Presentation is loading. Please wait.

Presentation is loading. Please wait.

IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services.

Published byMadisen Whybrew Modified over 10 years ago

Similar presentations

Presentation on theme: "IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services."— Presentation transcript:

1 IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services

2 Agenda Setting the Stage IIS 6.0 Security design ASP.NET Security Config Scanning & Tools Hardening IIS 6.0 Demos throughout

3 Setting the Stage No news that IIS is a primary target What is this Security Push and Trustworthy Computing? IIS 6.0 should be tangible evidence of these initiatives

4 Vulnerability Trends Physical Network OS Application VerticalVerticalVerticalVertical Horizontal Decreasing – Leveling out Increasing

5 IIS 6.0 Security Design Product quality Improve design, coding, and testing practices Fewer vulnerabilities out of the box Security conscious architecture Reduced attack surface Defense in depth Limit the possible damage should new vulnerabilities be discovered Always up-to-date Make it practical to keep systems up-to-date with the latest software patches

6 Product Quality Security stand-down Development practices /GS Prefix/Prefast runs Single String Class QFE and IIS core team merged Code review for every change External reviews keep us honest Removed legacy code Security design review for every feature Extensive test infrastructure External tools Internal tools IIS tools Buffer overflow scanner Cross-site scripting Fault injection in regular test runs

7 Reduced Attack Surface Windows Server 2003 disables 20+ Services IIS is not installed on Windows Server 2003 If you install IIS… IIS componentsIIS 5.0 clean installIIS 6.0 clean install Static file supportenabledenabled ASPenableddisabled Server-side includesenableddisabled Internet Data Connectorenableddisabled WebDAVenableddisabled Index Server ISAPIenableddisabled Internet Printing ISAPIenableddisabled CGIenableddisabled Frontpage Server Extensionsenableddisabled Password Change Functionalityenableddisabled SMTPenableddisabled FTPenableddisabled ASP.NETXdisabled BITSXdisabled

8 Vulnerability Distribution Web-Server only Web Server ComponentsSeverity IIS Core ASP Server-side includes (SSINC.DLL) Internet Data Connector (HTTPODBC.DLL) WebDAV (HTTPEXT.DLL) Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL Internet Printing ISAPI (MSW3PRT.DLL Frontpage Server Extensions (div.) Password Change Functionality (ISM.DLL)

9 Defense In Depth Buffer overflows New Low Privilege accts: Network Service (default) and Local Service Default Privileges: SeAssignPrimaryTokenPrivilegeSeSecurityPrivilegeSeSystemtimePrivilegeSeAuditPrivilegeSeChangeNotifyPrivilegeSeUndockPrivilege …vs. the LocalSystem account – which has almost every system Privilege (21 total)

10 Defense In Depth Canonicalization issues Rigorous and restrictive parsing Default handler is restricted to a list of known extensions Denial-of-service attacks Fault-tolerant infrastructure Limits Cross-site scripting issues ASP.NET data validation controls Executing command-line scripts Secure defaults: dont allow anonymous account to execute *.exes Site defacements No write access for anonymous account in home dir

11 Secure By Default Secure Defaults I No executable VDirs /SCRIPTS and /MSADC Secure timeouts and limits 16k request limit Old legacy code removed ISM.DLL/.HTRSub-authentication Known extensions Check if file exists X X X X X X

12 Secure By Default Secure Defaults II Strong ACLs on Logfiles Custom error directory On cache directories Persistent ASP template cache Compression cache IE Shipped in Hardened State on all Servers Admin must add Zones/settings as desired ASP ASPEnableParentPath = FALSE Hang detection 4MB response buffer limit Internal health detection

13 Secure By Default Secure Defaults III Restrictive URL Canonicalization Hostname and URL rules A raw byte must be URL_TOKEN, per RFC 2396 and 2732 Alphanumeric: A..Z a..z 0..9 Hex-Escaped: %xx or %uNNNN Mark: - _. ! ~ * ' ( ) Reserved: ; / ? : @ & = + $, [ ] Unwise: { } | \ ^ ` But Not: 0x00-0x1F 0x7F " # But Not: 0x00-0x1F 0x7F " # NTFS canonicalization \\?\ Streams outlawed

14 Security Conscious Architecture Compartmentalization Third-Party code runs only in Worker Processes Powerful sandboxing HTTP pre-request logging

15 DLLHost.EXE ISAPI Extensions DLLHost.EXE ISAPI Extensions Rearchitecting IIS A review of IIS5 TCP/IP kernel user WinSock 2.0 INETINFO.EXE Metabase ISAPI Filters and Extensions DLLHost.EXE ISAPI Extensions INETINFO.EXE Metabase ISAPI Filters and Extensions

16 IIS 6.0 Request Processing Administration&MonitoringAdministration&Monitoring WWW Service HTTP CacheQueue Kernel mode User mode XMLMetabase Inetinfo FTPFTP NNTPNNTP SMTPSMTP IIS 6.0 RequestResponse Application Pools … X

17 Rearchitecting IIS A New Architecture for IIS6 GOAL: prevent apps from affecting system health Web service in INETINFO split out to do this: HTTP.SYS: kernel mode listener and request router WAS: config and process manager W3 Core: where apps get loaded Multiple W3 Cores WAS W3 Core web app HTTP.SYS kernel

18 Rearchitecting IIS HTTP.SYS What is it? Kernel-mode HTTP stack/listener Always running Reliability Features Process routing based on URL Request queues: kernel-mode queuing Performance Features Kernel-mode response cache Text-based and binary logging

19 Rearchitecting IIS HTTP.SYS TCP/IP HTTP.SYS Send Response ResponseCache Response Cache HTTP.SYS API Listener Namespace Mapper HTTP Engine HTTP Parser Req. Queue REQUEST

20 Rearchitecting IIS Web Admin Service (WAS) Application Manager Manages lifetime of W3 Core(s) Configuration Manager Configures HTTP.SYS No application code Ensures reliability Easier to identify problems Hosted in SVCHOST.exe

21 Rearchitecting IIS W3 Core What is it? Main web processing DLL responsible for processing web requests Mini-web server Contains all web request processing functionality Loads ISAPIs – filters and extensions Separates request processing from rest of web server

22 Application Pools Application Isolation in Processes Can create 1 or more application pools Each served by 1 or more processes. Each worker process serves only 1 pool. Reqs routed directly to pool by HTTP.sys Isolate apps based on: Site/CustomerFunctionalityReliability

23 Application Pooling Configurable Worker Process ID Worker process can be started as: Network Service (default) Local System Local Service Configured ID

24 Recycling What is it and Why use it? What is it? Periodically restart applications based on: Uptime # of requests Scheduled time Memory consumption On-demand Why use it? Refresh apps to ensure availability Prevent bad apps from taking over the system

25 Recycling Overlapping Recycle kernel user WAS HTTP.SYS Old Worker Process ISAPI Exts & Filters Web Proc. Core DLL Ready for Recycle New Worker Process ISAPI Exts & Filters Web Proc. Core DLL Shut down Request startup ready Request

26 Countering DoS ISAPI Interaction – REPORT_UNHEALTHY HSE_REQ_REPORT_UNHEALTHY Goal: allow an ISAPI to report to IIS that it needs to be recycled. bResult = pECB-> ServerSupportFunction( pECB->ConnID,HSE_REQ_REPORT_UNHEALTHY,psz_reason_unhealthy,NULL,NULL); ASP Hang Detection Used to detect when ASP threads block in components

27 Health Detection Crash Detection & Rapid Fail Protection WAS detects process crash/AVs On failure Publish event to event log Check crash count If (Crash count > Max Crashes in time limit) Disable app pool Else start new process Rapid Fail Protection Only allow x crashes in y minutes Return 503s when invoked

28 ASP.NET Secure Config ASP.NET Security Layers Configuring ASP.NET Security Server-side Input Validation

29 ASP.NET Security Layers IISAuthentication URLScan (not specific to ASP.NET) Static file ACLs ASP.NET Web Service Extensions Authorization by Role and URL File access by ASP mapped extensions

30 ASP.NET Accounts When ASP.NET is enabled – a new account is created: ASPNET – and a new Group IIS_WPG Configurable in IIS Service Manager MMC For multiple Pools requiring complete isolation: Create low-priv accounts for each Pool Add to IIS_WPG group Config each Pool with appropriate Identity Both ASPNET and the IUSR_xxxx accounts need Read and Execute (ntfs) access to ASP.NET files (.aspx,.asmx, etc.) Careful of code-behind files that are being accessed – set ACLs appropriately – (aspx.cs, aspx.vb)

31 ASP.NET Config Files Understanding the.Config files XML files with Web and App settings ACL these files tightly Remove Users and Power Users Hierarchical application of security settings Machine.config Web.config (For all ASP.NET apps) App1 -> Web.config (Individual App settings) Resultant = inherited settings Settings: AuthN, AuthZ by Users, Roles (Domain and Forms) HTTP Verbs Allowed/Disallowed URLs File access Dont put Connection Strings or User/Pwds in here !!

32 Users and Roles Web.config – tag:<authorization> </authorization>-----------------------------------<authorization> <allow verbs=HEAD, GET, POST <allow verbs=HEAD, GET, POST roles="Administrators"/> roles="Administrators"/> <allow verbs=HEAD, GET, POST <allow verbs=HEAD, GET, POST roles="Users"/> roles="Users"/> </authorization> Note: ? = all unauthenticated users

33 More Granular Control Web.config – tag: <forms loginUrl="AdminLogin.aspx" <forms loginUrl="AdminLogin.aspx" protection="All"/> protection="All"/> </location> Note: * = all users; HTTP Verbs can also be specified within the tag

34 ASP.NET Server-side Validation C# Example (1) – The Control <html><head> void ValidateBtn_OnClick(object sender, EventArgs e) { if (Page.IsValid) if (Page.IsValid) { lblOutput.Text = "Page is valid."; lblOutput.Text = "Page is valid."; } else else { lblOutput.Text = "Page is not valid!"; lblOutput.Text = "Page is not valid!"; } } void ServerValidation (object source, ServerValidateEventArgs args) void ServerValidation (object source, ServerValidateEventArgs args) { try try { Regex r = new Regex(@"^\d{4}$"); # Digits only – exactly 4 if (!r.Match(args).Success) if (!r.Match(args).Success) throw new Exception("Invalid ID"); throw new Exception("Invalid ID"); } … … … … </head>

35 ASP.NET Server-side Validation C# Example (2) – Hooking the Control My CustomValidator Example My CustomValidator Example <asp:Label id=lblOutput runat="server" Text=Part Number:" Font-Name=Tahoma" Font-Size="10pt" /> Font-Name=Tahoma" Font-Size="10pt" /> <p> <asp:CustomValidator id="CustomValidator1" <asp:CustomValidator id="CustomValidator1"ControlToValidate="Text1"OnServerValidate="ServerValidation"Display="Static" ErrorMessage=Part Number entered is wrong!" ForeColor="green" Font-Name=Tahoma" Font-Size="10pt" runat="server"/> <p> <asp:Button id="Button1" Text="Validate" OnClick="ValidateBtn_OnClick" runat="server"/> </form>

36 Scanning an IIS 6 Default Box Scanning an ASP.NET enabled Box Log Parser IISLockDown/URLScan Web Extensions

37 Summary Completely new Architecture Kernel mode request handling Complete Application Isolation Secure Defaults At the Code Level Deployment – Default IIS box is only a static web server – Admin must turn on what is needed IIS/ASP.NET focus on App-layer security Web Service Extensions URLScan ASP.Net.config files Server-side Controls > 10,000 sites already live on IIS 6.0 microsoft.com running production since RC1

38 Questions ???

Download ppt "IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services."

Similar presentations

Securing and Tuning IIS7 Microsoft® Hosting Deployment Accelerator.

Securing and Tuning IIS7 Microsoft® Hosting Deployment Accelerator.
Faith Allington Program Manager Microsoft Corporation WSV322.

Faith Allington Program Manager Microsoft Corporation WSV322.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.

Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
INTRODUCTION TO ASP.NET MVC AND EXAMPLE WALKTHROUGH RAJAT ARYA EFECS - OIM DAWG – 4/21/2009 ASP.NET MVC.

INTRODUCTION TO ASP.NET MVC AND EXAMPLE WALKTHROUGH RAJAT ARYA EFECS - OIM DAWG – 4/21/2009 ASP.NET MVC.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
IIS6 Web Services. Overview Application Platform Features Reliability Features Manageability Features Performance and Scalability Features Security Features.

IIS6 Web Services. Overview Application Platform Features Reliability Features Manageability Features Performance and Scalability Features Security Features.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
IIS v7.0 Martin Parry Developer & Platform Group Microsoft Limited

IIS v7.0 Martin Parry Developer & Platform Group Microsoft Limited
Satisfy Your Technical Curiosity Internet Information Services (IIS) 7.0 End-to-End Overview of Microsoft's New Web Application Server Bart De Smet MVP,

Satisfy Your Technical Curiosity Internet Information Services (IIS) 7.0 End-to-End Overview of Microsoft's New Web Application Server Bart De Smet MVP,
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Internet Information Server (IIS)

Internet Information Server (IIS)
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Reliability and Performance Application protection IIS Reliable Restart Socket pooling Multisite hosting Process throttling Bandwidth throttling.

Reliability and Performance Application protection IIS Reliable Restart Socket pooling Multisite hosting Process throttling Bandwidth throttling.
Building Scalable and Reliable Web Applications Vineet Gupta Technology Evangelist Microsoft Corporation

Building Scalable and Reliable Web Applications Vineet Gupta Technology Evangelist Microsoft Corporation
April-June 2006 Windows Hosting Seminar Series Product Roadmap: IIS 7.0 Matthew Boettcher Web Platform Technical Evangelist (Hosting) Developer & Platform.

April-June 2006 Windows Hosting Seminar Series Product Roadmap: IIS 7.0 Matthew Boettcher Web Platform Technical Evangelist (Hosting) Developer & Platform.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Similar presentations

Ads by Google