level format

    Examine connected computers


    Resources

    Microsoft's Security homepage

    http://www.microsoft.com/security

    Secure Internet Information Services 5 Checklist

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

    Subscribe to the Microsoft Security Notification Service

    http://www.microsoft.com/technet/security/bulletin/notify.asp

    Automatic notification of security issues via e-mail


    More Resources

    National Security Agency's Windows 2000 Security Recommendation Guidelines

    http://nsa2.www.conxion.com/win2k/download.htm

    SANS Institute

    Worldwide institute for Security focused information and training

    http://www.sans.org

    http://www.sans.org/infosecFAQ/win2000/win2000_list.htm


    Even More Resources

    SecurityFocus

    Website dedicated to providing computer security related information

    http://www.securityfocus.com

    NTBugTraq

    Mailing list for the discussion of security exploits and security bugs in Windows NT and its related applications

    http://www.ntbugtraq.com

    Neohapsis

    Security consulting firm who provide news and commentary on the latest security issues

    http://www.neohapsis.com


    Questions

    [email protected]