IIS 6.0 Security Architecture: It's a Whole New World
Michael Muckin, Security Architect, Microsoft Consulting Services
Agenda
- Setting the Stage
- IIS 6.0 Security design
- ASP.NET Security Config
- Scanning & Tools
- Hardening IIS 6.0
- Demos throughout
Setting the Stage
- No news that IIS is a primary target
- What is this "Security Push" and Trustworthy Computing?
- IIS 6.0 should be tangible evidence of these initiatives
Vulnerability Trends
[Figure: vulnerability trends by layer. Layers shown: Physical, Network, OS, Application, Data; tiers shown: Browser, Logic/Web Svcs, Web Server; axis labels: Vertical, Horizontal; trend annotations: "Decreasing – Leveling out" and "Increasing".]
IIS 6.0 Security Design
- Product quality
  - Improve design, coding, and testing practices
  - Fewer vulnerabilities out of the box
- Security conscious architecture
  - Reduced attack surface
  - Defense in depth
  - Limit the possible damage should new vulnerabilities be discovered
- Always up-to-date
  - Make it practical to keep systems up-to-date with the latest software patches
Product Quality
- Security stand-down
- Development practices
  - /GS
  - Prefix/Prefast runs
  - Single String Class
  - QFE and IIS core team merged
  - Code review for every change
  - External reviews keep us honest
  - Removed legacy code
  - Security design review for every feature
- Extensive test infrastructure
  - External tools
  - Internal tools
  - IIS tools
  - Buffer overflow scanner
  - Cross-site scripting
  - Fault injection in regular test runs
Reduced Attack Surface
- Windows Server 2003 disables 20+ services
- IIS is not installed on Windows Server 2003
- If you install IIS...

IIS component                  IIS 5.0 clean install   IIS 6.0 clean install
Static file support            enabled                 enabled
ASP                            enabled                 disabled
Server-side includes           enabled                 disabled
Internet Data Connector        enabled                 disabled
WebDAV                         enabled                 disabled
Index Server ISAPI             enabled                 disabled
Internet Printing ISAPI        enabled                 disabled
CGI                            enabled                 disabled
FrontPage Server Extensions    enabled                 disabled
Password Change Functionality  enabled                 disabled
SMTP                           enabled                 disabled
FTP                            enabled                 disabled
ASP.NET                        X                       disabled
BITS                           X                       disabled
(X: not part of IIS 5.0)
Vulnerability Distribution (Web Server only)
[Chart: vulnerabilities by web server component and severity. Components charted: IIS Core; ASP; Server-side includes (SSINC.DLL); Internet Data Connector (HTTPODBC.DLL); WebDAV (HTTPEXT.DLL); Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL); Internet Printing ISAPI (MSW3PRT.DLL); FrontPage Server Extensions (div.); Password Change Functionality (ISM.DLL). The chart values are not recoverable from this text.]
Defense In Depth: Buffer overflows
- New low-privilege accounts: Network Service (default) and Local Service
- Default privileges:
  - SeAssignPrimaryTokenPrivilege
  - SeSecurityPrivilege
  - SeSystemtimePrivilege
  - SeAuditPrivilege
  - SeChangeNotifyPrivilege
  - SeUndockPrivilege
- ...vs. the LocalSystem account, which has almost every system privilege (21 total)
Defense In Depth
- Canonicalization issues
  - Rigorous and restrictive parsing
  - Default handler is restricted to a list of known extensions
- Denial-of-service attacks
  - Fault-tolerant infrastructure
  - Limits
- Cross-site scripting issues
  - ASP.NET data validation controls
- Executing command-line scripts
  - Secure defaults: don't allow the anonymous account to execute *.exe's
- Site defacements
  - No write access for the anonymous account in the home directory
Secure By Default: Secure Defaults I
- No executable VDirs (/SCRIPTS and /MSADC)
- Secure timeouts and limits (16k request limit)
- Old legacy code removed (ISM.DLL/.HTR, sub-authentication)
- Known extensions: check if file exists
Secure By Default: Secure Defaults II
- Strong ACLs on:
  - Logfiles
  - Custom error directory
  - Cache directories (persistent ASP template cache, compression cache)
- IE shipped in hardened state on all servers; admin must add zones/settings as desired
- ASP
  - ASPEnableParentPath = FALSE
  - Hang detection
  - 4MB response buffer limit
  - Internal health detection
Secure By Default: Secure Defaults III
- Restrictive URL canonicalization: hostname and URL rules
  - A raw byte must be a URL_TOKEN, per RFC 2396 and 2732:
    - Alphanumeric: A..Z a..z 0..9
    - Hex-escaped: %xx or %uNNNN
    - Mark: - _ . ! ~ * ' ( )
    - Reserved: ; / ? : @ & = + $ , [ ]
    - Unwise: { } | \ ^ `
    - But not: 0x00-0x1F 0x7F " # < >
- NTFS canonicalization
  - \\?\ outlawed
  - Streams outlawed
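As an added illustration (not from the deck and not IIS source), the Python below applies the byte rules listed above to a raw request URL and reports every violation rather than stopping at the first, which is what you want when tuning a filter or reviewing rejected-request logs. Two details are assumptions made for this example: the \\?\ prefix is searched for in the whole raw URL (it contains a '?', so a query split would hide it), and a ':' inside a path segment is treated as an NTFS stream reference such as file.txt::$DATA.

```python
import re

# Byte classes from the slide (RFC 2396 / RFC 2732 tokens). Anything not listed,
# including space, the control range 0x00-0x1F, 0x7F, the characters " # < >
# and every byte >= 0x80, is rejected when it appears as a raw byte.
MARK = frozenset(b"-_.!~*'()")
RESERVED = frozenset(b";/?:@&=+$,[]")
UNWISE = frozenset(b"{}|\\^`")
_ALNUM = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
_ESCAPE = re.compile(rb"%(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})")  # %xx or %uNNNN


def is_url_token_byte(b: int) -> bool:
    """True if a single raw byte may appear unescaped in a request URL."""
    return b in _ALNUM or b in MARK or b in RESERVED or b in UNWISE


def check_request_url(raw: bytes) -> list:
    """Return the rule violations found in a raw request URL (empty list = accepted).

    The token rule is applied to every byte of the URL; the NTFS rules are
    applied to the \\?\ prefix anywhere in the URL and to stream references
    in the path part (before the first '?').
    """
    problems = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b == 0x25:  # '%' must start a well-formed %xx or %uNNNN escape
            m = _ESCAPE.match(raw, i)
            if m is None:
                problems.append("malformed escape at offset %d" % i)
                i += 1
            else:
                i = m.end()
            continue
        if not is_url_token_byte(b):
            problems.append("byte 0x%02X at offset %d is not a URL token" % (b, i))
        i += 1

    if b"\\\\?\\" in raw:
        problems.append(r"\\?\ NTFS path prefix not allowed")

    # Assumption for this example: ':' inside a path segment names an NTFS stream.
    path = raw.split(b"?", 1)[0]
    for seg in path.split(b"/"):
        if b":" in seg:
            problems.append("stream reference in path segment %r" % seg)
            break
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    for url in (b"/default.htm", b"/a b.htm", b"/file.txt::$DATA", b"/%2", b"/ok?q=x:y"):
        print(url, "->", check_request_url(url) or "accepted")
```

Note that ':' is a reserved (allowed) byte, so the stream check has to be a separate, path-only rule: a ':' in the query string is legitimate and accepted, while the same byte in a path segment is rejected.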
Security Conscious Architecture: Compartmentalization
- Third-party code runs only in worker processes
- Powerful sandboxing
- HTTP pre-request logging
[Diagram: two DLLHost.EXE processes, each hosting ISAPI extensions.]
Rearchitecting IIS: A review of IIS5
[Diagram: TCP/IP in kernel mode; WinSock 2.0 in user mode; INETINFO.EXE hosting the Metabase and ISAPI filters and extensions; separate DLLHost.EXE processes hosting ISAPI extensions.]
IIS 6.0 Request Processing
[Diagram: in kernel mode, HTTP (HTTP.SYS) with its cache and queue receives the request and returns the response; in user mode, the WWW Service (administration and monitoring), Inetinfo with the XML metabase, and the FTP, NNTP and SMTP services; requests are routed to application pools.]
Rearchitecting IIS: A New Architecture for IIS6
- GOAL: prevent apps from affecting system health
- Web service in INETINFO split out to do this:
  - HTTP.SYS: kernel-mode listener and request router
  - WAS: config and process manager
  - W3 Core: where apps get loaded
- Multiple W3 Cores
[Diagram: HTTP.SYS in kernel mode; WAS and one or more W3 Core processes, each hosting a web app, in user mode.]
Rearchitecting IIS: HTTP.SYS
- What is it?
  - Kernel-mode HTTP stack/listener
  - Always running
- Reliability features
  - Process routing based on URL
  - Request queues: kernel-mode queuing
- Performance features
  - Kernel-mode response cache
  - Text-based and binary logging
Rearchitecting IIS: HTTP.SYS
[Diagram: HTTP.SYS internals. Components shown: TCP/IP, Listener, HTTP Parser, HTTP Engine, Namespace Mapper, Response Cache, Send Response, HTTP.SYS API, and three request queues. A request enters from TCP/IP and is mapped to one of the request queues; responses go out through Send Response, optionally from the Response Cache.]
Rearchitecting IIS: Web Admin Service (WAS)
- Application Manager: manages lifetime of W3 Core(s)
- Configuration Manager: configures HTTP.SYS
- No application code
  - Ensures reliability
  - Easier to identify problems
- Hosted in SVCHOST.exe
Rearchitecting IIS: W3 Core
- What is it?
  - Main web processing DLL responsible for processing web requests
- Mini-web server
  - Contains all web request processing functionality
  - Loads ISAPIs (filters and extensions)
- Separates request processing from the rest of the web server
Application Pools: Application Isolation in Processes
- Can create 1 or more application pools
- Each served by 1 or more processes
- Each worker process serves only 1 pool
- Requests routed directly to the pool by HTTP.sys
- Isolate apps based on:
  - Site/Customer
  - Functionality
  - Reliability
Application Pooling: Configurable Worker Process ID
- Worker process can be started as:
  - Network Service (default)
  - Local System
  - Local Service
  - Configured ID
Recycling: What is it and Why use it?
- What is it? Periodically restart applications based on:
  - Uptime
  - # of requests
  - Scheduled time
  - Memory consumption
  - On-demand
- Why use it?
  - Refresh apps to ensure availability
  - Prevent bad apps from taking over the system
Recycling: Overlapping Recycle
[Diagram: HTTP.SYS in kernel mode, WAS in user mode. The old worker process (Web Proc. Core DLL, ISAPI extensions and filters) is marked "Ready for Recycle"; a new worker process (same components) goes through startup to ready; once it is ready, requests are routed to the new process and the old one shuts down.]
Countering DoS: ISAPI Interaction – REPORT_UNHEALTHY
- HSE_REQ_REPORT_UNHEALTHY
  - Goal: allow an ISAPI to report to IIS that it needs to be recycled.

    // An ISAPI extension asks IIS to recycle its worker process.
    // psz_reason_unhealthy is an optional reason string that IIS records.
    bResult = pECB->ServerSupportFunction(
                  pECB->ConnID,
                  HSE_REQ_REPORT_UNHEALTHY,
                  psz_reason_unhealthy,
                  NULL,
                  NULL
              );

- ASP Hang Detection
  - Used to detect when ASP threads block in components
Health Detection: Crash Detection & Rapid Fail Protection
- WAS detects process crashes/AVs
- On failure:
  - Publish event to event log
  - Check "crash count"
  - If (crash count > max crashes in time limit): disable app pool
  - Else start new process
- Rapid Fail Protection
  - Only allow x crashes in y minutes
  - Return 503s when invoked
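The crash-counting logic on this slide, written out as an added Python model (constructed for this page, not IIS or WAS code): failures are kept in a sliding window, the pool is disabled once the window holds more than the allowed number, and requests to a disabled pool get 503. The event log and the process restart are stubbed as a list and a return value; the comparison is the slide's ">" and the threshold values are whatever you pass in.

```python
from collections import deque


class RapidFailProtection:
    """Sliding-window crash counter modelled on the slide's WAS pseudocode.

    Allow at most `max_crashes` worker-process failures within `window_seconds`;
    beyond that the application pool is disabled and its requests receive 503.
    """

    def __init__(self, max_crashes: int, window_seconds: float):
        self.max_crashes = max_crashes
        self.window_seconds = window_seconds
        self._crashes = deque()      # timestamps of failures inside the window
        self.disabled = False
        self.event_log = []          # stand-in for the Windows event log

    def _prune(self, now: float) -> None:
        # Forget failures that fall outside the time limit
        while self._crashes and now - self._crashes[0] > self.window_seconds:
            self._crashes.popleft()

    def on_worker_failure(self, now: float, reason: str) -> str:
        """Handle a worker-process crash/AV detected at time `now` (seconds).

        Returns the action taken: "start-new-process" or "disable-pool".
        """
        self.event_log.append((now, reason))          # publish event to event log
        if self.disabled:
            return "disable-pool"                     # already tripped; nothing to restart
        self._prune(now)
        self._crashes.append(now)                     # update the "crash count"
        if len(self._crashes) > self.max_crashes:     # slide: crash count > max in time limit
            self.disabled = True
            return "disable-pool"
        return "start-new-process"

    def status_for_request(self) -> int:
        """HTTP status a request routed to this pool receives once rapid-fail has tripped."""
        return 503 if self.disabled else 200

    def crash_count(self, now: float) -> int:
        """Failures currently inside the window, as WAS would count them at `now`."""
        self._prune(now)
        return len(self._crashes)


if __name__ == "__main__":
    # Constructed timeline: four access violations ten seconds apart, limit 3 per 5 minutes.
    pool = RapidFailProtection(max_crashes=3, window_seconds=300)
    for t in (0, 10, 20, 30):
        print(t, pool.on_worker_failure(t, "access violation"), pool.status_for_request())
```

The second scenario worth trying is failures spread further apart than the window: the pruning step keeps the count low and the pool keeps restarting, which is why the window length matters as much as the count when you tune rapid-fail settings.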
ASP.NET Secure Config
- ASP.NET Security Layers
- Configuring ASP.NET Security
- Server-side Input Validation

ASP.NET Security Layers
- IIS
  - Authentication
  - URLScan (not specific to ASP.NET)
  - Static file ACLs
- ASP.NET
  - Web Service Extensions
  - Authorization by Role and URL
  - File access by ASP mapped extensions
ASP.NET Accounts
- When ASP.NET is enabled, a new account is created: "ASPNET", and a new group: "IIS_WPG"
- Configurable in the IIS Service Manager MMC
- For multiple pools requiring complete isolation:
  - Create low-priv accounts for each pool
  - Add to the IIS_WPG group
  - Config each pool with the appropriate identity
- Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
- Careful of "code-behind" files that are being accessed (aspx.cs, aspx.vb): set ACLs appropriately
ASP.NET Config Files
- Understanding the ".config" files
  - XML files with Web and App settings
  - ACL these files tightly: remove "Users" and "Power Users"
- Hierarchical application of security settings
  - Machine.config
  - Web.config (for all ASP.NET apps)
  - App1 -> Web.config (individual app settings)
  - Resultant = inherited settings
- Settings:
  - AuthN, AuthZ by Users, Roles (Domain and Forms)
  - HTTP verbs allowed/disallowed
  - URLs
  - File access
- Don't put connection strings or user/passwords in here!!
Users and Roles
Web.config – <system.web> tag:

    <authorization>
      <allow users="Sue, Joe"/>
      <deny users="?"/>
    </authorization>
----------------------------------------------------------------------
    <authorization>
      <allow verbs="HEAD, GET, POST" roles="Administrators"/>
      <allow verbs="HEAD, GET, POST" roles="Users"/>
      <deny users="?"/>
    </authorization>

Note: "?" = all unauthenticated users
More Granular Control
Web.config – <location> tag:

    <location path="ListUsers.aspx">
      <system.web>
        <authentication mode="forms">
          <forms loginUrl="AdminLogin.aspx" protection="All"/>
        </authentication>
        <authorization>
          <allow users="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Note: "*" = all users; HTTP verbs can also be specified within the <location> tag
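To see how the rules on the last two slides combine, here is an added Python evaluator (written for this page, not ASP.NET code) that reads a constructed web.config containing both the role/verb rules and the <location> block, and answers "is this user allowed to issue this verb against this file?" the way the ASP.NET URL authorization module does: rules from the matching <location> come first, then the application-level rules, first match wins, and when nothing matches the request falls through to the <allow users="*"/> that machine.config supplies. The config is example data; only <authorization> is modelled, not <authentication>.

```python
import xml.etree.ElementTree as ET

# Constructed web.config combining the two slide examples (example data, not a real site).
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow verbs="HEAD, GET, POST" roles="Administrators"/>
      <allow verbs="HEAD, GET, POST" roles="Users"/>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="ListUsers.aspx">
    <system.web>
      <authorization>
        <allow users="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _child(elem, tag):
    for c in elem:
        if c.tag == tag:
            return c
    return None


def _csv(value):
    # Attribute values are comma-separated lists; compare case-insensitively
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]


def _rules_for(config_xml: str, path: str):
    """Collect <allow>/<deny> rules in evaluation order: the <location> block whose
    path matches the requested file first, then the application-level <system.web>."""
    root = ET.fromstring(config_xml)
    scopes = [loc for loc in root.findall("location")
              if loc.get("path", "").lower() == path.lower()]
    scopes.append(root)
    rules = []
    for scope in scopes:
        sw = _child(scope, "system.web")
        auth = _child(sw, "authorization") if sw is not None else None
        if auth is not None:
            rules.extend(list(auth))
    return rules


def _matches(rule, user, roles, verb):
    verbs = _csv(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:
        return False                      # a verb filter is present and not satisfied
    user_l = user.lower() if user is not None else None
    for u in _csv(rule.get("users")):
        if u == "*":                      # everyone
            return True
        if u == "?" and user is None:     # unauthenticated users only
            return True
        if user_l is not None and u == user_l:
            return True
    role_set = {r.lower() for r in roles}
    return any(r in role_set for r in _csv(rule.get("roles")))


def is_authorized(config_xml: str, path: str, verb: str, user, roles=()) -> bool:
    """First matching rule decides; user=None means an anonymous request.
    No match at all means allowed, because machine.config ends with <allow users="*"/>."""
    for rule in _rules_for(config_xml, path):
        if _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True


if __name__ == "__main__":
    print(is_authorized(WEB_CONFIG, "Default.aspx", "GET", None))            # anonymous: denied
    print(is_authorized(WEB_CONFIG, "Default.aspx", "GET", "sue", ["Users"]))  # allowed
    print(is_authorized(WEB_CONFIG, "ListUsers.aspx", "GET", "sue", ["Users"]))  # denied
```

The case to notice is an authenticated user sending a verb that is not in the allow lists (DELETE, for instance): neither allow rule matches, the deny only covers "?", and the request falls through to the implicit allow. If the intent of the verb lists is to block everything else, the block needs a closing <deny users="*"/>.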
ASP.NET Server-side Validation: C# Example (1) – The Control

    <%@ Page Language="C#" %>
    <html>
    <head>
    <script runat="server">
      void ValidateBtn_OnClick(object sender, EventArgs e)
      {
          if (Page.IsValid)
          {
              lblOutput.Text = "Page is valid.";
          }
          else
          {
              lblOutput.Text = "Page is not valid!";
          }
      }

      void ServerValidation(object source, ServerValidateEventArgs args)
      {
          try
          {
              Regex r = new Regex(@"^\d{4}$");   // Digits only – exactly 4
              // Test the submitted text (args.Value), not the event-args object itself
              if (!r.Match(args.Value).Success)
                  throw new Exception("Invalid ID");
          }
          ... <snip> ...
    </script>
    </head>
ASP.NET Server-side Validation: C# Example (2) – Hooking the Control

    <form runat="server">
      <h3>My CustomValidator Example</h3>
      <asp:Label id="lblOutput" runat="server"
          Text="Part Number:"
          Font-Name="Tahoma" Font-Size="10pt" /><br>
      <p>
      <asp:TextBox id="Text1" runat="server" />
      <asp:CustomValidator id="CustomValidator1"
          ControlToValidate="Text1"
          OnServerValidate="ServerValidation"
          Display="Static"
          ErrorMessage="Part Number entered is wrong!"
          ForeColor="green"
          Font-Name="Tahoma" Font-Size="10pt" runat="server"/>
      <p>
      <asp:Button id="Button1" Text="Validate"
          OnClick="ValidateBtn_OnClick" runat="server"/>
    </form>
Scanning & Tools
- Scanning an IIS 6 default box
- Scanning an ASP.NET enabled box
- Log Parser
- IISLockDown/URLScan
- Web Extensions
Summary
- Completely new architecture
  - Kernel mode request handling
  - Complete application isolation
- Secure defaults
  - At the code level
  - Deployment: the default IIS box is only a static web server; admin must turn on what is needed
- IIS/ASP.NET focus on app-layer security
  - Web Service Extensions
  - URLScan
  - ASP.NET .config files
  - Server-side controls
- > 10,000 sites already live on IIS 6.0
- microsoft.com running production since RC1

Questions???