INTERNET INFORMATION SERVICES 6.0 SECURITY


IIS 6.0 SECURITY ARCHITECTURE
It’s a Whole New World
Michael Muckin
Security Architect
Microsoft Consulting Services
Agenda
Setting the Stage
IIS 6.0 Security design
ASP.NET Security Config
Scanning & Tools
Hardening IIS 6.0
Demos throughout
Setting the Stage
No news that IIS is a primary target
What is this “Security Push” and Trustworthy Computing?
IIS 6.0 should be tangible evidence of these initiatives
Vulnerability Trends
[Figure: vulnerability trend chart. Vertical axis (layers): Application, OS, Network, Physical. Horizontal axis (tiers): Browser, Web Server, Logic/Web Svcs, Data. Trend labels: Increasing; Decreasing – Leveling out.]
IIS 6.0 Security Design
Product quality
Improve design, coding, and testing practices
Fewer vulnerabilities out of the box
Security conscious architecture
Reduced attack surface
Defense in depth
Limit the possible damage should new vulnerabilities be discovered
Always up-to-date
Make it practical to keep systems up-to-date with the latest software patches
Product Quality
Security stand-down
Development practices
/GS
Prefix/Prefast runs
Single String Class
QFE and IIS core team merged
Code review for every change
External reviews keep us honest
Removed legacy code
Security design review for every feature
Extensive test infrastructure
External tools
Internal tools
IIS tools
Buffer overflow scanner
Cross-site scripting
Fault injection in regular test runs
Reduced Attack Surface
Windows Server 2003 disables 20+ Services
IIS is not installed on Windows Server 2003
If you install IIS…
IIS components                  IIS 5.0 clean install   IIS 6.0 clean install
Static file support             enabled                 enabled
ASP                             enabled                 disabled
Server-side includes            enabled                 disabled
Internet Data Connector         enabled                 disabled
WebDAV                          enabled                 disabled
Index Server ISAPI              enabled                 disabled
Internet Printing ISAPI         enabled                 disabled
CGI                             enabled                 disabled
Frontpage Server Extensions     enabled                 disabled
Password Change Functionality   enabled                 disabled
SMTP                            enabled                 disabled
FTP                             enabled                 disabled
ASP.NET                         X                       disabled
BITS                            X                       disabled
Vulnerability Distribution
[Figure: distribution of past vulnerabilities across web server components ("Web-Server only"), plotted by severity.]
Web Server Components
IIS Core
ASP
Server-side includes (SSINC.DLL)
Internet Data Connector (HTTPODBC.DLL)
WebDAV (HTTPEXT.DLL)
Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
Internet Printing ISAPI (MSW3PRT.DLL)
Frontpage Server Extensions (div.)
Password Change Functionality (ISM.DLL)
Defense In Depth
Buffer overflows
New Low Privilege accts: Network Service (default) and Local Service
Default Privileges:
SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
…vs. the LocalSystem account – which has almost every system Privilege (21 total)
Defense In Depth
Canonicalization issues
Rigorous and restrictive parsing
Default handler is restricted to a list of known extensions
Denial-of-service attacks
Fault-tolerant infrastructure
Limits
Cross-site scripting issues
ASP.NET data validation controls
Executing command-line scripts
Secure defaults: don’t allow anonymous account to execute *.exe’s
Site defacements
No write access for anonymous account in home dir
Secure By Default
Secure Defaults I
No executable VDirs (/SCRIPTS and /MSADC)
Secure timeouts and limits
16k request limit
Old legacy code removed
ISM.DLL/.HTR
Sub-authentication
Known extensions
Check if file exists
Secure By Default
Secure Defaults II
Strong ACLs on
Logfiles
Custom error directory
On cache directories
Persistent ASP template cache
Compression cache
IE Shipped in Hardened State on all Servers
Admin must add Zones/settings as desired
ASP
ASPEnableParentPath = FALSE
Hang detection
4MB response buffer limit
Internal health detection
Secure By Default
Secure Defaults III
Restrictive URL Canonicalization
Hostname and URL rules
A raw byte must be URL_TOKEN, per RFC 2396 and 2732
Alphanumeric: A..Z a..z 0..9
Hex-Escaped: %xx or %uNNNN
Mark: - _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ , [ ]
Unwise: { } | \ ^ `
But Not: 0x00-0x1F 0x7F " # < >
NTFS canonicalization
\\?\
Streams outlawed
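An added example (not code from the deck or from IIS) that applies the raw-byte URL_TOKEN rules listed on the slide to a request URL and rejects anything outside them, the way a restrictive parser does before any decoding takes place. The inputs in the comments are constructed.

```python
# Classes taken from the slide (RFC 2396/2732). '%' is accepted only as the
# start of a complete %xx or %uNNNN escape; the decoded bytes would be
# re-checked by a later canonicalization step (not modelled here).
ALPHANUM = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
MARK = b"-_.!~*'()"
RESERVED = b";/?:@&=+$,[]"
UNWISE = b"{}|\\^`"
FORBIDDEN = bytes(range(0x00, 0x20)) + b"\x7f\"#<>"
HEX = b"0123456789abcdefABCDEF"


def _is_hex(seg: bytes, length: int) -> bool:
    return len(seg) == length and all(c in HEX for c in seg)


def check_url_tokens(raw: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Every raw byte must belong to one of the
    slide's token classes; a single bad byte rejects the whole URL."""
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in FORBIDDEN:
            return False, f"forbidden byte 0x{b:02X} at offset {i}"
        if b >= 0x80:
            return False, f"non-ASCII byte 0x{b:02X} at offset {i}"
        if b == 0x25:  # '%' must introduce a complete hex escape
            if raw[i + 1:i + 2] == b"u" and _is_hex(raw[i + 2:i + 6], 4):
                i += 6
                continue
            if _is_hex(raw[i + 1:i + 3], 2):
                i += 3
                continue
            return False, f"malformed escape at offset {i}"
        if b not in ALPHANUM + MARK + RESERVED + UNWISE:
            # e.g. a space (0x20): not forbidden, but not a token either
            return False, f"byte 0x{b:02X} ({chr(b)!r}) is not a URL token"
        i += 1
    return True, "ok"


if __name__ == "__main__":
    for url in (b"/default.asp?id=%41", b"/a b", b"/<script>", b"/x%4"):
        print(url, check_url_tokens(url))
```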
Security Conscious
Architecture
Compartmentalization
Third-Party code runs only in Worker Processes
Powerful sandboxing
HTTP pre-request logging
Rearchitecting IIS
A review of IIS5
[Figure: IIS 5 process model. In user mode, INETINFO.EXE hosts the ISAPI filters and extensions and the Metabase; out-of-process applications run in DLLHost.EXE instances, each hosting ISAPI extensions. Below the user/kernel boundary sit WinSock 2.0 and TCP/IP.]
IIS 6.0 Request Processing
[Figure: IIS 6.0 request processing. Kernel mode: HTTP.SYS, with its request queue and cache, receives the HTTP request and sends the response. User mode: Inetinfo (hosting FTP, NNTP, SMTP, …), the WWW Service (administration & monitoring) with the XML Metabase, and the Application Pools.]
Rearchitecting IIS
A New Architecture for IIS6
GOAL: prevent apps from affecting system health
Web service in INETINFO split out to do this:
HTTP.SYS: kernel mode listener and request router
WAS: config and process manager
W3 Core: where apps get loaded
[Figure: WAS and multiple W3 Cores (each hosting a web app) in user mode, above HTTP.SYS in the kernel.]
Rearchitecting IIS
HTTP.SYS
What is it?
Kernel-mode HTTP stack/listener
Always running
Reliability Features
Process routing based on URL
Request queues: kernel-mode queuing
Performance Features
Kernel-mode response cache
Text-based and binary logging
Rearchitecting IIS
HTTP.SYS
[Figure: inside HTTP.SYS. Components shown: TCP/IP, Listener, HTTP Parser, HTTP Engine, Namespace Mapper, several Request Queues exposed through the HTTP.SYS API, Response Cache, and Send Response; a REQUEST enters from TCP/IP.]
Rearchitecting IIS
Web Admin Service (WAS)
Application Manager
Manages lifetime of W3 Core(s)
Configuration Manager
Configures HTTP.SYS
No application code
Ensures reliability
Easier to identify problems
Hosted in SVCHOST.exe
Rearchitecting IIS
W3 Core
What is it?
Main web processing DLL responsible for processing web requests
Mini-web server
Contains all web request processing functionality
Loads ISAPI’s – filters and extensions
Separates request processing from rest of web server
Application Pools
Application Isolation in Processes
Can create 1 or more application pools
Each served by 1 or more processes.
Each worker process serves only 1 pool.
Reqs routed directly to pool by HTTP.sys
Isolate apps based on:
Site/Customer
Functionality
Reliability
Application Pooling
Configurable Worker Process ID
Worker process can be started as:
Network Service (default)
Local System
Local Service
Configured ID
Recycling
What is it and Why use it?
What is it?
Periodically restart applications based on:
Uptime
# of requests
Scheduled time
Memory consumption
On-demand
Why use it?
Refresh apps to ensure availability
Prevent bad apps from taking over the system
Recycling
Overlapping Recycle
[Figure: overlapping recycle. On Recycle, WAS starts up a new worker process (web processing core DLL, ISAPI extensions & filters) alongside the old one; once the new process signals ready, HTTP.SYS routes requests to it and the old worker process is marked ready for shut down. The user/kernel boundary separates the worker processes from HTTP.SYS.]
Countering DoS
ISAPI Interaction – REPORT_UNHEALTHY
HSE_REQ_REPORT_UNHEALTHY
Goal: allow an ISAPI to report to IIS that it needs to be recycled.
// Tell IIS this worker process is unhealthy; WAS can then recycle it.
// psz_reason_unhealthy is an optional LPSTR reason that IIS logs.
BOOL bResult = pECB->ServerSupportFunction(
    pECB->ConnID,
    HSE_REQ_REPORT_UNHEALTHY,
    psz_reason_unhealthy,
    NULL,
    NULL
);
ASP Hang Detection
Used to detect when ASP threads block in components
Health Detection
Crash Detection & Rapid Fail Protection
WAS detects process crash/AV’s
On failure:
Publish event to event log
Check “crash count”
If (Crash count > Max Crashes in time limit) then disable app pool, else start new process
Rapid Fail Protection
Only allow x crashes in y minutes
Return 503’s when invoked
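The crash-count decision and rapid fail protection described above, as an added example that is not WAS's own code: a sliding window of worker-process crash times per application pool. The limits (5 crashes in 5 minutes) are constructed sample values, not taken from the deck.

```python
from collections import deque


class RapidFailProtection:
    """Models one application pool's crash accounting as the slide describes:
    publish an event, count crashes inside the time limit, and either start a
    new worker process or disable the pool (after which HTTP.SYS answers 503)."""

    def __init__(self, max_crashes: int = 5, window_minutes: int = 5):
        self.max_crashes = max_crashes
        self.window_secs = window_minutes * 60
        self.crash_times = deque()   # crash timestamps still inside the window
        self.disabled = False
        self.event_log = []          # what WAS would publish to the event log

    def on_worker_crash(self, now: float) -> str:
        """Called when the process manager sees a crash/AV in a worker.
        Returns the action taken."""
        if self.disabled:
            return "pool already disabled"
        self.event_log.append(f"t={now:.0f}: worker process crashed")
        self.crash_times.append(now)
        # Forget crashes older than the time limit before comparing the count.
        while self.crash_times and now - self.crash_times[0] > self.window_secs:
            self.crash_times.popleft()
        if len(self.crash_times) > self.max_crashes:
            self.disabled = True
            self.event_log.append(f"t={now:.0f}: rapid fail protection disabled the pool")
            return "disable app pool"
        return "start new process"

    def status_for_request(self) -> int:
        """HTTP status returned for this pool's URLs while it is (not) disabled."""
        return 503 if self.disabled else 200


if __name__ == "__main__":
    pool = RapidFailProtection()
    for t in (0, 10, 20, 30, 40, 50):          # six crashes within one minute
        print(t, pool.on_worker_crash(t), pool.status_for_request())
```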
ASP.NET Secure Config
ASP.NET Security Layers
Configuring ASP.NET Security
Server-side Input Validation
ASP.NET Security Layers
IIS
Authentication
URLScan (not specific to ASP.NET)
Static file ACLs
ASP.NET
Web Service Extensions
Authorization by Role and URL
File access by ASP mapped extensions
ASP.NET Accounts
When ASP.NET is enabled – a new account is created: “ASPNET” – and a new Group “IIS_WPG”
Configurable in IIS Service Manager MMC
For multiple Pools requiring complete isolation:
Create low-priv accounts for each Pool
Add to IIS_WPG group
Config each Pool with appropriate Identity
Both ASPNET and the IUSR_xxxx accounts need Read and Execute (ntfs) access to ASP.NET files (.aspx, .asmx, etc.)
Careful of “code-behind” files that are being accessed – set ACLs appropriately – (aspx.cs, aspx.vb)
ASP.NET Config Files
Understanding the “.Config” files
XML files with Web and App settings
ACL these files tightly
Remove “Users” and “Power Users”
Hierarchical application of security settings
Machine.config
Web.config (For all ASP.NET apps)
App1 -> Web.config (Individual App settings)
Resultant = inherited settings
Settings:
AuthN, AuthZ by Users, Roles (Domain and Forms)
HTTP Verbs Allowed/Disallowed
URLs
File access
Don’t put Connection Strings or User/Pwds in here !!
Users and Roles
Web.config – <system.web> tag:
<authorization>
<allow users="Sue, Joe"/>
<deny users="?"/>
</authorization>
----------------------------------
<authorization>
<allow verbs="HEAD, GET, POST" roles="Administrators"/>
<allow verbs="HEAD, GET, POST" roles="Users"/>
<deny users="?"/>
</authorization>
Note: “?” = all unauthenticated users
More Granular Control
Web.config – <location> tag:
<location path="ListUsers.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="AdminLogin.aspx" protection="All"/>
</authentication>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Note: “*” = all users; HTTP Verbs can also be specified within the <location> tag
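An added example (not ASP.NET's implementation) that evaluates the two rule sets from the slides above the way the notes describe them: rules are tried in order, the first match decides, "?" is the anonymous user and "*" is everyone. The `default` parameter is an assumption standing in for the inherited machine-level allow-all rule that applies when nothing in the local <authorization> matches.

```python
import xml.etree.ElementTree as ET

# Rule sets copied from the two slides.
SITE_RULES = ET.fromstring("""<authorization>
  <allow verbs="HEAD, GET, POST" roles="Administrators"/>
  <allow verbs="HEAD, GET, POST" roles="Users"/>
  <deny users="?"/>
</authorization>""")

ADMIN_PAGE_RULES = ET.fromstring("""<authorization>
  <allow users="admin"/>
  <deny users="*"/>
</authorization>""")


def _names(attr):
    """Split a comma-separated attribute into lower-cased names."""
    return {s.strip().lower() for s in (attr or "").split(",") if s.strip()}


def is_allowed(rules, user, roles, verb, default=True):
    """user=None means anonymous. Returns True if the request is allowed.
    `default` models the inherited <allow users="*"/> applied when no local
    rule matches (assumption about the inherited config, not from the deck)."""
    roles = {r.lower() for r in roles}
    for rule in rules:
        verbs = _names(rule.get("verbs"))
        if verbs and verb.lower() not in verbs:
            continue                        # rule is scoped to other verbs
        users = _names(rule.get("users"))
        anon = user is None
        matched = ("*" in users
                   or ("?" in users and anon)
                   or (not anon and user.lower() in users)
                   or bool(roles & _names(rule.get("roles"))))
        if matched:
            return rule.tag == "allow"
    return default


if __name__ == "__main__":
    print(is_allowed(SITE_RULES, "sue", ["Users"], "GET"))      # True
    print(is_allowed(SITE_RULES, None, [], "GET"))              # False
    # A verb the allow rules do not list is not denied for a logged-in
    # user: only "?" is denied, so the inherited default decides.
    print(is_allowed(SITE_RULES, "bob", ["Users"], "DELETE"))   # True
    print(is_allowed(ADMIN_PAGE_RULES, "guest", ["Users"], "GET"))  # False
```

The DELETE case is the caveat worth checking in your own config: a trailing <deny users="*"/> (as in the <location> example) closes that gap, while <deny users="?"/> alone does not.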
ASP.NET Server-side Validation
C# Example (1) – The Control
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<html>
<head>
<script runat="server">
void ValidateBtn_OnClick(object sender, EventArgs e)
{
    if (Page.IsValid)
    {
        lblOutput.Text = "Page is valid.";
    }
    else
    {
        lblOutput.Text = "Page is not valid!";
    }
}
void ServerValidation(object source, ServerValidateEventArgs args)
{
    try
    {
        Regex r = new Regex(@"^\d{4}$"); // Digits only – exactly 4
        // Validate the submitted text (args.Value), not the event-args object
        if (!r.Match(args.Value).Success)
            throw new Exception("Invalid ID");
    }
    … <snip> …
</script>
</head>
ASP.NET Server-side Validation
C# Example (2) – Hooking the Control
<form runat="server">
<h3>My CustomValidator Example</h3>
<asp:Label id="lblOutput" runat="server"
Text="Part Number:"
Font-Name="Tahoma" Font-Size="10pt" /><br>
<p>
<asp:TextBox id="Text1" runat="server" />
&nbsp;&nbsp;
<asp:CustomValidator id="CustomValidator1"
ControlToValidate="Text1"
OnServerValidate="ServerValidation"
Display="Static"
ErrorMessage="Part Number entered is wrong!"
ForeColor="green"
Font-Name="Tahoma" Font-Size="10pt" runat="server"/>
<p>
<asp:Button id="Button1" Text="Validate"
OnClick="ValidateBtn_OnClick" runat="server"/>
</form>
Scanning an IIS 6 Default Box
Scanning an ASP.NET enabled Box
Log Parser
IISLockDown/URLScan
Web Extensions
Summary
Completely new Architecture
Kernel mode request handling
Complete Application Isolation
Secure Defaults
At the Code Level
Deployment – Default IIS box is only a static web server – Admin must turn on what is needed
IIS/ASP.NET focus on App-layer security
Web Service Extensions
URLScan
ASP.Net .config files
Server-side Controls
> 10,000 sites already live on IIS 6.0
microsoft.com running production since RC1
Questions ???