IIS 6.0 SECURITY ARCHITECTURE: It's a Whole New World. Michael Muckin, Security Architect, Microsoft Consulting Services

Bh Win 03 Muckin


  • IIS 6.0 SECURITY ARCHITECTURE
    It's a Whole New World

    Michael Muckin

    Security Architect

    Microsoft Consulting Services

  • Agenda

    - Setting the Stage
    - IIS 6.0 Security design
    - ASP.NET Security Config
    - Scanning & Tools
    - Hardening IIS 6.0

    Demos throughout

  • Setting the Stage

    - No news that IIS is a primary target
    - What is this Security Push and Trustworthy Computing?
    - IIS 6.0 should be tangible evidence of these initiatives
  • Vulnerability Trends

    [Figure: vulnerability trends across the Physical, Network, OS and Application layers, with a vertical (application) and a horizontal (browser) axis; trend labels read Decreasing, Leveling out and Increasing.]

    Vulnerabilities at the network and OS layers are leveling out, while attacks at the application layer (vertical) and the browser (horizontal) are increasing dramatically. IIS 6 should be a major step forward in the protection of the web server and, to a certain degree, the application layer. Since custom code has a lot to do with these areas, it can only go so far.

    [Figure labels: Object, Collection, Logic/Web Svcs, Server, Web Server.]

  • IIS 6.0 Security Design

    - Product quality: improve design, coding, and testing practices; fewer vulnerabilities out of the box
    - Security conscious architecture: reduced attack surface
    - Defense in depth: limit the possible damage should new vulnerabilities be discovered
    - Always up-to-date: make it practical to keep systems up-to-date with the latest software patches
  • Product Quality

    - Security stand-down
    - Development practices: /GS; Prefix/Prefast runs; single string class; QFE and IIS core team merged; code review for every change; external reviews keep us honest; removed legacy code; security design review for every feature
    - Extensive test infrastructure: external tools; internal tools; IIS tools (buffer overflow scanner, cross-site scripting, fault injection in regular test runs)
  • Reduced Attack Surface

    - Windows Server 2003 disables 20+ services
    - IIS is not installed on Windows Server 2003
    - If you install IIS:

    | IIS component                 | IIS 5.0 clean install | IIS 6.0 clean install |
    |-------------------------------|-----------------------|-----------------------|
    | Static file support           | enabled               | enabled               |
    | ASP                           | enabled               | disabled              |
    | Server-side includes          | enabled               | disabled              |
    | Internet Data Connector       | enabled               | disabled              |
    | WebDAV                        | enabled               | disabled              |
    | Index Server ISAPI            | enabled               | disabled              |
    | Internet Printing ISAPI       | enabled               | disabled              |
    | CGI                           | enabled               | disabled              |
    | FrontPage Server Extensions   | enabled               | disabled              |
    | Password Change Functionality | enabled               | disabled              |
    | SMTP                          | enabled               | disabled              |
    | FTP                           | enabled               | disabled              |
    | ASP.NET                       | X (not shipped)       | disabled              |
    | BITS                          | X (not shipped)       | disabled              |
  • Vulnerability Distribution
    Web-Server only

    Web server components and severity:
    - IIS Core
    - ASP
    - Server-side includes (SSINC.DLL)
    - Internet Data Connector (HTTPODBC.DLL)
    - WebDAV (HTTPEXT.DLL)
    - Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
    - Internet Printing ISAPI (MSW3PRT.DLL)
    - FrontPage Server Extensions (div.)
    - Password Change Functionality (ISM.DLL)
  • Defense In Depth

    - Buffer overflows: new low-privilege accounts, Network Service (default) and Local Service
    - Default privileges: SeAssignPrimaryTokenPrivilege, SeSecurityPrivilege, SeSystemtimePrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege
    - vs. the LocalSystem account, which has almost every system privilege (21 total)
  • Defense In Depth

    - Canonicalization issues: rigorous and restrictive parsing; default handler is restricted to a list of known extensions
    - Denial-of-service attacks: fault-tolerant infrastructure; limits
    - Cross-site scripting issues: ASP.NET data validation controls
    - Executing command-line scripts: secure defaults, don't allow the anonymous account to execute *.exe
    - Site defacements: no write access for the anonymous account in the home directory
  • Secure By Default
    Secure Defaults I

    - No executable VDirs: /SCRIPTS and /MSADC
    - Secure timeouts and limits: 16k request limit
    - Old legacy code removed: ISM.DLL/.HTR; sub-authentication
    - Known extensions
    - Check if file exists

    16k limit = same as HKLM\System\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer DWORD = 16384 on IIS 5

  • Secure By Default
    Secure Defaults II

    - Strong ACLs on: logfiles; custom error directory; cache directories (persistent ASP template cache, compression cache)
    - IE shipped in hardened state on all servers; admin must add zones/settings as desired
    - ASP: ASPEnableParentPath = FALSE; hang detection; 4MB response buffer limit; internal health detection
  • Secure By Default
    Secure Defaults III

    - Restrictive URL canonicalization
    - Hostname and URL rules: a raw byte must be URL_TOKEN, per RFC 2396 and 2732
      - Alphanumeric: A..Z a..z 0..9
      - Hex-escaped: %xx or %uNNNN
      - Mark: - _ . ! ~ * ' ( )
      - Reserved: ; / ? : @ & = + $ , [ ]
      - Unwise: { } | \ ^ `
      - But not: 0x00-0x1F 0x7F " # < >
    - NTFS canonicalization: \\?\ and streams outlawed
  • Security Conscious Architecture
    Compartmentalization

    - Third-party code runs only in worker processes
    - Powerful sandboxing
    - HTTP pre-request logging
  • Rearchitecting IIS
    A review of IIS5

    [Figure: IIS 5 process model. Kernel: TCP/IP. User mode: WinSock 2.0; INETINFO.EXE hosting the metabase and in-process ISAPI filters and extensions; out-of-process ISAPI extensions in DLLHost.EXE instances.]

    Now, what happens when one of my apps running in-proc causes an AV (an ISAPI with its own thread pool)?

    [animation]

    SCM is configured to detect INETINFO crashes and restart it automatically, but this doesn't solve a couple of problems: 1. Your content is still unavailable for the small amount of time it takes IISRESET to restart IIS. 2. SCM isn't capable of detecting when all the threads in IIS are locked; IIS is still up, but it's deadlocked.
  • IIS 6.0 Request Processing

    [Figure: IIS 6.0 request processing. Kernel mode: HTTP.SYS with its cache and request queues; requests enter and responses leave through it. User mode: application pools (worker processes), the WWW Service (administration and monitoring), and Inetinfo hosting the XML metabase plus FTP, NNTP and SMTP.]

  • Rearchitecting IIS
    A New Architecture for IIS6

    - GOAL: prevent apps from affecting system health
    - Web service in INETINFO split out to do this:
      - HTTP.SYS: kernel-mode listener and request router
      - WAS: config and process manager
      - W3 Core: where apps get loaded; multiple W3 Cores

    [Figure: WAS and the W3 Core hosting the web app in user mode; HTTP.SYS in the kernel.]

  • Rearchitecting IIS
    HTTP.SYS

    - What is it? Kernel-mode HTTP stack/listener; always running
    - Reliability features: process routing based on URL; request queues (kernel-mode queuing)
    - Performance features: kernel-mode response cache; text-based and binary logging

    [reliability features]

    -> Process routing: one namespace doesn't necessarily affect other namespaces (depends on routing).

  • Rearchitecting IIS
    HTTP.SYS

    [Figure: HTTP.SYS internals. A request arrives over TCP/IP at the listener, passes through the HTTP parser and HTTP engine to the namespace mapper, which places it on one of several request queues; the response cache and send-response path return responses; the HTTP.SYS API exposes the queues to user mode.]

    If the namespace isn't found in the namespace mapper, the request is returned with a 400 Bad Request (the RFC calls for this).

  • Rearchitecting IIS
    Web Admin Service (WAS)

    - Application Manager: manages the lifetime of W3 Core(s)
    - Configuration Manager: configures HTTP.SYS
    - No application code: ensures reliability; easier to identify problems
    - Hosted in SVCHOST.exe
  • Rearchitecting IIS
    W3 Core

    - What is it? Main web processing DLL responsible for processing web requests; a mini web server
    - Contains all web request processing functionality
    - Loads ISAPI filters and extensions
    - Separates request processing from the rest of the web server
  • Application Pools
    Application Isolation in Processes

    - Can create 1 or more application pools; each served by 1 or more processes; each worker process serves only 1 pool
    - Requests routed directly to the pool by HTTP.sys
    - Isolate apps based on: site/customer; functionality; reliability

    Official app pool definition:

    The application pool is a defined process boundary used by the HTTP.SYS namespace mapper to direct requests to the correct process. It is an isolated space that defines a set of web applications which share one or more worker processes; it is managed by the Web Administration Service (WAS) and can contain anything from a single site to one or more applications.

    Reliability: isolate problem child apps in their own process and lock them down so as to not affect
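    As an added example (not code from the slides or from the product), here is a toy of the routing the HTTP.SYS and Application Pools slides describe: the namespace mapper picks the longest registered URL prefix, queues the request on that pool's own queue, answers 400 when no namespace matches and 503 when WAS has disabled the pool. The prefix table, pool names and the use of the prefix form for request URLs are constructed simplifications; real HTTP.SYS registers prefixes through its own API and matches on the request's Host header.

```python
# Added example, not from the slides: a toy HTTP.SYS namespace mapper routing
# requests to application pools with one request queue per pool. Constructed.
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class AppPool:
    def __init__(self, name: str) -> None:
        self.name = name
        self.queue: Deque[str] = deque()  # stands in for the kernel-mode request queue
        self.enabled = True               # cleared by WAS when rapid fail protection trips


class NamespaceMapper:
    def __init__(self) -> None:
        self.prefixes: Dict[str, AppPool] = {}

    def register(self, url_prefix: str, pool: AppPool) -> None:
        """Assumed prefix syntax "http://*:80/shop/"; the longest matching prefix wins."""
        self.prefixes[url_prefix] = pool

    def route(self, url: str) -> Tuple[str, Optional[str]]:
        """Return (outcome, pool name): "queued", "400" when nothing owns the namespace,
        or "503" when the owning pool has been disabled."""
        best = None
        for prefix in self.prefixes:
            if url.startswith(prefix) and (best is None or len(prefix) > len(best)):
                best = prefix
        if best is None:
            return "400", None
        pool = self.prefixes[best]
        if not pool.enabled:
            return "503", pool.name
        pool.queue.append(url)  # a worker process of this pool will dequeue it
        return "queued", pool.name


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario: two pools; the shop pool has been stopped by WAS.
    The default pool keeps serving, which is the isolation point of the slide."""
    mapper = NamespaceMapper()
    default, shop = AppPool("DefaultAppPool"), AppPool("ShopPool")
    mapper.register("http://*:80/", default)
    mapper.register("http://*:80/shop/", shop)
    shop.enabled = False
    return {
        "shop": mapper.route("http://*:80/shop/cart.aspx"),
        "home": mapper.route("http://*:80/index.htm"),
        "other_port": mapper.route("http://*:8080/index.htm"),
    }
```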

  • Application Pooling
    Configurable Worker Process ID

    Worker process can be started as:
    - Network Service (default)
    - Local System
    - Local Service
    - Configured ID

    [orphan] Remember to note that a new process is started in the old process's place.

  • Recycling
    What is it and Why use it?

    - What is it? Periodically restart applications based on: uptime; number of requests; scheduled time; memory consumption; on demand
    - Why use it? Refresh apps to ensure availability; prevent bad apps from taking over the system

    Almost a replacement for the knee-jerk reaction of running IISRESET on the box, which is no longer needed.

  • Recycling
    Overlapping Recycle

    [Figure: overlapping recycle. WAS signals HTTP.SYS (kernel) and the worker processes (user mode): the new worker process (Web Proc. Core DLL, ISAPI extensions and filters) starts up and reports ready, requests are then routed to it, and only then is the old worker process, marked ready for recycle, shut down.]

  • Countering DoS
    ISAPI Interaction REPORT_UNHEALTHY

    HSE_REQ_REPORT_UNHEALTHY. Goal: allow an ISAPI to report to IIS that it needs to be recycled.

```c
#include <windows.h>
#include <httpext.h>   /* EXTENSION_CONTROL_BLOCK and HSE_REQ_REPORT_UNHEALTHY */

/* Inside an ISAPI extension: tell IIS that this worker process should be
   recycled. psz_reason_unhealthy is an LPSTR describing why. */
BOOL bResult = pECB->ServerSupportFunction(
    pECB->ConnID,
    HSE_REQ_REPORT_UNHEALTHY,
    psz_reason_unhealthy,
    NULL,
    NULL);
```

    ASP Hang Detection: used to detect when ASP threads block in components.

    [REPORT_UNHEALTHY]

    Must have health detection enabled. The ISAPI extension reports that it's unhealthy; after the next ping, the worker process requests a recycle from WAS.

    [asp hang detection]

    - ASP is usually able to time out a script in most cases
    - Except when threads are blocked in a component
    - This is where ASP Hang Detection fits in: max threads spawned -> ASP.DLL calls HSE_REQ_REPORT_UNHEALTHY -> worker process recycles

    Many times an attacked or compromised machine will hang; this allows the process to recycle, effectively killing the session along with any compromise. Not perfect, but helpful.

  • Health Detection
    Crash Detection & Rapid Fail Protection

    - WAS detects process crashes/AVs
    - On failure: publish an event to the event log; check the crash count; if (crash count > max crashes in time limit) disable the app pool, else start a new process
    - Rapid Fail Protection: only allow x crashes in y minutes; return 503s when invoked

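    An added example, not code from the slides or from WAS itself, that simulates the health logic of the Countering DoS and Health Detection slides together: a periodic ping, an HSE_REQ_REPORT_UNHEALTHY report that leads to an overlapping recycle on the next ping, and Rapid Fail Protection that disables the pool once the crash count inside the time window exceeds the maximum, after which requests get 503. The timeline, the event-log list and the process ids are constructed; the constructor defaults of 5 crashes in 5 minutes are the IIS 6 defaults, and the `>` comparison follows the slide's pseudo-code.

```python
# Added example, not from the slides: a simulation of WAS's pings, unhealthy
# reports, overlapping recycle and Rapid Fail Protection. Constructed model.
from collections import deque
from typing import Deque, List, Optional, Tuple


class WorkerProcess:
    _next_pid = 1000  # constructed pids, so events are readable

    def __init__(self) -> None:
        WorkerProcess._next_pid += 1
        self.pid = WorkerProcess._next_pid
        self.unhealthy_reason: Optional[str] = None

    def report_unhealthy(self, reason: str) -> None:
        """What an ISAPI (or ASP.DLL's hang detection) does via HSE_REQ_REPORT_UNHEALTHY."""
        self.unhealthy_reason = reason


class AppPoolSupervisor:
    def __init__(self, max_crashes: int = 5, window_minutes: int = 5) -> None:
        self.max_crashes = max_crashes
        self.window = window_minutes * 60            # seconds
        self.crash_times: Deque[float] = deque()
        self.enabled = True
        self.events: List[Tuple[float, str]] = []    # stand-in for the event log
        self.worker = WorkerProcess()

    def ping(self, now: float) -> str:
        """Periodic health ping. A worker that has reported unhealthy is replaced;
        the new process exists before the old one goes away (overlapping recycle)."""
        if self.worker.unhealthy_reason is None:
            return "healthy"
        old = self.worker
        self.worker = WorkerProcess()
        self.events.append((now, f"recycled pid {old.pid}: {old.unhealthy_reason}"))
        return "recycled"

    def on_crash(self, now: float) -> str:
        """Crash/AV detected: log it, count it, then restart or disable the pool."""
        self.events.append((now, f"pid {self.worker.pid} crashed"))
        self.crash_times.append(now)
        while self.crash_times and now - self.crash_times[0] > self.window:
            self.crash_times.popleft()               # only crashes inside the window count
        if len(self.crash_times) > self.max_crashes:  # the slide's "crash count > max crashes"
            self.enabled = False
            self.events.append((now, "rapid fail protection: application pool disabled"))
            return "disabled"
        self.worker = WorkerProcess()
        return "restarted"

    def status_for_request(self) -> int:
        """HTTP.SYS answers for a disabled pool with 503 Service Unavailable."""
        return 503 if not self.enabled else 200
```

    The window is a sliding one: a crash older than y minutes drops out of the count, so a pool that fails once a day is restarted each time rather than disabled.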

  • ASP.NET Secure Config

    - ASP.NET Security Layers
    - Configuring ASP.NET Security
    - Server-side Input Validation
  • ASP.NET Security Layers

    - IIS: authentication; URLScan (not specific to ASP.NET); static file ACLs
    - ASP.NET: Web Service Extensions; authorization by role and URL; file access by ASP mapped extensions

    The authenticated user requires NTFS read permissions to all of the files involved in the scenario. The only variable is regarding which gatekeeper is used to enforce access control. The ASP.NET process account only requires read access to the ASP.NET registered file types.

  • ASP.NET Accounts

    - When ASP.NET is enabled a new account is created, ASPNET, and a new group, IIS_WPG
    - Configurable in the IIS Service Manager MMC
    - For multiple pools requiring complete isolation: create low-privilege accounts for each pool; add them to the IIS_WPG group; configure each pool with the appropriate identity
    - Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
    - Be careful of code-behind files that are being accessed; set ACLs appropriately (aspx.cs, aspx.vb)
  • ASP.NET Config Files

    - Understanding the .config files: XML files with Web and App settings
    - ACL these files tightly: remove Users and Power Users
    - Hierarchical application of security settings: Machine.config -> Web.config (for all ASP.NET apps) -> App1 Web.config (individual app settings); resultant = inherited settings
    - Settings: AuthN; AuthZ by users and roles (Domain and Forms); HTTP verbs allowed/disallowed; URLs; file access
    - Don't put connection strings or user names/passwords in here!!
  • Users and Roles

    Web.config tag:

  • More Granular Control

    Web.config tag:

    Note: * = all users; HTTP verbs can also be specified within the tag.

    This is a forms-based config. Be sure to highlight the flexibility that forms provides in the AuthZ space.
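    An added example, not from the slides or from ASP.NET itself, that models the Users and Roles and More Granular Control slides on top of the config hierarchy from the ASP.NET Config Files slide: `<allow>`/`<deny>` rules with `users`, `roles` and `verbs` attributes are parsed from three constructed fragments (machine, site, app) and evaluated for a principal and an HTTP verb. The merge order (the app's own rules first, then the inherited ones) and the first-match semantics are ASP.NET's documented behaviour and are the assumption this model rests on; the fragments, user names and role names are constructed.

```python
# Added example, not from the slides: an evaluator for hierarchical ASP.NET
# <authorization> rules. Config fragments below are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    action: str                                     # "allow" or "deny"
    users: List[str] = field(default_factory=list)  # "*" = all users, "?" = anonymous
    roles: List[str] = field(default_factory=list)
    verbs: List[str] = field(default_factory=list)  # empty = every HTTP verb


@dataclass
class Principal:
    name: Optional[str]                             # None = anonymous request
    roles: List[str] = field(default_factory=list)


def parse_authorization(xml_text: str) -> List[Rule]:
    """Turn an <authorization> fragment into Rule objects in document order."""
    def split(attr: str) -> List[str]:
        return [v.strip() for v in attr.split(",") if v.strip()]
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append(Rule(el.tag, split(el.get("users", "")),
                              split(el.get("roles", "")), split(el.get("verbs", ""))))
    return rules


def rule_matches(rule: Rule, who: Principal, verb: str) -> bool:
    if rule.verbs and verb.upper() not in {v.upper() for v in rule.verbs}:
        return False
    for u in rule.users:
        if u == "*" or (u == "?" and who.name is None):
            return True
        if who.name is not None and u.lower() == who.name.lower():
            return True
    mine = {r.lower() for r in who.roles}
    return any(r.lower() in mine for r in rule.roles)


def effective_rules(levels: List[List[Rule]]) -> List[Rule]:
    """levels run machine.config -> site web.config -> app web.config; the nearest
    config's rules are checked first, so a child can override a parent."""
    merged: List[Rule] = []
    for level in reversed(levels):
        merged.extend(level)
    return merged


def is_authorized(levels: List[List[Rule]], who: Principal, verb: str) -> bool:
    """First matching rule decides; nothing matching means allowed (machine.config's
    allow users="*" is what normally catches that case)."""
    for rule in effective_rules(levels):
        if rule_matches(rule, who, verb):
            return rule.action == "allow"
    return True


# Constructed fragments: machine-wide default, a site that denies anonymous users,
# and one app in which only the Admins role may POST (anyone authenticated may GET).
MACHINE_CONFIG = '<authorization><allow users="*"/></authorization>'
SITE_WEB_CONFIG = '<authorization><deny users="?"/></authorization>'
APP_WEB_CONFIG = """<authorization>
  <allow roles="Admins" verbs="POST"/>
  <deny users="*" verbs="POST"/>
</authorization>"""
LEVELS = [parse_authorization(c) for c in (MACHINE_CONFIG, SITE_WEB_CONFIG, APP_WEB_CONFIG)]
```

    Because the first match wins, the order of the `<deny users="*" verbs="POST"/>` line relative to the `<allow roles="Admins" .../>` line is what makes the app's POST restriction work; swapping them would deny Admins too.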

  • ASP.NET Server-side Validation
    C# Example (1) The Control

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

void ValidateBtn_OnClick(object sender, EventArgs e)
{
    // Page.IsValid reflects every validator on the page, including the server-side one below
    if (Page.IsValid)
    {
        lblOutput.Text = "Page is valid.";
    }
    else
    {
        lblOutput.Text = "Page is not valid!";
    }
}

void ServerValidation(object source, ServerValidateEventArgs args)
{
    try
    {
        Regex r = new Regex(@"^\d{4}$"); // Digits only, exactly 4
        // args.Value is the text of the control being validated
        if (!r.Match(args.Value).Success)
            throw new FormatException("Invalid ID");
        args.IsValid = true;
    }
    catch (FormatException)
    {
        // Report the failure through args.IsValid rather than letting the exception escape
        args.IsValid = false;
    }
}
```

  • ASP.NET Server-side Validation
    C# Example (2) Hooking the Control

    My CustomValidator Example


    Use both client-side and server-side input validation. Client-side validation is too easily bypassed!!!

  • Scanning & Tools

    - Scanning an IIS 6 default box
    - Scanning an ASP.NET enabled box
    - Log Parser
    - IISLockDown/URLScan
    - Web Extensions
  • Summary

    - Completely new architecture: kernel-mode request handling; complete application isolation
    - Secure defaults: at the code level; at deployment (a default IIS box is only a static web server; admin must turn on what is needed)
    - IIS/ASP.NET focus on app-layer security: Web Service Extensions; URLScan; ASP.NET .config files; server-side controls
    - > 10,000 sites already live on IIS 6.0; microsoft.com running production since RC1
  • Questions ???

    [Figure: tiers shown on the closing slide: Browser, Web Server, Logic/Web Svcs, Data.]