Web Security Basics and IIS Tools

"Securing Internet Information Server"

Frank A. Nevers
fnevers@iu.edu
University Information Technology Security Office
Office of the Vice President for Information Technology

Overview

• Internet Security
• IIS Attack
    – Hacking tools
    – Counter Measures
• Planning and Installation
    – Operating System
        • Tools
        • Auditing/Security Logs
    – IIS
        • Authentication
        • Stay Current
        • Tools
        • Auditing
• Best Practices
• Future
• Summary
• Additional Resources
                  WebdevShare 2002
How Secure are you?

http://www.owasp.org/

Stages of web security

(Figure: layered stack, top to bottom: Apps (CGI, ASP scripts); Web Server; Operating System)

"Balance of Interests"

(Figure: the same Apps/scripts, Web Server and Operating System stack drawn inside a triangle whose corners are Security, Functionality and Ease Of Use)

Web Server Dominance?

(Figure: Netcraft survey chart, "Totals for Active Servers Across All Domains, June 2000 - August 2002")
– Netcraft survey http://www.netcraft.com/Survey/

IIS Insecure?

• Microsoft is a "natural" target
• IIS installs by default out of the box
    – Turns on many unneeded services
    – 7 externally accessible DLLs via URL mapping
        • e.g. Idq.dll for the Indexing Service
    – Sample apps are installed
    – Help
    – Admin scripts
    – WebDAV
    – FrontPage Server Extensions enabled

Insecure…

• Tight integration with the OS
    – IIS runs as the Local System account
    – Components have system-level permissions and are accessible via the web
        • Two Indexing Service vulnerabilities
        • Internet Printing (IPP) vulnerability
• Easy to miss something with all of the settings/options
• Frequency of hotfixes and security updates

Why?

(Figure: Internet Storm Center chart)

Why?

(Figure: bar chart "MS Bulletins Issued" per year, 1998 to 2002; chart values in year order: 20, 60, 100, 60, 53)

Exploits

• SANS/FBI Top Vulnerabilities
    – Unicode Vulnerability (Web Server Folder Traversal)
    – ISAPI Extension Buffer Overflows
    – IIS RDS exploit (Microsoft Remote Data Services)

IIS Attacks

• July 2001 – Code Red I & II
    – Early version, website defacement:
        Welcome to http://www.worm.com!
        Hacked by Chinese!
• Sept 2001 – Nimda worm/virus
• Cleanup tools
    – eEye http://www.eeye.com/html/
    – X-Force ISS http://bvlive01.iss.net/issEn/delivery/xforce/alerts.jsp
    – SANS www.sans.org

Hacking tools

• iis5hack
    Cyrus The Great cyrusarmy@yahoo.com
• jill-win32.exe
    dark spyrit dspyrit@beavuh.org
• iiswebexplt.pl
    Wanderley J. Abreu Jr. storm@unikey.com.br

Automated Tools

• Netcat
    – by Hobbit
        • http://www.atstake.com/research/tools/
• Whisker
    – by Rain Forest Puppy
        • www.wiretrip.net/rfp
• Brutus
    – by HooBie Inc.
        • www.hoobie.net/brutus
• Teleport Pro
    – by Tennyson Maxwell Information Systems
        • www.tenmax.com

Buffer Overflow Example

• Internet Printing Protocol (IPP) functionality is implemented in IIS 5 via an ISAPI filter (C:\WINNT\System32\msw3prt.dll)
• Turned on by default
• Malformed requests for .printer files invoke this ISAPI and cause a buffer overflow, resulting in remote SYSTEM privileges

    GET /null.printer HTTP/1.0
    Host: [> 420 char. buffer]

Counter Measures

• Physical barrier
    – Place behind a firewall
    – Separate machines for web and database servers
• Create a separate OU for web servers that is locked down via Group Policies
• Monitor and test your web servers
    – (Think like an attacker)
• Detect rogue servers

Counter Measures (cont.)

• Consider the risks: what are you trying to protect?
    – Policy
    – Disclosure?
• Create an Incident Response Plan

Counter Measures (cont.)

Stay Current
• Alert lists
• Vendor notifications
• Automatic Update wizard
• SUS – Software Update Services
    – http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp

Tools
• Operating System
    – Hfnetchk
    – Microsoft Baseline Security Analyzer (MBSA)
• Security Toolkit
    – Lockdown
• CIS Scoring Tool

Planning and Installation
Secure Installation Planning

• Security checklists
    – Useful, however security checklists DO NOT equal system security
• Baseline checklists
    – Microsoft, SANS, PentaSafe, etc.
• Build machines offline or with private IP addresses

Harden the OS

• Prevent attackers from:
    – executing command-line tools
        • cacls %windir%\system32\*.exe /P Administrators:F
    – modifying your content
        • cacls c:\inetpub\wwwroot\*.* /P Everyone:R
        • cacls c:\inetpub\wwwroot\*.* /E /G Administrators:F
• Always use NTFS, never FAT!
• Keep your content on a separate partition
• Lock down your web environment with IPSec
• Use authentication

Windows Update
http://windowsupdate.com

Update Notification
Automatic Updates

Hfnetchk
http://www.microsoft.com/downloads/release.asp?releaseid=31154&area=featured&ordinal=2

Sample Output (2) (from the Microsoft Get Secure/Stay Secure slide):

    * WINDOWS 2000 SP2
    Patch NOT Found    MS00-077    Q299796
    Patch NOT Found    MS00-079    Q276471
    Patch NOT Found    MS01-007    Q285851
    Patch NOT Found    MS01-013    Q285156
    NOTE               MS01-022    Q296441
    Patch NOT Found    MS01-025    Q296185
    Patch NOT Found    MS01-031    Q299553
    Patch NOT Found    MS01-037    Q302755
    Patch NOT Found    MS01-041    Q298012
    Patch NOT Found    MS01-046    Q252795

    * Internet Information Services 5.0
    Patch NOT Found    MS01-025    Q296185
    Patch NOT Found    MS01-044    Q301625

    * Internet Explorer 5.5 SP1
    Patch NOT Found    MS00-093    Q279328
    Patch NOT Found    MS01-012    Q283908
    Patch NOT Found    MS01-015    Q286043
    Patch NOT Found    MS01-027    Q299618

Reading the output: each "*" line gives the product and service pack of the system being scanned; the middle column is the Microsoft Security Bulletin number; the right column is the Q number of the related patch, the same Q number written to the registry and shown in Add/Remove Programs.

• Use the -v switch for verbose output.
• Use the -z switch to bypass registry checks and evaluate only file discrepancies.
Example: hfnetchk -v -z

MBSA
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

ISS Internet Scanner
http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php

ISS System Scanner
http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_system.php

HFNetChkPro
http://www.shavlik.com/security/prod_hf.asp

CIS Scoring Tool
http://www.cisecurity.org/

Other Analysis Tools

• Nessus http://www.nessus.org/intro.html
• CIS Scoring Tool www.cisecurity.org
    – IIS Web Server Level 2

Security Configuration Template and Analysis

• Collection of security settings
    – Secedit
    – Built-in templates
    – %systemroot%\Security\Templates
      The templates and their system uses are as follows:
          basicwk.inf     Default workstation
          basicsv.inf     Default server
          compatws.inf    Compatible workstation
          securews.inf    Secure workstation or server
          hisecws.inf     Highly secure workstation or server
    – Center for Internet Security
        • Win2KProGold_r1.2.inf (CIS Scoring Tool)

Enable Security Auditing
Windows 2000

1. Click Start → Run, type mmc /a, and then click OK.
2. On the Console menu, click Add/Remove Snap-in → Add. Under Snap-in, click Group Policy → Add.
3. In the Select Group Policy Object box, click Local Computer.
4. Click Finish → Close → OK.
5. In the Local Computer Policy box, click Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy.
6. In the details pane, click Audit logon events.
7. Click Action → Security, and select the categories to audit.

Audit Categories

• Account logon events      Success/Failure
• Account management        Success/Failure
• Logon events              Success/Failure
• Object access             Failure
• Policy change             Success/Failure
• Privilege use             Success/Failure
• Process tracking*         Success/Failure
• System events             None

*Note: turn on Process tracking only for specific analysis

Monitor Security Logs

• Event Viewer
    1. Start → Programs → Administrative Tools → Event Viewer
    2. In the console tree, click Security log.
    3. Look in the details pane for information about the event you want to view, and then double-click the event for additional information.

Security log

(Screenshot of the Security log in Event Viewer)
http://rr.sans.org/win/event_logs3.php

IIS
Is IIS installed?
Windows 2000 – IIS 5.0

• My Computer → Manage → Services and Applications → Services
    If you see the "World Wide Web Publishing" service, you have IIS installed.

To remove IIS from Windows 2000:
    Start → Settings → Control Panel → Add/Remove Programs → Add/Remove Windows Components → uncheck the box next to "Internet Information Services (IIS)" → Reboot

Is IIS Installed?
NT 4.0 – IIS 4.0

• Start → Settings → Control Panel → Services applet → scroll down;
    if you see the "World Wide Web Publishing" service, you have IIS installed.

To remove IIS from NT 4.0:
    Start → Settings → Control Panel → Network → select the Services tab → highlight Internet Information Server and click the Remove button → Reboot

Authentication Methods

• Anonymous
• Basic
• Digest
• Integrated Windows
• Certificate
• Fortezza

Authentication - Integrated Windows (Kerberos)

(Figure: a Windows 2000/XP client, an MIT Kerberos Realm, an ADS Windows Domain and a Web Server; TGT exchanges between the client, the MIT Kerberos Realm and the ADS Windows Domain, then a Service Ticket issued by the domain is presented to the Web Server)

Password Protect your web site
Disable anonymous access

• Start the Internet Service Manager.
• Right-click Internet Information Server → Connect.
• In the "Connect to Computer" field, type the name of the computer running IIS → OK.
• In the left side of the window, click the name of your server → the name of your Web site → Properties.
• Select the Directory Security tab.
• Under "Anonymous Access and Authentication Control", click Edit...
• Uncheck the box next to Allow Anonymous Access.
• To enable Web browsers other than Microsoft Internet Explorer, you must check the box next to Basic Authentication.

SSL

• Protocol for encrypting network traffic
• Operates on the transport layer, port 443
• How it works:
    – Client connects to server
    – Server indicates need for SSL
    – Client and server exchange crypto keys
    – Secure session begins
• Obtain certificates from Thawte

Hide your headers

• In urlscan.ini (UrlScan) set:
    – RemoveServerHeader=1 to strip the Server header entirely
    – Or leave RemoveServerHeader=0 and change what it reports with:
        • AlternateServerName=Apache/1.3.23

Microsoft Trustworthy Computing Initiative

• Security Tool Kit
    – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/stkintro.asp
• Image to burn your own CD – available soon!

Lockdown Wizard

Lockdown
• Disable:
    – ASP Pages
    – Index Server Pages
    – Server Side Includes
    – IDC Database Connector
    – Internet Printing
    – .HTR Scripting
    – /MSADC Virtual Folder
    – WebDAV
• Removes IIS Samples
• Sets NTFS Permissions

URLScan
• Packet filtering

Microsoft Security Tool Kit
Lockdown Demo

(Screenshots of the IIS Lockdown wizard, in order: Select Server Template; Internet Services; Script Maps; Additional Security; URLScan; Apply Settings; Status and Report; Completion)

Caution! (after the Script Maps step): ISAPI apps may reappear

IIS Logs

1. Internet Services Manager
2. Select the web site → Properties
3. Check Enable Logging
4. Properties → Extended Properties

(Screenshot: URLScan log)

IIS Logs (cont.)

• Enable logging with W3C Extended Logging:
• Load the Internet Information Services tool.
• Right-click the site in question, and choose Properties from the context menu.
• Click the Web Site tab.
• Check the Enable Logging check box.
• Choose W3C Extended Log File Format from the Active Log Format drop-down list.
• Click Properties.
• Click the Extended Properties tab, and set the following properties:
    – Client IP Address
    – User Name
    – Method
    – URI Stem
    – HTTP Status
    – Win32 Status
    – User Agent
    – Server IP Address
    – Server Port

IIS Logs (cont.)

• Set appropriate IIS log file ACLs
    – Make sure the ACLs on the IIS-generated log files (c:\winnt\system32\LogFiles) are:
        • Administrators (Full Control)
        • System (Full Control)
        • Everyone (RWC)
    – This is to help prevent malicious users deleting the files to cover their tracks.
• Create a separate partition for log files
• Copy logs off to a separate server to prevent tampering
    – Daily, hourly
• Increase the size of your security log to 500 MB
• Configure it to only overwrite events older than 15 days if you have a once-per-week backup schedule.

IIS Logs (cont.)
Code Red

• GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7
  801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190
  %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
  =a

• HTTP status response code 404 – you're OK!
• HTTP status response code 200 – you were patched!
• No record whatsoever? Infected! (or not scanned yet)

IIS Logs (cont.)
URLScan

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-09-16 02:11:04
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-09-16 02:11:04 194.237.47.73 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 401 -
2002-09-16 02:49:09 134.169.89.150 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 401 -
2002-09-16 04:46:16 61.170.139.224 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/default.ida 401 -
2002-09-16 06:04:49 203.236.242.92 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/default.ida 401 -
2002-09-16 08:30:01 202.63.212.11 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/default.ida 401 -
2002-09-16 11:59:53 134.68.63.219 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600
2002-09-16 13:26:47 134.68.183.252 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600
2002-09-16 14:00:19 134.68.63.219 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600
2002-09-16 14:00:19 134.68.63.219 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600

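An added example (not code from the slides) that turns the log material above into a triage script: it parses the W3C Extended format shown in the UrlScan log, applies the Code Red rule from the previous slide (404 = OK, 200 = patched, no record = infected or not yet scanned) and labels UrlScan rejections, Unicode traversal and the .printer requests from the Buffer Overflow Example slide. The 10.0.0.x log lines are constructed for the example; the field names follow the #Fields header on the slide.

```python
"""Triage IIS 5 W3C Extended log lines for the signatures these slides cover:
Code Red /default.ida, Unicode traversal, .printer (IPP) and UrlScan rejections."""
import re
from collections import Counter

# Sample log: the first three data lines are copied from the UrlScan log on
# the slides; the four 10.0.0.x lines are constructed for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-09-16 02:11:04
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-09-16 02:11:04 194.237.47.73 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 401 -
2002-09-16 04:46:16 61.170.139.224 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/default.ida 401 -
2002-09-16 11:59:53 134.68.63.219 - 134.68.183.21 80 GET /<Rejected-By-UrlScan> ~/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600
2002-09-16 12:10:00 10.0.0.5 - 134.68.183.21 80 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801=a 404 -
2002-09-16 12:11:00 10.0.0.6 - 134.68.183.21 80 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801=a 200 -
2002-09-16 12:12:00 10.0.0.7 - 134.68.183.21 80 GET /null.printer - 200 -
2002-09-16 12:13:00 10.0.0.8 - 134.68.183.21 80 GET /index.html - 200 Mozilla/4.0
"""

# Directory-traversal encodings seen in the Unicode/double-decode attacks.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e|%255c|%c0%af|%c1%9c", re.I)

def parse_w3c(text):
    """Parse W3C Extended format; '#Fields:' names the space-separated columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, values)))
    return rows

def classify(row):
    """Label one request with the signature it matches ('normal' if none)."""
    stem = row["cs-uri-stem"].lower()
    query = row["cs-uri-query"].lower()
    agent = row.get("cs(User-Agent)", "-").lower()
    if stem == "/<rejected-by-urlscan>":
        # UrlScan keeps the original URL in cs-uri-query, so classify on that.
        if query.endswith("/default.ida"):
            return "urlscan-rejected:code-red"
        if TRAVERSAL.search(query):
            return "urlscan-rejected:traversal"
        if "webdav" in agent:
            return "urlscan-rejected:webdav"
        return "urlscan-rejected:other"
    if stem.endswith("/default.ida"):
        return "code-red-probe"
    if stem.endswith(".printer"):
        return "ipp-printer-request"
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        return "traversal-attempt"
    return "normal"

def code_red_verdict(rows):
    """Slides' rule: 404 on /default.ida = OK, 200 = patched, no record = infected
    (or not scanned yet); 401 = UrlScan rejected it before the ISAPI ran."""
    statuses = {r["sc-status"] for r in rows
                if classify(r) in ("code-red-probe", "urlscan-rejected:code-red")}
    for status, verdict in (("200", "patched"), ("404", "ok"),
                            ("401", "urlscan-rejected")):
        if status in statuses:
            return verdict
    return "no-record" if not statuses else "other:" + ",".join(sorted(statuses))

def summarize(text):
    """Count signatures and the noisiest non-normal source addresses in a log."""
    rows = parse_w3c(text)
    labels = [classify(r) for r in rows]
    sources = Counter(r["c-ip"] for r, label in zip(rows, labels)
                      if label != "normal")
    return {"counts": dict(Counter(labels)),
            "code_red": code_red_verdict(rows),
            "top_sources": sources.most_common(3)}
```

Run summarize() over a real log file's contents; the source counts point at the hosts to check first, and a "no-record" verdict on your own server is the case the slide says to worry about.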
Ongoing Maintenance

• Remain informed, vigilant and educated!
    – Audit
        • Event Viewer logs
    – Monitor
        • IIS logs
    – Check for new security hotfixes
        • ITSO Alerts
        • Subscribe to the Security Notification Service
        • Use HFNETCHK
        • Query Windows Update
    – Do backups
    – Use tools to detect intrusions
        • URLSCAN

If you suspect a Compromise

• Determine strategy
• CERT
    – Technical
        • Analysis
        • Forensics
• Notification
    – Public disclosure
    – Media

General Steps for Creating a Secure IIS Installation

1. Install Windows 2000 Server and IIS off the network.
2. Patch Windows 2000 with the latest service pack.
3. Disable anonymous FTP access.
4. Install the IIS 5.0 Rollup patch.
5. Bring the Windows 2000 Server on the network and run Windows Automatic Update.
6. Run the IIS Lockdown utility to remove open scripts, Internet printer files, etc.
7. Run the Hfnetchk and MBSA utilities.
8. Run a vulnerability scanner on the machine.
9. Stay informed.

Best Practices

• Physical barrier
    – Place content on a different drive
    – Use separate domains or organizational units
• Turn off anonymous FTP immediately
• Disable unnecessary services, protocols and features
    – Remove unused virtual directories
    – Clean out the scripts directory
    – Remove unused application mappings
    – Disable parent paths
• Lower your connection timeout
• Don't send detailed error messages
• Keep up to date – patch your system
• ISS/Nessus vulnerability scan of your web environment
• Stay informed
• Enable security logging
• Prevent rogue web servers
• Monitor the audit logs daily

Future
Windows .NET and IIS 6.0

• Reduced attack surface
    – IIS is not installed by default
    – Server lockdown: static files only
    – Secure defaults
    – Secure timeouts and limits
• Code security
    – Buffer overflow checks
        • Automated in the Windows build environment
        • VC++ compiler support (/GS)
• Isolation through a new process model
    – Worker processes run as a low-privileged account by default
• Always secure with Automatic Update

Retiring Systems

• Securely delete data
    – Symantec – GDisk
    – Autoclave
        • http://staff.washington.edu/jdlarios/autoclave/
    – Declasfy
        • http://www.dmares.com/maresware/df.htm#DECLASFY
    – Cybercide
        • http://www.cyberscrub.com/cybercide/
    – Eraser
        • http://www.tolvanen.com/eraser/

Obsolete Tools?

• Hfcinst
• Hfnetchk (prior to 3.32)
• Microsoft Personal Security Advisor
• Outdated mssecure.xml or mssecure.cab files

Indiana University

• Hierarchy
    – Vice President for Information Technology
        • ITPO
        • ITSO
    – LSP
        • Users
• Security classes
    – EdCert
• IUWare Security CD
• Bulletin/Alert service
• IUfred

"Summary"

(Figure: the Balance of Interests triangle again; Apps/scripts, Web Server and Operating System stacked between the corners Security, Functionality and Ease Of Use)

Additional Resources

• ITSO
    • http://www.itso.iu.edu/
• Microsoft Security
    • http://www.microsoft.com/security
    • TechNet IIS 5.0 Checklist
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp
• SANS
    • http://www.sans.org/
• NSA Security Recommendations
    • http://nsa2.www.conxion.com/win2k/guides/w2k-14.pdf
• National Strategy for Securing Cyberspace
    • http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf

"Security is a war as well as an art form: you need to be methodical and militant, but also creative and flexible."
    - ancient rfp.labs proverb

Questions?

Thank You
ITSO