Page 1: IIS and .NET Security

IIS and .NET Security

Santosh Kumar Nukavarapu

Page 2: IIS and .NET Security

Contents

• Overview of IIS and .NET security
• Security Features in IIS 7.0
• Authentication in ASP.NET
• Apache vs IIS
• XML, .NET and IIS
• Security Flaws in IIS
• Code Access Security

Page 3: IIS and .NET Security

Why Security?

• To stop unauthorized access.
• To provide application-level safety.
• To make sure that the correct response is delivered to the client.

Page 4: IIS and .NET Security

.NET's only Friend: IIS

• IIS authenticates user requests and hands them over to ASP.NET.
• ASP.NET looks after authorization.
• Unauthorized accesses are stopped and the response is a 401 page.
• Developers set all the security settings required for ASP.NET in the web.config file.

Page 5: IIS and .NET Security

Security Features in IIS 7.0

• Basic Access Authentication
• Digest Access Authentication
• Integrated Windows Authentication
• .NET Passport Authentication
• Client Certificate Mapping
• Request Filtering
• URL Authorization

Page 7: IIS and .NET Security

Basic Access Authentication

• The web browser provides the credentials.
• The user name is appended with a colon and concatenated with the password.
• The result is encoded with the Base64 algorithm.
• Decoding is easy at the server side.
• Non-HTTP-compatible characters in the user name and password are made compatible through the encoding.
• It is supported by all major browsers.

Page 11: IIS and .NET Security

Digest Access Authentication

• The password is not sent as plain text, as it is in Basic Authentication.
• MD5 is used:
  HA1 = MD5(username:realm:password)
  HA2 = MD5(method:digestURI)
  Response = MD5(HA1:nonce:HA2)
• Server and client nonces help to prevent replay attacks.
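The two slides above describe Basic and Digest at the level of formulas. The following Python is an added example (not code from the slides or from IIS) that shows both ends of each scheme: why a Basic header exposes the password to anyone who can read it, and how a Digest server checks the slide's HA1/HA2/response computation while consuming each nonce once so a captured response is useless. The user name, realm, password and URI are constructed sample values; the server stores HA1 rather than the password, an assumption of this example.

```python
from __future__ import annotations

import base64
import hashlib
import secrets


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends for Basic auth:
    "user:password" (colon-joined), then Base64."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_decode(header: str) -> tuple[str, str]:
    """Recover the user name and password from a Basic header. Base64 is an
    encoding, not encryption: anyone who sees the header sees the password,
    which is why Basic needs TLS underneath it."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password


def md5_hex(text: str) -> str:
    # MD5 is what the Digest scheme on the slide specifies; it is not used here
    # for anything beyond that protocol.
    return hashlib.md5(text.encode("utf-8"), usedforsecurity=False).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of Digest auth (RFC 2617 without qop), as on the slide:
    HA1 = MD5(username:realm:password), HA2 = MD5(method:digestURI),
    response = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: hands out one-time nonces and verifies responses.
    It stores HA1 per user rather than the password, and forgets each nonce
    after one use, so a captured response cannot be replayed."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.ha1_by_user = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str, response: str) -> bool:
        if nonce not in self.live_nonces:
            return False  # unknown or already-used nonce: a replay is rejected here
        self.live_nonces.discard(nonce)
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


def demo() -> dict:
    """Constructed walk-through: sample user, realm, password and URI are made up."""
    realm, user, pw, uri = "example.local", "santosh", "s3cret-example", "/secure/default.aspx"
    server = DigestServer(realm, {user: pw})
    nonce = server.challenge()
    resp = digest_response(user, realm, pw, "GET", uri, nonce)
    return {
        "basic_leaks_password": basic_decode(basic_header(user, pw)),
        "digest_first_use": server.verify(user, "GET", uri, nonce, resp),
        "digest_replay": server.verify(user, "GET", uri, nonce, resp),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the point of the slide's last bullet: the second `verify` call with the same nonce and response fails even though the response is arithmetically correct.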

Page 12: IIS and .NET Security

Integrated Windows Authentication

• Passwords are not sent across the network.
• An authentication mechanism such as Kerberos is used.
• Windows credentials are used for authentication.
• An NT domain or Active Directory account is needed.
• Good for intranet environments, as clients and browsers are on the same network.
• Not suited for non-Microsoft browsers.

Page 13: IIS and .NET Security

.NET Passport Authentication

• No need for login and logout pages for individual sites.
• Centralized sign-in and sign-out.
• Can be customized to maintain the look and feel of the site.
• Cookies are strongly encrypted.
• No need to provide credentials while browsing through different participating websites.
• Clicking on sign out deletes all the .NET Passport cookies that were used for the different participating websites.

Page 14: IIS and .NET Security

Contd..

• No server-to-server communication: all the communication to the centralized server is done through HTTP redirects from the client's web browser.
• Ex: Windows Live ID

Page 15: IIS and .NET Security

Client Certificate Mapping

• A certificate is a digital key.
• While accessing the server this digital key is automatically presented for authentication.
• These certificates can be mapped to Windows accounts in an Active Directory domain.
• No need for Basic, Digest or Integrated Windows authentication, as users are automatically authenticated when they log on with client certificates.
• There are three ways to map client certificates: Directory Service (DS) mapping, one-to-one mapping, and many-to-one mapping.

Page 16: IIS and .NET Security

Contd..

• Three ways to map client certificates:
  • Directory Service (DS) mapping
  • one-to-one mapping
  • many-to-one mapping

Page 17: IIS and .NET Security

Certificate mapping methods

• Directory Service (DS) mapping: Windows Active Directory is used to authenticate users with client certificates.
• One-to-one mapping: the certificate submitted by the client's browser is checked against the certificate stored on the server and the mapping is done accordingly.
• Many-to-one mapping: the certificate is searched to satisfy specific criteria. Ex: use of wildcards.

Page 18: IIS and .NET Security

Request Filtering

• Filter Double-encoded Requests - This feature prevents attacks that rely on double-encoded requests.
• Filter High Bit Characters - This feature rejects requests whose URL contains non-ASCII (high-bit) characters.
• Filter Based on File Extensions - This feature defines a set of allowed file extensions that IIS 7.0 will serve.
• Filter Based on Request Limits - This filter combines three features:
  1. maxAllowedContentLength: the upper limit on the content size.
  2. maxUrl: the upper bound on a URL length.
  3. maxQueryString: the upper bound on the length of a query string.
• Filter by Verbs - This feature defines a list of verbs that IIS 7.0 accepts as part of a request.
• Filter Based on URL Sequences - This feature defines a list of sequences that IIS 7.0 rejects when one is part of a request.
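To make the seven filters concrete, here is an added Python model of them (this is illustration code, not IIS's request-filtering module or its configuration format) run over a handful of constructed request lines. The policy values are made up for the example rather than IIS defaults; the double-encoding test uses the same idea IIS applies, namely that a second decode pass still changes the path.

```python
from __future__ import annotations

from urllib.parse import unquote

# Constructed policy for this example: the seven features from the slide, with
# illustrative limits and lists (not IIS defaults).
POLICY = {
    "allow_double_escaping": False,
    "allow_high_bit_characters": False,
    "allowed_extensions": {".aspx", ".htm", ".css", ".js", ".png", ""},  # "" = no extension
    "max_allowed_content_length": 30_000_000,
    "max_url": 4096,
    "max_query_string": 2048,
    "allowed_verbs": {"GET", "HEAD", "POST"},
    "deny_url_sequences": ["..", ":"],
}


def check_request(method: str, target: str, content_length: int = 0,
                  policy: dict = POLICY) -> str | None:
    """Return None when the request passes every filter, otherwise the name of
    the first filter that rejects it, checked in the order the slide lists them."""
    path, _, query = target.partition("?")
    decoded_once = unquote(path)

    # Double-encoded requests: decoding a second time still changes the path
    if not policy["allow_double_escaping"] and unquote(decoded_once) != decoded_once:
        return "doubleEncoding"
    # High-bit characters: anything outside 7-bit ASCII after one decode
    if not policy["allow_high_bit_characters"] and any(ord(c) > 127 for c in decoded_once):
        return "highBitCharacters"
    # File extensions: allow-list of what the server is willing to serve
    last_segment = decoded_once.rsplit("/", 1)[-1]
    ext = "." + last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext not in policy["allowed_extensions"]:
        return "fileExtension"
    # Request limits: the three bounds named on the slide
    if content_length > policy["max_allowed_content_length"]:
        return "maxAllowedContentLength"
    if len(target) > policy["max_url"]:
        return "maxUrl"
    if len(query) > policy["max_query_string"]:
        return "maxQueryString"
    # Verbs
    if method.upper() not in policy["allowed_verbs"]:
        return "verb"
    # URL sequences, matched against the decoded path
    for seq in policy["deny_url_sequences"]:
        if seq in decoded_once:
            return "denyUrlSequence"
    return None


# Constructed sample requests: (method, request-target, Content-Length)
SAMPLE_REQUESTS = [
    ("GET", "/secure/default.aspx", 0),
    ("GET", "/secure/?page=1", 0),
    ("GET", "/%252e%252e/default.aspx", 0),
    ("GET", "/caf%C3%A9.aspx", 0),
    ("GET", "/backup/site.zip", 0),
    ("POST", "/upload.aspx", 50_000_000),
    ("GET", "/default.aspx?" + "a" * 3000, 0),
    ("TRACE", "/default.aspx", 0),
    ("GET", "/secure/..%2Fdefault.aspx", 0),
]


def audit(samples=SAMPLE_REQUESTS) -> list[tuple[str, str | None]]:
    """Run every sample through the filters and pair each target with its verdict."""
    return [(target, check_request(m, target, n)) for m, target, n in samples]


if __name__ == "__main__":
    for target, verdict in audit():
        print(f"{verdict or 'ok':24} {target[:60]}")
```

The decoded path is what the sequence filter inspects, which is why `..%2F` is caught as a traversal sequence even though the raw target contains no literal `../`.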

Page 19: IIS and .NET Security

URL Authorization

• IIS 7.0 makes URL Authorization much easier.
• Previous versions needed access control lists to be configured in the system.
• Authorization rules are put on the actual URI and not on the file system resources.
• Ex: Consider there are three users: santosh, kumar and nukavarapu.

Page 20: IIS and .NET Security

• Only kumar is supposed to access the kumarSecret.aspx page.

• IIS Setup
• Create three accounts and group them via Windows User Manager.
• The above can also be done from the command prompt as below:

  net user santosh <password_of_your_choice> /add
  net user kumar <password_of_your_choice> /add
  net user nukavarapu <password_of_your_choice> /add
  net localgroup kumarAndFriends /add
  net localgroup kumarAndFriends santosh /add
  net localgroup kumarAndFriends kumar /add

Page 21: IIS and .NET Security

• 1. Open Explorer and go into the %systemdrive%\inetpub\wwwroot directory.
• 2. Create a directory called "secure".
• 3. Change into the "secure" directory and create a new file called "default.aspx". You can do this with Notepad or any other text editor.
• 4. Paste the following code into the default.aspx page:

  <%@ Language="C#" %>
  <%
      string currentUser = Request.ServerVariables["LOGON_USER"];
      if (currentUser == "") currentUser = "anonymous";
      Response.Write("<b>Current User:</b> " + currentUser);
  %>

• 5. Create another file called kumarSecret.aspx and paste the following code into it:

  <%@ Language="C#" %>
  <%
      string currentUser = Request.ServerVariables["LOGON_USER"];
      if (currentUser == "") currentUser = "anonymous";
      Response.Write("<b>Current User:</b> " + currentUser);
      Response.Write("<b>My secret:</b> I used Apache before I discovered IIS7.");
  %>

• 6. Now see if the two web pages work by requesting http://localhost/secure/ and http://localhost/secure/kumarSecret.aspx.

Page 22: IIS and .NET Security

Configuring URL Authorization

• Now secure the two pages so that only santosh and kumar have access:
• 1. Double click the "secure" web directory again and select "Authorization Rules".
• 2. Remove the "Allow All Users" rule.
• 3. Click "Add Allow Rule…", select the "Specified roles or user groups:" radio button, add "kumarAndFriends" and click the "OK" button.
• 4. Close all Internet Explorer windows, because Internet Explorer caches the credentials that you entered in the previous step.
• 5. Open Internet Explorer and try to access the page using nukavarapu's credentials (the user outside the kumarAndFriends group). You do not get access.
• 6. Now try kumar's credentials or santosh's credentials. You get access.

Page 23: IIS and .NET Security

Configuring URL Authorization for a single web page

• 1. Double click the "secure" web directory again and select "Content View" at the bottom of the page.
• 2. You will see a list of files in the secure folder, namely "default.aspx" and "kumarSecret.aspx".
• 3. Right click on kumarSecret.aspx and select "Feature View".
• 4. Now you are making changes only for the kumarSecret.aspx page, as indicated in the status bar.
• 5. Select "Authorization Rules" again. You see the inherited settings, i.e. the kumarAndFriends group is allowed to access kumarSecret.aspx.
• 6. Remove the "kumarAndFriends" rule.
• 7. Now click "Add Allow Rule…".
• 8. Click the "Specified users:" radio button, enter "kumar" and click "OK".
• 9. Close all Internet Explorer windows and request http://localhost/secure/kumarSecret.aspx.
• 10. Only by entering kumar's credentials will you get access.
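The three walkthrough slides above (accounts and group, directory rules, per-page rule) describe one procedure. The Python below is an added model of it, written for this page and not IIS's own authorization code, so the expected outcome of each step can be checked offline. Its evaluation semantics are an assumption of the example: rules attach to a URL path, child paths inherit the parent's rules unless a rule is explicitly removed there, and a request is allowed when some allow rule matches the user or one of the user's groups and no deny rule matches. The user and group names are the ones the slides create.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    users: frozenset = frozenset()     # user names; "*" = all users, "?" = anonymous
    roles: frozenset = frozenset()     # Windows groups

    def matches(self, user: str | None, groups: set[str]) -> bool:
        if "*" in self.users:
            return True
        if "?" in self.users and user is None:
            return True
        if user is not None and user in self.users:
            return True
        return bool(self.roles & groups)


def _norm(path: str) -> str:
    stripped = path.strip("/")
    return "/" + stripped if stripped else "/"


def _ancestors(path: str) -> list[str]:
    """'/secure/kumarSecret.aspx' -> ['/', '/secure', '/secure/kumarSecret.aspx']"""
    parts = path.strip("/").split("/") if path.strip("/") else []
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


class UrlAuthorization:
    """Per-path rule sets with inheritance, modelled on the IIS Manager steps."""

    def __init__(self) -> None:
        self.rules: dict[str, list[Rule]] = {}     # rules added at this path
        self.removed: dict[str, set[Rule]] = {}    # inherited rules removed at this path

    def add_rule(self, path: str, rule: Rule) -> None:
        self.rules.setdefault(_norm(path), []).append(rule)

    def remove_rule(self, path: str, rule: Rule) -> None:
        self.removed.setdefault(_norm(path), set()).add(rule)

    def effective_rules(self, path: str) -> list[Rule]:
        rules: list[Rule] = []
        for node in _ancestors(path):
            rules = [r for r in rules if r not in self.removed.get(node, set())]
            rules.extend(self.rules.get(node, []))
        return rules

    def is_allowed(self, path: str, user: str | None, groups: set[str]) -> bool:
        matched = [r for r in self.effective_rules(path) if r.matches(user, groups)]
        if any(r.action == "deny" for r in matched):
            return False
        return any(r.action == "allow" for r in matched)


def build_walkthrough() -> tuple[UrlAuthorization, dict[str, set[str]]]:
    """Replay the slides' configuration steps."""
    groups = {"santosh": {"kumarAndFriends"}, "kumar": {"kumarAndFriends"}, "nukavarapu": set()}
    auth = UrlAuthorization()
    allow_all = Rule("allow", users=frozenset({"*"}))
    allow_friends = Rule("allow", roles=frozenset({"kumarAndFriends"}))
    auth.add_rule("/", allow_all)                                  # the inherited "Allow All Users"
    auth.remove_rule("/secure", allow_all)                         # step 2 on the directory
    auth.add_rule("/secure", allow_friends)                        # step 3 on the directory
    auth.remove_rule("/secure/kumarSecret.aspx", allow_friends)    # step 6 on the single page
    auth.add_rule("/secure/kumarSecret.aspx", Rule("allow", users=frozenset({"kumar"})))  # step 8
    return auth, groups


WALKTHROUGH, GROUPS = build_walkthrough()


def can_access(user: str | None, path: str) -> bool:
    """True when `user` (None = anonymous) may request `path` under the walkthrough rules."""
    return WALKTHROUGH.is_allowed(path, user, GROUPS.get(user, set()))


if __name__ == "__main__":
    for u in ("santosh", "kumar", "nukavarapu"):
        print(u, can_access(u, "/secure/"), can_access(u, "/secure/kumarSecret.aspx"))
```

Step 6 on the single-page slide is modelled as a removal recorded on that path: the group rule still exists on the directory and still governs default.aspx, but no longer reaches kumarSecret.aspx.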

Page 24: IIS and .NET Security

Apache vs IIS

• Performance:
• The Apache Software Foundation does not support 64-bit technology on Windows.
• So you cannot use a Windows 64-bit + Apache combination.
• On 64-bit systems the choice is between Windows + IIS6 or Linux + Apache.
• In order to run PHP under IIS6 on a 64-bit platform you have to play a lot with the 32-bit emulation of IIS6 and make sure that all PHP extensions are loaded and executed in 32-bit mode.

• Stability:
• Windows and IIS6 have proprietary code. That means that in case any vulnerability is found, a user has to wait and live with the vulnerable system until Microsoft fixes the issue and releases a fix.
• Linux and Apache are open source products. This means that everyone has access to the source code, and as soon as a vulnerability has been found, everyone who has the appropriate level of knowledge can fix it.
• Apache 2 had more vulnerabilities than IIS6. However, IIS6 has more critical vulnerabilities that might result in service failure or give admin access to the attacker.

• Cost:
• Windows setup costs include: more powerful hardware to run the GUI and antivirus software; Windows and IIS6 licenses for the server.
• Linux setup costs include: hardware only. It also need not be as powerful as the one for Windows to serve the same amount of requests.
• Optional Linux installation cost if you are looking for Red Hat or SUSE. But it is cheaper anyway, and it is required only if you have some very specific requirements to go for a commercial Linux release.

Page 25: IIS and .NET Security

STOP SECURITY ISSUES

• Use PrincipalPermission to demand role-based security:

  [PrincipalPermission(SecurityAction.Demand, Role="Admin")]
  public class AdminOnlyPage : BasePage
  {
      // ...
  }

Page 26: IIS and .NET Security

Contd..

• Securing a particular directory in ASP.NET for specific roles:

  <location path="Secure">
      <system.web>
          <authorization>
              <deny users="?" />
          </authorization>
      </system.web>
  </location>

Page 27: IIS and .NET Security

Prevent SQL Injection by Using SqlParameters

  using System.Data;
  using System.Data.SqlClient;

  using (SqlConnection connection = new SqlConnection(connectionString))
  {
      DataSet userDataset = new DataSet();
      SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
      myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
      myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
      myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
      myCommand.Fill(userDataset);
  }
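The slide shows the safe form only. The added Python below (written for this page; it is not the slide's C# and uses SQLite rather than SQL Server) puts the string-concatenation pattern the slide is replacing next to the parameterized equivalent of its `@au_id` parameter, on a constructed in-memory authors table, so the difference in behaviour on a hostile value can be seen directly. The 11-character check mirrors the `VarChar(11)` declared for `@au_id` and is included to show that a length limit alone does not close the hole.

```python
from __future__ import annotations

import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the authors table the
    slide's stored procedure would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (au_id TEXT PRIMARY KEY, au_lname TEXT)")
    conn.executemany(
        "INSERT INTO authors VALUES (?, ?)",
        [("172-32-1176", "White"), ("213-46-8915", "Green"), ("238-95-7766", "Carson")],
    )
    return conn


def lookup_by_concatenation(conn: sqlite3.Connection, au_id: str) -> list[str]:
    """The pattern the slide warns against: user input spliced into the SQL text,
    so the database parses whatever the user typed as part of the query."""
    sql = "SELECT au_lname FROM authors WHERE au_id = '" + au_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_parameter(conn: sqlite3.Connection, au_id: str) -> list[str]:
    """Equivalent of the slide's SqlParameter: the value is bound separately
    from the SQL text and is never parsed as SQL."""
    if len(au_id) > 11:                     # same bound as SqlDbType.VarChar, 11
        raise ValueError("au_id longer than 11 characters")
    rows = conn.execute("SELECT au_lname FROM authors WHERE au_id = ?", (au_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_sample_db()
    hostile = "' OR '1'='1"                 # 11 characters, so it passes the length check
    print("concatenated:", lookup_by_concatenation(db, hostile))
    print("parameterized:", lookup_by_parameter(db, hostile))
```

With the concatenated query the hostile value turns the `WHERE` clause into a tautology and every row comes back; with the bound parameter the same string is compared literally against `au_id` and matches nothing.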

Page 28: IIS and .NET Security

• Turn on custom errors to keep errors private:

  <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

Page 29: IIS and .NET Security

Prevent Cross-Site Scripting Using HtmlEncode and UrlEncode

  Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
  Response.Write(HttpUtility.UrlEncode(urlString));

  // Encode the string input from the HTML input text field
  StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(htmlInputTxt.Text));
  // Selectively allow <b> and <i>
  sb.Replace("&lt;b&gt;", "<b>");
  sb.Replace("&lt;/b&gt;", "</b>");
  sb.Replace("&lt;i&gt;", "<i>");
  sb.Replace("&lt;/i&gt;", "</i>");
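The slide's three techniques (HTML-encode output, URL-encode values placed in a URL, and encode-then-selectively-restore `<b>`/`<i>`) are shown below in an added Python example that is not the slide's C#; `html.escape` and `urllib.parse.quote` play the roles of `HttpUtility.HtmlEncode` and `HttpUtility.UrlEncode`. The sample inputs are constructed. It also shows why the restore step is safe: only the exact strings `<b>`, `</b>`, `<i>`, `</i>` are put back, so a tag carrying an attribute stays encoded.

```python
from __future__ import annotations

import html
from urllib.parse import quote


def encode_for_html(text: str) -> str:
    """Counterpart of HttpUtility.HtmlEncode: < > & " ' become entities, so
    untrusted text is rendered as text, never parsed as markup."""
    return html.escape(text, quote=True)


def encode_allowing_bold_italic(text: str) -> str:
    """Mirror of the slide's StringBuilder approach: encode everything first,
    then restore only the bare <b>, </b>, <i>, </i> tags. A tag with any
    attribute (e.g. an event handler) does not match these literals and
    stays encoded."""
    encoded = html.escape(text, quote=True)
    for tag in ("b", "i"):
        encoded = encoded.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        encoded = encoded.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return encoded


def build_redirect_url(base: str, target: str) -> str:
    """Counterpart of HttpUtility.UrlEncode when a value is embedded in a URL:
    every reserved character in the value is percent-encoded (safe="") so the
    value cannot add parameters or change the path."""
    return f"{base}?next={quote(target, safe='')}"


if __name__ == "__main__":
    # Constructed sample inputs
    print(encode_for_html("<script>alert(1)</script>"))
    print(encode_allowing_bold_italic("<b>bold</b> and <i>italic</i> but <img src=x onerror=alert(1)>"))
    print(encode_allowing_bold_italic('<b onclick="x">t</b>'))
    print(build_redirect_url("/login.aspx", "/secure/a b?c=d"))
```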

Page 30: IIS and .NET Security

Security Flaws in IIS

• A buffer overflow involving chunked encoding with the ASP (Active Server Page) ISAPI filter.
• Another buffer overflow involving HTTP header processing, in which an attacker can spoof delimiter checking and persuade IIS that delimiting characters are present when they are not.
• It is possible for an invalid and very long file name to pass the include safety check, resulting in a file name bigger than its intended buffer, and hence a buffer overflow.
• A denial of service vulnerability involving the way an ISAPI filter included in FrontPage Server Extensions and ASP.NET generates an error when a request is received containing a URL exceeding the maximum length set by the filter. IIS attempts to process the URL while returning an error message, resulting in an access violation which causes it to crash. Affects IIS 4.0, 5.0, and 5.1.
• We've got three CSS (Cross-Site Scripting) vulnerabilities.

Page 31: IIS and .NET Security

Code Access Security

• The .NET Framework provides a security mechanism, called Code Access Security (CAS), to protect computer systems from malicious code and to provide a way to allow mobile code to run safely.
• .NET allows administrators to assign a pre-defined set of permissions to an application.
• These permission sets vary based on the level of trust accorded to the application.
• By default, applications receive a level of trust dependent upon the evidence presented about the code's digital signature, origin, and the location of the application.

Page 32: IIS and .NET Security

• ASP.NET web applications can be further configured by assigning them trust levels.
• Trust levels are configured using the <trust> element within the configuration file:

  <trust level="Full | High | Low | None" originUrl="url" />

Page 33: IIS and .NET Security

Contd..

• The default mappings for ASP.NET are:
• High: maps to web_hightrust.config. This level provides permissions that grant applications read/write access to the application directory (subject to operating system permissions) and allows the application to replace the authentication principal object. It also restricts applications from calling into unmanaged code.
• Low: maps to web_lowtrust.config. This level allows applications to read from the application directory and provides limited network connectivity.
• None: maps to web_notrust.config. This level provides basic execution permission and supports the application's use of isolated storage.
• Example of code:

  <securityPolicy>
      <trustLevel name="Full" policyFile="internal" />
      <trustLevel name="High" policyFile="web_hightrust.config" />
      <trustLevel name="Low" policyFile="web_lowtrust.config" />
      <trustLevel name="None" policyFile="web_notrust.config" />
  </securityPolicy>

Page 34: IIS and .NET Security

References

• www.msdn.com
• http://www.theregister.co.uk/2002/04/11/eight_new_iis_security_holes/
• http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/
• http://www.visualbuilder.com/aspnet/security/tutorial/code-access-security/