IIS and .NET Security

Santosh Kumar Nukavarapu
•   Overview IIS and .NET security
•   Security Features IIS 7.0
•   Authentication in ASP.NET
•   Apache VS IIS
•   XML, .NET and IIS
•   Security Flaws in IIS
•   Code Access Security
               Why Security?
• To stop unauthorized access.

• To provide application-level safety.

• To make sure that the correct response is delivered
  to the client.
          .NET's only Friend: IIS
• IIS authenticates user requests and hands them
  over to ASP.NET.

• ASP.NET looks after authorization.

• Unauthorized accesses are stopped and the
  response is a 401 page.

• Developers set all the security settings
  required for ASP.NET in web.config file.
       Security Features in IIS 7.0
•   Basic Access Authentication
•   Digest Access Authentication
•   Integrated Windows Authentication
•   .NET Passport Authentication
•   Client Certificate Mapping
•   Request Filtering
•   URL Authorization
      Basic Access Authentication
• The web browser provides the credentials.
• The user name is appended with a colon and
  concatenated with the password.
• The result is encoded with Base64.
• Decoding is trivial on the server side, and for anyone
  else who sees the header: Base64 is an encoding, not
  encryption.
• Non-HTTP-compatible characters in the user name
  and password are made compatible through
• It is supported by all major browsers.
      Digest Access Authentication
• The password is not sent in plain text, as it is in Basic.
• MD5 is used.
• HA1 = MD5(username:realm:password)
• HA2 = MD5(method:digestURI)
• Response = MD5(HA1:nonce:HA2)
• Server and client nonces help to prevent replay.
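An added example (not from the slides) showing both schemes as code: decode_basic recovers the plain credentials from a Basic header exactly as any observer of the traffic could, and DigestVerifier computes HA1, HA2 and the response from the formulas above and accepts each server nonce only once, which is the replay defence the last bullet refers to. The realm, user and password values are constructed.

```python
import base64
import hashlib
import secrets


def decode_basic(header_value):
    """Split an 'Authorization: Basic ...' value into (user, password).

    Base64 is an encoding, not encryption: anyone who sees the header
    can do exactly this, which is why Basic needs TLS underneath."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    # The user name may not contain ':', so the first colon separates
    user, _, password = decoded.partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side: HA1, HA2 and response exactly as the slide defines them."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Server side.  Stores HA1 per user (never the password) and accepts
    each nonce it issued exactly once, which is what defeats replay."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user      # username -> HA1 (constructed)
        self.live_nonces = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.live_nonces:
            return False        # never issued, or already consumed: replay
        self.live_nonces.discard(nonce)
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)
```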
  Integrated Windows Authentication
• Passwords are not sent across the network.
• An authenticating mechanism such as Kerberos is
• Windows credentials are used for authentication.
• An NT domain or Active Directory account is
• Good for intranet environments, as clients and
  browsers are on the same network.
• Not suited for non-Microsoft browsers.
     .NET Passport Authentication
• No need for login and logout pages on
  individual sites.
• Centralized sign-in and sign-out.
• Can be customized to maintain the look and
  feel of the site.
• Cookies are strongly encrypted.
• No need to provide credentials again while browsing
  through different participating websites.
• Clicking sign out deletes all the .NET
  Passport cookies that were used for the different
  participating websites.
• No server-to-server communication: all
  communication with the centralized server is
  done through HTTP redirects from the client's
  web browser.
• Example: Windows Live ID
       Client Certificate Mapping
• A certificate is a digital key.
• While accessing the server, this digital key is
  automatically presented for authentication.
• These certificates can be mapped to Windows
  accounts in an Active Directory domain.
• No need for Basic, Digest or Integrated Windows
  authentication, as users are automatically
  authenticated when they log on with a client
• There are three ways to map client certificates:
  Directory Service (DS) mapping, one-to-one
  mapping, and many-to-one mapping.
     Directory Service (DS) mapping
• Directory Service (DS) mapping: Windows Active
  Directory is used to authenticate users with
  client certificates.
• One-to-one mapping: the certificate submitted by
  the client's browser is compared with the
  certificate stored on the server, and the mapping
  is made accordingly.
• Many-to-one mapping: certificates are matched
  against specific criteria, e.g. using wildcards.
                     Request Filtering
• Filter Double-encoded Requests - This feature prevents attacks that rely
  on double-encoded requests.
• Filter High Bit Characters - This feature rejects requests whose URL
  contains non-ASCII (high-bit) characters.
• Filter Based on File Extensions - This feature defines a set of allowed file
  extensions that IIS 7.0 will serve.
• Filter Based on Request Limits - This filter combines three features:
  1. maxAllowedContentLength: the upper limit on the content size.
  2. maxUrl: the upper bound on the URL length.
  3. maxQueryString: the upper bound on the length of a query string.
• Filter by Verbs - This feature defines a list of verbs that IIS 7.0 accepts as
  part of a request.
• Filter Based on URL Sequences - This feature defines a list of sequences
  that IIS 7.0 rejects when one is part of a request.
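An added example (not from the slides or from IIS): a small Python model of the seven request-filtering checks listed above, run over constructed URLs, to show what each rule actually rejects and why the double-encoding check has to run before the URL-sequence check. The limits and allow lists are illustrative values, not IIS 7.0 defaults.

```python
import os
from urllib.parse import unquote

# Constructed policy mirroring the slide's request-filtering features.
# The numbers and lists are illustrative, not IIS 7.0 defaults.
POLICY = {
    "allowed_verbs": {"GET", "POST", "HEAD"},
    "max_url": 260,                      # maxUrl (path part only)
    "max_query_string": 1024,            # maxQueryString
    "max_content_length": 1_000_000,     # maxAllowedContentLength
    "allowed_extensions": {"", ".aspx", ".htm", ".css", ".js", ".png"},
    "deny_url_sequences": ["..", ":", "\\"],
    "allow_high_bit_characters": False,
    "allow_double_escaping": False,
}


def filter_request(verb, raw_url, content_length, policy=POLICY):
    """Return None if the request passes, else the name of the rejecting rule.

    Cheap limits run first; the decoded path is only inspected once
    double escaping has been ruled out, so a second layer of encoding
    cannot hide a denied sequence from the later checks."""
    if verb.upper() not in policy["allowed_verbs"]:
        return "verbs"
    path, _, query = raw_url.partition("?")
    if len(path) > policy["max_url"]:
        return "maxUrl"
    if len(query) > policy["max_query_string"]:
        return "maxQueryString"
    if content_length > policy["max_content_length"]:
        return "maxAllowedContentLength"
    once = unquote(path)
    # A path that still contains %-escapes after one round of decoding
    # was encoded twice (e.g. %252e -> %2e -> '.'): reject it outright.
    if not policy["allow_double_escaping"] and unquote(once) != once:
        return "allowDoubleEscaping"
    if not policy["allow_high_bit_characters"] and any(ord(c) > 127 for c in once):
        return "allowHighBitCharacters"
    for seq in policy["deny_url_sequences"]:
        if seq in once:
            return "denyUrlSequences"
    if os.path.splitext(once)[1].lower() not in policy["allowed_extensions"]:
        return "fileExtensions"
    return None
```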
            URL Authorization

• IIS 7.0 makes URL authorization much easier.
• Previous versions required configuring access
  control lists in the file system.
• Authorization rules are placed on the actual URI
  and not on the file system resources.
• Example: consider three users,
  santosh, kumar and nukavarapu.
• Only kumar is supposed to access kumarSecret.aspx.
• IIS setup
• Create the three accounts and group them via the Windows
  User Manager.
• The same can be done from the command prompt:
  net user santosh <password_of_your_choice> /add
  net user kumar <password_of_your_choice> /add
  net user nukavarapu <password_of_your_choice> /add
  net localgroup kumarAndFriends /add
  net localgroup kumarAndFriends santosh /add
  net localgroup kumarAndFriends kumar /add
  1. Open Explorer and go into the %systemdrive%\inetpub\wwwroot directory.
  2. Create a directory called "secure".
  3. Change into the "secure" directory and create a new file called "default.aspx". You can do this
     with Notepad or any other text editor.
  4. Paste the following code into the default.aspx page:

       <%@ Language="C#" %>
       <%
           // LOGON_USER is empty when the request was not authenticated
           string currentUser = Request.ServerVariables["LOGON_USER"];
           if (currentUser == "")
               currentUser = "anonymous";
           Response.Write("<b>Current User:</b> " + currentUser);
       %>

  5. Create another file called kumarSecret.aspx and paste the following code into it:

       <%@ Language="C#" %>
       <%
           string currentUser = Request.ServerVariables["LOGON_USER"];
           if (currentUser == "")
               currentUser = "anonymous";
           Response.Write("<b>Current User:</b> " + currentUser);
           Response.Write("<br><b>My secret:</b> I used Apache before I discovered IIS7.");
       %>

  6. Now see if the two web pages work by requesting http://localhost/secure/ and
    Configuring URL Authorization
• Now secure the two pages so that only santosh and kumar have access:
  1. Double click the "secure" web directory again and select "Authorization
  2. Remove the "Allow All Users" rule.
  3. Click "Add Allow Rule…", select the "Specified roles or user groups:"
     radio button, add "kumarAndFriends" and click the "OK" button.
  4. Close all Internet Explorer windows, because Internet Explorer caches
     the credentials that you entered in the previous step.
  5. Open Internet Explorer and try to access the page using nukavarapu's
     credentials (the user who is not in the group). You do not get access.
  6. Now try kumar's or santosh's credentials. You get access.
  Configuring URL Authorization for a single web page
  1. Double click the "secure" web directory again and select "Content
     View" at the bottom of the page.
  2. You will see a list of files in the secure folder, namely
     "default.aspx" and "kumarSecret.aspx".
  3. Right click on kumarSecret.aspx and select "Feature View".
  4. You are now making changes only for the kumarSecret.aspx
     page, as indicated in the status bar.
  5. Select "Authorization Rules" again. You see the inherited
     settings, i.e. the kumarAndFriends group is allowed to access
  6. Remove the "kumarAndFriends" rule.
  7. Now click "Add Allow Rule…".
  8. Click the "Specified users:" radio button, enter "kumar" and click
  9. Close all Internet Explorer windows and request
  10. Only by entering kumar's credentials will you get access.
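The configuration that the IIS Manager steps above write to disk, given here as an added example (not copied from the slides): the folder-level rule allows the kumarAndFriends group, and the page-level <location> removes the inherited rule and allows only kumar. The file path is the one the walkthrough implies; everything else is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of %systemdrive%\inetpub\wwwroot\secure\web.config
     after the URL Authorization steps; not taken from the slides. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- step 2: drop the inherited "Allow All Users" rule -->
        <remove users="*" roles="" verbs="" />
        <!-- step 3: allow only members of the Windows group -->
        <add accessType="Allow" roles="kumarAndFriends" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Page-level override (steps 6 to 8): the inherited group rule is
       removed and only the single user kumar is allowed. -->
  <location path="kumarSecret.aspx">
    <system.webServer>
      <security>
        <authorization>
          <remove roles="kumarAndFriends" users="" verbs="" />
          <add accessType="Allow" users="kumar" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

URL authorization can only match users and groups once a challenge-based scheme (Basic, Digest or Windows authentication) is enabled and Anonymous Authentication is disabled for the folder; otherwise every request arrives as anonymous and is denied.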
                                 Apache VS IIS
•   Performance:
•   The Apache Software Foundation does not support 64-bit technology on Windows.
•   So you cannot use the Windows 64-bit + Apache combination.
•   On 64-bit systems the choice is between Windows + IIS6 or Linux + Apache.
•   In order to run PHP under IIS6 on a 64-bit platform you have to play a lot with 32-bit emulation of IIS6
    and make sure that all PHP extensions are loaded and executed in 32-bit mode.

•   Stability:

•   Windows and IIS6 are proprietary code. That means that, in case any vulnerability is found, a user
    has to wait and live with a vulnerable system until Microsoft fixes the issue and releases a fix.
•   Linux and Apache are open source products. This means that everyone has access to the source
    code, and as soon as a vulnerability has been found, everyone with the appropriate level of knowledge
    can fix it.
•   Apache 2 had more vulnerabilities than IIS6. However, IIS6 has more critical vulnerabilities that
    might result in service failure or give admin access to the attacker.

•   Cost

•   Windows setup costs include: more powerful hardware to run the GUI and antivirus software
•   A Windows and IIS6 license for the server
•   Linux setup costs include: hardware only. It also need not be as powerful as the hardware for Windows to
    serve the same number of requests.
•   Optional: a commercial Linux installation if you want Red Hat or SUSE. It is cheaper anyway and is
    required only if you have very specific requirements that call for a commercial Linux release.
• Use PrincipalPermission to Demand Role-Based Security
  // Demands that the current principal is in the named role before the
  // class can be used; the role name here is a placeholder.
  [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
  public class AdminOnlyPage : BasePage
  {
      // ...
  }
• Securing a Particular Directory in ASP.NET for Specific Roles
  <location path="Secure">
    <system.web>
      <authorization>
        <!-- "?" denies anonymous (unauthenticated) users -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
         Prevent SQL Injection by Using SqlParameters
  using System.Data;
  using System.Data.SqlClient;

  using (SqlConnection connection = new SqlConnection(connectionString))
  {
      DataSet userDataset = new DataSet();
      SqlDataAdapter myCommand = new SqlDataAdapter(
            "LoginStoredProcedure", connection);
      // Call a stored procedure and pass the user input as a typed parameter,
      // so it is never interpreted as SQL text
      myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
      myCommand.SelectCommand.Parameters.Add("@au_id",
            SqlDbType.VarChar, 11);
      myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
      myCommand.Fill(userDataset);
  }
• Turn On Custom Errors To Keep Errors Private
  <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
   Prevent Cross-Site Scripting Using HtmlEncode and UrlEncode
  // Encode untrusted input before writing it into HTML or into a URL
  // (the form field name "name" is assumed)
  Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
  Response.Write(HttpUtility.UrlEncode(urlString));

  // Encode the string input from the HTML input text field
  StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(userInput));
  // Selectively allow <b> and <i>
  sb.Replace("&lt;b&gt;", "<b>");
  sb.Replace("&lt;/b&gt;", "</b>");
  sb.Replace("&lt;i&gt;", "<i>");
  sb.Replace("&lt;/i&gt;", "</i>");
              Security Flaws in IIS
• A buffer overflow involving chunked encoding with the ASP
  (Active Server Pages) ISAPI filter.
• Another buffer overflow involving HTTP header processing,
  in which an attacker can spoof delimiter checking and
  persuade IIS that delimiting characters are present when
  they are not.
• It is possible for an invalid and very long file name to pass
  the include safety check, resulting in a file name bigger
  than its intended buffer, and hence a buffer overflow.
• A denial of service vulnerability involving the way an ISAPI
  filter included in FrontPage Server Extensions and ASP.NET
  generates errors when a request is received containing a
  URL exceeding the maximum length set by the filter. IIS
  attempts to process the URL while returning an error
  message, resulting in an access violation which causes it to
  crash. Affects IIS 4.0, 5.0 and 5.1.
• There are also three CSS (Cross-Site Scripting) vulnerabilities.
            Code Access Security

• The .NET Framework provides a security
  mechanism, called Code Access Security (CAS), to
  protect computer systems from malicious code and
  to allow mobile code to run safely.
• .NET allows administrators to assign a predefined
  set of permissions to an application.
• These permission sets vary based on the level of
  trust accorded to the application.
• By default, applications receive a level of trust
  dependent upon the evidence presented about
  the code's digital signature, origin and location.
• ASP.NET web applications can be further configured by
  assigning them trust levels.
• Trust levels are configured using the <trust> element
  within the configuration file:
    <trust level="Full | High | Low | None" originUrl="url" />
•   The default mappings for ASP.NET are:
    High maps to web_hightrust.config. This level grants applications
    read/write access to the application directory (subject to operating system permissions) and allows
    the application to replace the authentication principal object. It also restricts applications from
    calling into unmanaged code.
    Low maps to web_lowtrust.config. This level allows applications to read from the
    application directory and provides limited network connectivity.
    None maps to web_notrust.config. This level provides basic execution permission and
    supports the application's use of isolated storage.

    Example of Code (the <trustLevel> entries under <securityPolicy>):
        <trustLevel name="Full" policyFile="internal" />
        <trustLevel name="High" policyFile="web_hightrust.config" />
        <trustLevel name="Low" policyFile="web_lowtrust.config" />
        <trustLevel name="None" policyFile="web_notrust.config" />
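An added example (not from the slides) of how an administrator applies one of the trust levels above server-wide: the <trust> element is placed in the server's root web.config inside a <location> with allowOverride="false", so no application's own web.config can select a higher level. The chosen level is an assumption for illustration.

```xml
<!-- Constructed example: root web.config in the .NET Framework CONFIG
     directory, not from the slides.  allowOverride="false" locks the
     <system.web> section so per-application web.config files cannot
     raise the trust level back to High or Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Low" originUrl="" />
    </system.web>
  </location>
</configuration>
```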
                 References
• www.msdn.com
• http://www.theregister.co.uk/2002/04/11/eig
• http://learn.iis.net/page.aspx/142/understand
• http://www.visualbuilder.com/aspnet/security