Iis 6.0 Security Architecture


IIS 6.0 SECURITY ARCHITECTURE
It's a Whole New World
Michael Muckin
Security Architect
Microsoft Consulting Services

Agenda
Setting the Stage
IIS 6.0 Security design
ASP.NET Security Config
Scanning & Tools
Hardening IIS 6.0

Demos throughout

Setting the Stage

No news that IIS is a primary target
What is this Security Push and Trustworthy Computing?
IIS 6.0 should be tangible evidence of these initiatives

Vulnerability Trends
(Chart: the vertical axis lists the layers Application, OS, Network and Physical, the horizontal axis Data and Browser; trend labels on the chart are Increasing, Decreasing and Leveling out.)

IIS 6.0 Security Design

Product quality
  Improve design, coding, and testing practices
  Fewer vulnerabilities out of the box
Security conscious architecture
  Reduced attack surface
Defense in depth
  Limit the possible damage should new vulnerabilities be discovered
Always up-to-date
  Make it practical to keep systems up-to-date with the latest software patches

Product Quality
Security stand-down
Development practices
  /GS
  Prefix/Prefast runs
  Single String Class
  QFE and IIS core team merged
  Code review for every change
External reviews keep us honest
Removed legacy code
Security design review for every feature
Extensive test infrastructure
  External tools
  Internal tools
  IIS tools
    Buffer overflow scanner
    Cross-site scripting
    Fault injection in regular test runs

Reduced Attack Surface

Windows Server 2003 disables 20+ Services
IIS is not installed on Windows Server 2003
If you install IIS:

IIS components                  IIS 5.0 clean install   IIS 6.0 clean install
Static file support             enabled                 enabled
ASP                             enabled                 disabled
Server-side includes            enabled                 disabled
Internet Data Connector         enabled                 disabled
WebDAV                          enabled                 disabled
Index Server ISAPI              enabled                 disabled
Internet Printing ISAPI         enabled                 disabled
CGI                             enabled                 disabled
Frontpage Server Extensions     enabled                 disabled
Password Change Functionality   enabled                 disabled
SMTP                            enabled                 disabled
FTP                             enabled                 disabled

Vulnerability Distribution
(Chart: vulnerabilities per web server component, web server only, plotted against severity; the components shown are listed below.)

Web Server Components
  IIS Core
  ASP
  Server-side includes (SSINC.DLL)
  Internet Data Connector (HTTPODBC.DLL)
  WebDAV (HTTPEXT.DLL)
  Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
  Internet Printing ISAPI (MSW3PRT.DLL)
  Frontpage Server Extensions (div.)
  Password Change

Defense In Depth
Buffer overflows
New Low Privilege accts: Network Service (default) and Local Service
Default Privileges:
  SeAssignPrimaryTokenPrivilege
  SeSecurityPrivilege
  SeSystemtimePrivilege
  SeAuditPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
vs. the LocalSystem account which has almost every system Privilege (21 total)

Defense In Depth
Canonicalization issues
  Rigorous and restrictive parsing
  Default handler is restricted to a list of known extensions
Denial-of-service attacks
  Fault-tolerant infrastructure
  Limits
Cross-site scripting issues
  ASP.NET data validation controls
Executing command-line scripts
  Secure defaults: don't allow anonymous account to execute *.exes
Site defacements
  No write access for anonymous account in home dir

Secure By Default
Secure Defaults I

No executable VDirs
  /SCRIPTS and /MSADC
Secure timeouts and limits
  16k request limit
Old legacy code removed
  ISM.DLL/.HTR
  Sub-authentication
Known extensions
  Check if file exists

Secure By Default
Secure Defaults II

Strong ACLs on
  Logfiles
  Custom error directory
  Cache directories
    Persistent ASP template cache
    Compression cache
IE Shipped in Hardened State on all Servers
  Admin must add Zones/settings as desired
ASP
  ASPEnableParentPath = FALSE
  Hang detection
  4MB response buffer limit
  Internal health detection

Secure By Default
Secure Defaults III

Restrictive URL Canonicalization
Hostname and URL rules
  A raw byte must be URL_TOKEN, per RFC 2396 and 2732
    Alphanumeric: A..Z a..z 0..9
    Hex-Escaped: %xx or %uNNNN
    Mark: - _ . ! ~ * ' ( )
    Reserved: ; / ? : @ & = + $ , [ ]
    Unwise: { } | \ ^ `
    But Not: 0x00-0x1F 0x7F " # < >
NTFS canonicalization
  \\?\
  Streams outlawed
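The token rules above, turned into a checker as an added example (this is not IIS code): each raw byte of the request path must belong to one of the listed classes or form a well-formed %xx / %uNNNN escape, and the NTFS rules reject the \\?\ prefix and stream syntax. Treating a colon in the path as stream syntax and rejecting unescaped bytes >= 0x80 are assumptions made here.

```python
import re

# Token classes exactly as the slide lists them (RFC 2396 / RFC 2732).
ALPHANUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
MARK = set("-_.!~*'()")
RESERVED = set(";/?:@&=+$,[]")
UNWISE = set("{}|\\^`")
URL_TOKEN = ALPHANUM | MARK | RESERVED | UNWISE
# Raw bytes the slide rejects outright: controls, DEL, and " # < >.
FORBIDDEN = {chr(c) for c in range(0x20)} | {"\x7f", '"', "#", "<", ">"}
# Hex escapes the slide allows: %xx or %uNNNN.
HEX_ESCAPE = re.compile(r"%(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})")


def check_raw_url(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for the raw abs_path of a request line.

    Walks the URL byte by byte; every byte must be a token from the slide's
    classes or part of a well-formed hex escape. Bytes >= 0x80 are in no
    class, so they are rejected (assumption: they must arrive escaped).
    """
    text = raw.decode("latin-1")  # one byte -> one character, no surprises
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%":
            m = HEX_ESCAPE.match(text, i)
            if m is None:
                return False, f"malformed hex escape at offset {i}"
            i = m.end()
            continue
        if ch in FORBIDDEN:
            return False, f"forbidden byte 0x{ord(ch):02x} at offset {i}"
        if ch not in URL_TOKEN:
            return False, f"non-token byte 0x{ord(ch):02x} at offset {i}"
        i += 1
    # NTFS canonicalization rules from the same slide.
    if "\\\\?\\" in text:
        return False, "NTFS \\\\?\\ prefix is not allowed"
    path = text.split("?", 1)[0]  # query string excluded from the stream check
    if ":" in path:
        # Assumption: a colon inside the path is stream syntax (name::$DATA).
        return False, "NTFS stream syntax is not allowed"
    return True, "ok"
```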

Security Conscious Architecture
Compartmentalization
  Third-Party code runs only in Worker Processes
  Powerful sandboxing
  HTTP pre-request logging

Rearchitecting IIS
A review of IIS5
(Diagram: in user mode, INETINFO.EXE hosts the ISAPI Filters and Extensions and the Metabase; out-of-process ISAPI Extensions run in separate DLLHost.EXE processes; WinSock 2.0 sits between user mode and the kernel-mode TCP/IP stack.)

IIS 6.0 Request Processing
(Diagram: in user mode, Inetinfo hosts FTP, NNTP and SMTP; the WWW Service (Administration & Monitoring) reads the XML Metabase and manages the Application Pools; in kernel mode, IIS 6.0's HTTP.SYS takes the HTTP Request, answers from its Cache or places it in the Queue for the pool, and returns the Response.)

Rearchitecting IIS
A New Architecture for IIS6
GOAL: prevent apps from affecting system health
Web service in INETINFO split out to do this:
  HTTP.SYS: kernel mode listener and request router
  WAS: config and process manager
  W3 Core: where apps get loaded
(Diagram: multiple W3 Cores in user mode, each hosting a web app, managed by WAS, with HTTP.SYS in the kernel.)

Rearchitecting IIS
HTTP.SYS

What is it?
  Kernel-mode HTTP stack/listener
  Always running
Reliability Features
  Process routing based on URL
  Request queues: kernel-mode queuing
Performance Features
  Kernel-mode response cache
  Text-based and binary logging

Rearchitecting IIS
HTTP.SYS
(Diagram: a REQUEST arrives from TCP/IP at the Listener, goes through the HTTP Parser and HTTP Engine, is checked against the Response Cache, and the Namespace Mapper places it in one of several Request Queues exposed to user mode through the HTTP.SYS API; the worker answers via Send Response.)

Rearchitecting IIS
Web Admin Service (WAS)

Application Manager
  Manages lifetime of W3 Core(s)
Configuration Manager
  Configures HTTP.SYS
No application code
  Ensures reliability
  Easier to identify problems
Hosted in SVCHOST.exe

Rearchitecting IIS
W3 Core

What is it?
  Main web processing DLL responsible for processing web requests
Mini-web server
  Contains all web request processing functionality
  Loads ISAPI filters and extensions
  Separates request processing from the rest of the web server

Application Pools
Application Isolation in Processes

Can create 1 or more application pools
Each served by 1 or more processes.
Each worker process serves only 1 pool.
Reqs routed directly to pool by HTTP.sys
Isolate apps based on:
  Site/Customer
  Functionality
  Reliability

Application Pooling
Configurable Worker Process ID

Worker process can be started as:
  Network Service (default)
  Local System
  Local Service
  Configured ID

Recycling
What is it and Why use it?

What is it?
  Periodically restart applications based on:
    Uptime
    # of requests
    Scheduled time
    Memory consumption
    On-demand
Why use it?
  Refresh apps to ensure availability
  Prevent bad apps from taking over the system

Recycling
Overlapping Recycle
(Diagram: WAS starts a New Worker Process (Web Proc. Core DLL with ISAPI Exts & Filters) alongside the Old Worker Process; when the new process reports "ready" after startup, HTTP.SYS routes requests to it and the old process becomes ready for shut down.)

Countering DoS
ISAPI Interaction: REPORT_UNHEALTHY

HSE_REQ_REPORT_UNHEALTHY
Goal: allow an ISAPI to report to IIS that it needs to be recycled.
    // psz_reason_unhealthy: null-terminated string IIS records with the recycle event
    bResult = pECB->ServerSupportFunction(
        pECB->ConnID,
        HSE_REQ_REPORT_UNHEALTHY,
        psz_reason_unhealthy,   // lpvBuffer: reason text
        NULL,                   // lpdwSize: not used for this request
        NULL                    // lpdwDataType: not used for this request
    );

ASP Hang Detection

Used to detect when ASP threads block in components

Health Detection
Crash Detection & Rapid Fail Protection

WAS detects process crash/AVs
On failure:
  Publish event to event log
  Check crash count
  If (Crash count > Max Crashes in time limit)
    Disable app pool
  Else start new process
Rapid Fail Protection
  Only allow x crashes in y minutes
  Return 503s when invoked
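The crash-handling procedure above, modelled as an added example (this is not WAS code): each crash publishes an event, is counted in a sliding window of y minutes, and the pool is disabled once more than x crashes fall inside the window, after which requests get 503. The event list stands in for the Windows event log, and the defaults of 5 crashes in 5 minutes are an assumption.

```python
from collections import deque


class RapidFailProtection:
    """WAS crash-handling loop from the slide, in miniature.

    on_worker_crash() publishes an event, counts the crash in a sliding
    window of window_minutes, and either restarts the worker or, when the
    count exceeds max_crashes (the slide's "Crash count > Max Crashes"),
    disables the application pool. Defaults are assumed, not from the slide.
    """

    def __init__(self, max_crashes: int = 5, window_minutes: int = 5) -> None:
        self.max_crashes = max_crashes
        self.window_seconds = window_minutes * 60
        self.crash_times: deque[float] = deque()
        self.disabled = False
        self.events: list[str] = []  # stands in for the Windows event log

    def on_worker_crash(self, now: float) -> str:
        """Handle one crash/AV at time `now` (seconds). Returns the action."""
        self.events.append(f"t={now:.0f}s: worker process failure detected")
        if self.disabled:
            return "disable"  # pool already stopped; nothing to restart
        self.crash_times.append(now)
        # Forget crashes that fell out of the y-minute window.
        while self.crash_times and now - self.crash_times[0] > self.window_seconds:
            self.crash_times.popleft()
        if len(self.crash_times) > self.max_crashes:
            self.disabled = True
            self.events.append(f"t={now:.0f}s: app pool disabled by rapid fail protection")
            return "disable"
        return "restart"  # start a new worker process

    def handle_request(self) -> int:
        """Status HTTP.SYS returns for a request queued to this pool."""
        return 503 if self.disabled else 200
```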

ASP.NET Secure Config

ASP.NET Security Layers
Configuring ASP.NET Security
Server-side Input Validation

ASP.NET Security Layers

IIS
  Authentication
  URLScan (not specific to ASP.NET)
  Static file ACLs
ASP.NET
  Web Service Extensions
  Authorization by Role and URL
  File access by ASP mapped extensions

ASP.NET Accounts
When ASP.NET is enabled a new account is created, ASPNET, and a new Group, IIS_WPG
Configurable in IIS Service Manager MMC
For multiple Pools requiring complete isolation:
  Create low-priv accounts for each Pool
  Add to IIS_WPG group
  Config each Pool with appropriate Identity
Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
Careful of code-behind files that are being accessed: set ACLs appropriately (aspx.cs,

ASP.NET Config Files

Understanding the .Config files
  XML files with Web and App settings
  ACL these files tightly
  Remove Users and Power Users
Hierarchical application of security settings
  Machine.config
  Web.config (For all ASP.NET apps)
  App1 -> Web.config (Individual App settings)
  Resultant = inherited settings
Settings:
  AuthN, AuthZ by Users, Roles (Domain and Forms)
  HTTP Verbs Allowed/Disallowed
  URLs
  File access
Don't put Connection Strings or User/Pwds in here!!

Users and Roles

Web.config <system.web> tag:
<authorization>
    <allow users="Sue, Joe"/>
    <deny users="?"/>
</authorization>
----------------------------------
<authorization>
    <allow verbs="HEAD, GET, POST" roles="Administrators"/>
    <allow verbs="HEAD, GET, POST" roles="Users"/>
    <deny users="?"/>
</authorization>

Note: ? = all unauthenticated users

More Granular Control

Web.config <location> tag:
<location path="ListUsers.aspx">
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="AdminLogin.aspx" protection="All"/>
        </authentication>
        <authorization>
            <allow users="admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Note: * = all users; HTTP Verbs can also be specified within the <location> tag
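To show how the rules on this and the previous slide are evaluated, here is an added Python model of ASP.NET URL authorization (not ASP.NET's own code): rules run top-down, the first rule matching the user, role or verb decides, ? matches anonymous and * everyone, <location> rules are checked before the site-wide ones, and a request no rule matches is allowed. The sample web.config is constructed from the two slides' fragments.

```python
import xml.etree.ElementTree as ET

# Constructed from the slide examples: site-wide rules plus a <location> override.
WEB_CONFIG = """<configuration>
  <location path="ListUsers.aspx"><system.web><authorization>
    <allow users="admin"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <system.web><authorization>
    <allow verbs="HEAD, GET, POST" roles="Administrators"/>
    <allow verbs="HEAD, GET, POST" roles="Users"/>
    <deny users="?"/>
  </authorization></system.web>
</configuration>"""


def _names(attr):
    """Split a comma-separated attribute into lower-cased names."""
    return [v.strip().lower() for v in (attr or "").split(",") if v.strip()]


def _rules(node):
    """Collect (action, users, roles, verbs) from node's <system.web><authorization>."""
    auth = next((sw.find("authorization") for sw in node if sw.tag == "system.web"), None)
    if auth is None:
        return []
    return [(el.tag, _names(el.get("users")), _names(el.get("roles")),
             [v.upper() for v in _names(el.get("verbs"))])
            for el in auth if el.tag in ("allow", "deny")]


def is_authorized(config_xml, path, verb, user, roles=()):
    """Apply ASP.NET URL authorization: the first matching rule wins."""
    root = ET.fromstring(config_xml)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            rules += _rules(loc)      # most specific config is evaluated first
    rules += _rules(root)
    anonymous = user is None
    user = (user or "").lower()
    roles = {r.lower() for r in roles}
    for action, users, rule_roles, verbs in rules:
        if verbs and verb.upper() not in verbs:
            continue                  # rule is limited to other HTTP verbs
        user_hit = "*" in users or ("?" in users and anonymous) or user in users
        role_hit = bool(roles & set(rule_roles))
        if user_hit or role_hit:
            return action == "allow"
    return True  # nothing matched: machine.config's default <allow users="*"/> applies
```

Note the DELETE case in the checks: the verb-restricted allow rules are skipped and the trailing deny covers only anonymous users, so an authenticated user falls through to the default allow. A closing `<deny users="*"/>` is what turns the rule set into a closed policy.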

ASP.NET Server-side Validation
C# Example (1) The Control

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<html>
<head>
<script runat="server">
void ValidateBtn_OnClick(object sender, EventArgs e)
{
    if (Page.IsValid)
    {
        lblOutput.Text = "Page is valid.";
    }
    else
    {
        lblOutput.Text = "Page is not valid!";
    }
}

void ServerValidation(object source, ServerValidateEventArgs args)
{
    try
    {
        Regex r = new Regex(@"^\d{4}$"); // Digits only, exactly 4
        if (!r.Match(args.Value).Success) // validate the submitted text, not the event args object
            throw new Exception("Invalid ID");
        args.IsValid = true;
    }
    <snip>
</script>
</head>

ASP.NET Server-side Validation
C# Example (2) Hooking the Control

<form runat="server">
<h3>My CustomValidator Example</h3>
<asp:Label id="lblOutput" runat="server"
    Text="Part Number:"
    Font-Name="Tahoma" Font-Size="10pt" /><br>
<p>
<asp:TextBox id="Text1" runat="server" />
&nbsp;&nbsp;
<asp:CustomValidator id="CustomValidator1"
    ControlToValidate="Text1"
    OnServerValidate="ServerValidation"
    Display="Static"
    ErrorMessage="Part Number entered is wrong!"
    ForeColor="green"
    Font-Name="Tahoma" Font-Size="10pt" runat="server"/>
<p>
<asp:Button id="Button1" Text="Validate"
    OnClick="ValidateBtn_OnClick" runat="server"/>
</form>

Scanning an IIS 6 Default Box
Scanning an ASP.NET enabled Box
Log Parser
IISLockDown/URLScan
Web Extensions

Summary
Completely new Architecture
  Kernel mode request handling
  Complete Application Isolation
Secure Defaults
  At the Code Level
  Deployment: a default IIS box is only a static web server; Admin must turn on what is needed
IIS/ASP.NET focus on App-layer security
  Web Service Extensions
  URLScan
  ASP.NET .config files
  Server-side Controls
Over 10,000 sites already live on IIS 6.0
microsoft.com running production since RC1

Questions ???
