IIS 6.0 SECURITY ARCHITECTURE
It's a Whole New World
Michael Muckin
Security Architect
Microsoft Consulting Services
Agenda
- Setting the Stage
- IIS 6.0 Security Design
- ASP.NET Security Config
- Scanning & Tools
- Hardening IIS 6.0
- Demos throughout
Setting the Stage
- No news that IIS is a primary target
- What is this Security Push and Trustworthy Computing?
- IIS 6.0 should be tangible evidence of these initiatives
Vulnerability Trends
[Chart: vulnerability trends by layer (Physical, Network, OS, Application); vertical vs. horizontal; decreasing / leveling out / increasing]
Vulns at the Net and OS layers are leveling out, while attacks at the App layer (vertical) and the browser (horizontal) are increasing dramatically. IIS 6 should be a major step forward in the protection of the web server and, to a certain degree, the App layer. Since custom code has a lot to do with these areas, it can only go so far.
[Diagram: application layers: Object, Collection, Logic/Web Svcs, Server, Web Server]
IIS 6.0 Security Design
- Product quality: improve design, coding, and testing practices; fewer vulnerabilities out of the box
- Security conscious architecture: reduced attack surface
- Defense in depth: limit the possible damage should new
Product Quality
- Security stand-down
- Development practices: /GS, Prefix/Prefast runs
- Single String Class
- QFE and IIS core
Reduced Attack Surface
- Windows Server 2003 disables 20+ services
- IIS is not installed on Windows Server 2003
- If you install IIS:

IIS component                 | IIS 5.0 clean install | IIS 6.0 clean install
Static file support           | enabled               | enabled
ASP                           | enabled               | disabled
Server-side includes          | enabled               | disabled
Internet Data Connector       | enabled               | disabled
WebDAV                        | enabled               | disabled
Index Server ISAPI            | enabled               | disabled
Internet Printing ISAPI       | enabled               | disabled
CGI                           | enabled               | disabled
FrontPage Server Extensions   | enabled               | disabled
Password Change Functionality | enabled               | disabled
SMTP                          | enabled               | disabled
FTP                           | enabled               | disabled
ASP.NET                       | X                     | disabled
BITS                          | X                     | disabled

Vulnerability Distribution
- Web-Server only
Defense In Depth
- Buffer overflows
  - New low-privilege accounts: Network Service (default) and Local Service
  - Default privileges:
    SeAssignPrimaryTokenPrivilege
    SeSecurityPrivilege
    SeSystemtimePrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeUndockPrivilege
  - vs. the LocalSystem account, which has almost every system privilege (21 total)
Defense In Depth
- Canonicalization issues: rigorous and restrictive parsing; the default handler is restricted to a list of known extensions
- Denial-of-service attacks: fault-tolerant infrastructure; limits
- Cross-site scripting issues: ASP.NET data validation controls
- Executing command-line scripts: secure defaults, don't allow the anonymous account to execute *.exes
- Site defacements: no write access for the anonymous account in the home directory
Secure By Default
Secure Defaults I
The 16k limit is the same as HKLM\System\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer DWORD = 16384 on IIS 5.
Secure By Default
Secure Defaults II
Secure By Default
Secure Defaults III
Security Conscious Architecture
Compartmentalization
Rearchitecting IIS
A review of IIS5
[Diagram: IIS 5 process model. Kernel: TCP/IP. User mode: WinSock 2.0; INETINFO.EXE hosting the Metabase and in-process ISAPI Filters and Extensions; out-of-process ISAPI Extensions in separate DLLHost.EXE processes]
Now, what happens when one of my apps running in-proc causes an AV (an ISAPI with its own thread pool)?
[animation]
SCM is configured to detect INETINFO crashes and restart it automatically. But this doesn't solve a couple of problems:
1. Your content is still unavailable for the small amount of time it takes for IISRESET to restart IIS.
2. SCM isn't capable of detecting when all the threads in IIS are locked. IIS is still up, but it's deadlocked.
IIS 6.0 Request Processing
[Diagram: IIS 6.0 request processing. Kernel mode: HTTP.SYS with cache and request queues. User mode: Inetinfo with the XML Metabase, FTP, NNTP, SMTP; WWW Service providing administration and monitoring; application pools receiving requests and returning responses]
Rearchitecting IIS
A New Architecture for IIS6
[Diagram: HTTP.SYS in the kernel; WAS, W3 Core and the web app in user mode]
Rearchitecting IIS
HTTP.SYS
[reliability features]
- Process routing: one namespace doesn't necessarily affect other namespaces (depends on routing).
Rearchitecting IIS
[Diagram: HTTP.SYS internals. TCP/IP feeds the Listener; the HTTP Engine with its HTTP Parser and Namespace Mapper routes each request into a per-application-pool request queue exposed through the HTTP.SYS API; responses go out through the Response Cache and Send Response path]
If the namespace isn't found in the namespace mapper, the request is returned with a 400 Bad Request (the RFC calls for this).
Rearchitecting IIS
Web Admin Service (WAS)
Rearchitecting IIS
W3 Core
Application Pools
Application Isolation in Processes
Official app pool definition:
The application pool is a defined process boundary used by HTTP.SYS namespace mapper to direct requests to the correct process. It is an isolated space that defines a set of web applications which share one or more worker processes and is managed by the Web Administration Service (WAS) and can contain from a single site to one or more applications.
Reliability: isolate problem child apps in their own process and lock them down so as to not affect
Application Pooling
Configurable Worker Process ID
[orphan] Remember to note that a new process is started in the old process's place.
Recycling
What is it and Why use it?
Recycling replaces the knee-jerk reaction of running IISRESET on the box; that is no longer needed.
Recycling
Overlapping Recycle
[Diagram: overlapping recycle. WAS starts a new worker process (Web Proc. Core DLL with ISAPI extensions and filters) while the old worker process keeps serving; once the new process signals ready, HTTP.SYS routes new requests to it and the old process is told to shut down]
Countering DoS
ISAPI Interaction REPORT_UNHEALTHY
// Inside an ISAPI extension: pECB is the EXTENSION_CONTROL_BLOCK for the request
BOOL  bResult;
char *psz_reason_unhealthy = "Worker threads blocked in component";
bResult = pECB->ServerSupportFunction(
    pECB->ConnID,
    HSE_REQ_REPORT_UNHEALTHY,   // ask the worker process to recycle itself
    psz_reason_unhealthy,       // reason string written to the event log
    NULL,
    NULL
);
ASP Hang Detection
- Used to detect when ASP threads block in components
[REPORT_UNHEALTHY]
- Must have health detection enabled
- The ISAPI extension reports that it's unhealthy. After the next ping, the worker process requests a recycle from WAS.
[asp hang detection]
- ASP is usually able to time out a script in most cases
- Except when threads are blocked in a component
- This is where ASP Hang Detection fits in
- Max threads spawned -> ASP.DLL calls HSE_REQ_REPORT_UNHEALTHY -> worker process recycles
Many times an attacked/compromised machine will hang; this allows the process to recycle, effectively killing the session along with any compromises. Not perfect, but helpful.
Health Detection
Crash Detection & Rapid Fail Protection
Like recycling, this replaces the knee-jerk reaction of running IISRESET on the box; that is no longer needed.
ASP.NET Secure Config
- ASP.NET Security Layers
- Configuring ASP.NET Security
- Server-side Input Validation
ASP.NET Security Layers
- IIS: authentication; URLScan (not specific to ASP.NET); static file ACLs
- ASP.NET: Web Service Extensions; authorization by role and URL; file access by ASP mapped extensions
The authenticated user requires NTFS read permissions to all of the files involved in the scenario. The only variable is which gatekeeper is used to enforce access control. The ASP.NET process account only requires read access to the ASP.NET registered file types.
ASP.NET Accounts
- When ASP.NET is enabled a new account is created, ASPNET, and a new group, IIS_WPG
- Configurable in the IIS Service Manager MMC
- For multiple pools requiring complete isolation:
  - Create low-privilege accounts for each pool
  - Add them to the IIS_WPG group
  - Configure each pool with the appropriate identity
- Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
- Careful of code-behind files that are being accessed; set ACLs appropriately (aspx.cs, aspx.vb)
ASP.NET Config Files
- Understanding the .config files: XML files with web and app settings
- ACL these files tightly; remove Users and Power Users
- Hierarchical application of security settings:
  - Machine.config
  - Web.config (for all ASP.NET apps)
  - App1 -> Web.config (individual app settings)
  - Resultant = inherited settings
- Settings: AuthN; AuthZ by users and roles (domain and forms); HTTP verbs allowed/disallowed; URLs; file access
- Don't put connection strings or user names/passwords in here!
Users and Roles
Web.config tag:
More Granular Control
Web.config tag:
Note: * = all users; HTTP verbs can also be specified within the tag
This is a forms-based config. Be sure to highlight the flexibility that forms provides in the AuthZ space.
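A Web.config fragment written for this page, not the deck's own (stripped) tag, showing the forms-based users/roles/verbs authorization the slide describes; the role names, login page and the Admin path are assumed:

```xml
<!-- Added example, not from the slides. "*" = all users, "?" = anonymous users.
     Rules are evaluated top to bottom; the first matching rule wins. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated users are redirected to Login.aspx -->
    <authentication mode="Forms">
      <forms name="AppAuth" loginUrl="Login.aspx" protection="All" timeout="20" />
    </authentication>
    <!-- Site-wide: only members of the assumed Editors or Admins roles get in;
         everyone else (including authenticated users in other roles) is denied -->
    <authorization>
      <allow roles="Admins,Editors" />
      <deny users="*" />
    </authorization>
    <!-- No connection strings or credentials belong in this file -->
  </system.web>
  <!-- Per-URL override for the assumed Admin subdirectory: Admins may GET and
       POST; any other verb, user or role falls through to the deny -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" verbs="GET,POST" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```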
ASP.NET Server-side Validation
C# Example (1) The Control
using System;
using System.Text.RegularExpressions;
using System.Web.UI.WebControls;

// Button handler: Page.IsValid is the aggregate of every validator on the page
void ValidateBtn_OnClick(object sender, EventArgs e)
{
    if (Page.IsValid)
    {
        lblOutput.Text = "Page is valid.";
    }
    else
    {
        lblOutput.Text = "Page is not valid!";
    }
}

// ServerValidate handler for the CustomValidator; args.Value is the input to check
void ServerValidation(object source, ServerValidateEventArgs args)
{
    try
    {
        Regex r = new Regex(@"^\d{4}$"); // Digits only, exactly 4
        if (!r.Match(args.Value).Success)
            throw new Exception("Invalid ID");
        args.IsValid = true;
    }
    catch (Exception)
    {
        // Any failure is treated as invalid input, never as valid
        args.IsValid = false;
    }
}
ASP.NET Server-side Validation
C# Example (2) Hooking the Control
My CustomValidator Example
Use both client- and server-side input validation. Client side is too easily bypassed!
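An added page fragment (not the deck's own "Hooking the Control" markup) that wires the ServerValidation handler above to a CustomValidator and pairs it with a client-side check; the control IDs and the clientValidateID function are assumed:

```xml
<!-- Added example, not from the slides. Control IDs and the client function are assumed. -->
<asp:TextBox ID="txtID" runat="server" MaxLength="4" />

<!-- CustomValidator does not fire on empty input, so a RequiredFieldValidator
     covers that case -->
<asp:RequiredFieldValidator ID="rfvID" runat="server"
    ControlToValidate="txtID"
    ErrorMessage="ID is required"
    Display="Dynamic" />

<!-- OnServerValidate hooks the C# handler; ClientValidationFunction is the
     browser-side mirror, which only saves a round trip and is never trusted -->
<asp:CustomValidator ID="cvID" runat="server"
    ControlToValidate="txtID"
    OnServerValidate="ServerValidation"
    ClientValidationFunction="clientValidateID"
    ErrorMessage="ID must be exactly 4 digits"
    Display="Dynamic" />

<asp:Button ID="ValidateBtn" runat="server" Text="Submit" OnClick="ValidateBtn_OnClick" />
<asp:Label ID="lblOutput" runat="server" />

<script type="text/javascript">
  // Same rule as the server-side Regex; the server check remains authoritative
  function clientValidateID(source, args) {
    args.IsValid = /^\d{4}$/.test(args.Value);
  }
</script>
```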
Summary
- Completely new architecture: kernel-mode request handling; complete application isolation
- Secure defaults: at the code level; deployment: the default IIS box is only a static web server, the admin must turn on what is needed
- IIS/ASP.NET focus on app-layer security: Web Service Extensions; URLScan; ASP.NET .config files; server-side controls
- > 10,000 sites already live on IIS 6.0; microsoft.com running production since RC1
Questions ???
[Diagram: Browser, Logic/Web Svcs, Web Server, Data]