Page 1

SEC312
Securing Internet Information Services
Vikas Malhotra, Program Manager, Internet Information Services

Page 2

Agenda: The Journey …

Where we were: Security Challenges

What we did: Approach and methodology used

Where we are today and where we are going

Page 3

Our Journey Step #1: Understanding The Challenges

Page 4

Analyzing Pre-IIS 6.0 Vulnerabilities

Challenges:
  Canonicalization Problems
  Buffer Overflow
  Extensive Resource Usage
  Cross-Site Scripting
  Enabled Everything

Results:
  Remote Command Execution
  Elevation of Privilege
  Information Disclosure
  Denial-of-Service

Page 5

Web Server Vulnerability Distribution

Chart of vulnerability severity by web server component (axes: Web Server Components, Severity). Components plotted:
  IIS Core
  ASP
  Server-side includes (SSINC.DLL)
  Internet Data Connector (HTTPODBC.DLL)
  WebDAV (HTTPEXT.DLL)
  Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
  Internet Printing ISAPI (MSW3PRT.DLL)
  FrontPage Server Extensions (div.)
  Password Change Functionality (ISM.DLL)

Page 6

Understanding What An Attacker Is Doing …

demo

Page 7

Buffer Overruns at Work

Stack layout diagram, from lower to higher addresses: buffers, other variables, saved EBP, saved EIP, arguments.

    // The slide's example frame. CFoo and func are stand-in declarations
    // added here so that the fragment compiles; they are not from the talk.
    int func(int);
    class CFoo { public: int x; };

    void foo(char *p, int i) {
        int j = 0;
        CFoo foo;
        int (*fp)(int) = &func;
        char b[16];
    }

Question:

What happens if we copy the string p into b and p is longer than 16 characters?

Page 8

Buffer Overruns at Work

Stack layout diagram, from lower to higher addresses: buffers, other variables, saved EBP, saved EIP, arguments. Data an overrun can overwrite:

Function return address

Exception handlers

Function pointers

Virtual methods

Page 9

Now the buffer overflow demo …

demo

Page 10

Don’t worry, we fixed these types of problems …

Compiled with the /GS compiler option (the canary!)

Reduced request limit (16k)

Internal and external code reviews

… these and many more in just a few minutes …
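An added C illustration of the question on the buffer-overrun slides and of what the /GS canary buys (not code from the talk or from IIS): a 32-byte model of the frame drawn above, with b, the security cookie and the saved EBP/EIP laid out in one char array so the overrun can be observed in well-defined C. foo_unchecked copies p into b the pre-IIS 6.0 way, foo_checked refuses input that does not fit, and cookie_intact is the epilogue check /GS performs before the saved return address is used. All names, offsets and the cookie value are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame from the slide, low to high addresses:
   char b[16], then the security cookie /GS inserts, then the saved EBP
   and saved EIP that an overrun would reach next. Not IIS code. */
#define FRAME_SIZE    32
#define B_OFF          0
#define B_SIZE        16
#define COOKIE_OFF    16
#define SAVED_EBP_OFF 20
#define SAVED_EIP_OFF 24

static const uint32_t COOKIE = 0xA5C3E17Bu;      /* constructed value */

static void frame_init(unsigned char *frame)
{
    uint32_t ret = 0x00401000u;                  /* constructed caller address */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + COOKIE_OFF, &COOKIE, sizeof COOKIE);
    memcpy(frame + SAVED_EIP_OFF, &ret, sizeof ret);
}

/* What the /GS epilogue does: verify the cookie before the saved EBP/EIP
   are used. Returns 1 if intact, 0 if it was overwritten (in which case
   the process is terminated instead of returning). */
int cookie_intact(const unsigned char *frame)
{
    uint32_t c;
    memcpy(&c, frame + COOKIE_OFF, sizeof c);
    return c == COOKIE;
}

/* The pre-IIS 6.0 pattern: copy p into b with no length check.
   Returns the cookie check result; -1 if p would not even fit the model. */
int foo_unchecked(unsigned char *frame, const char *p)
{
    size_t n = strlen(p) + 1;                    /* bytes incl. terminator */
    if (n > FRAME_SIZE) return -1;
    frame_init(frame);
    memcpy(frame + B_OFF, p, n);                 /* overruns b once n > 16 */
    return cookie_intact(frame);
}

/* The fix: refuse anything that does not fit before copying.
   Returns 1 if p was stored, 0 if it was rejected; the cookie is never hit. */
int foo_checked(unsigned char *frame, const char *p)
{
    size_t n = strlen(p);
    frame_init(frame);
    if (n >= B_SIZE) return 0;                   /* no room for terminator */
    memcpy(frame + B_OFF, p, n + 1);
    return 1;
}
```

A 16-character input already fails the cookie check, because the terminating NUL lands on the cookie's first byte; the checked version rejects it before any copy happens.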

Page 11

Our Journey Step #2: Understanding Our Product

Page 12

Product Quality: Finding Vulnerabilities In Existing Code

Start with education (like the demo)

Identify attack paths, access categories, and prioritize critical areas

Discover threats, design flaws and vulnerabilities:
  Threat models
  Data Flow Diagrams

Understand overall security risk

Develop mitigating strategies

Page 13

Product Quality: Secure By Design

Threat modeling process diagram, four phases with their steps:

Identify Threat Paths
  Identify overall security strengths
  Identify Threat Path entry points and privilege boundaries
  Prioritize discussion based on Access Category
  Identify Access Categories

Identify Threats
  Identify components on the Threat Path
  Determine component actions on the Threat Path
  Enumerate potential threats to each component on the Threat Path

Identify Vulnerabilities
  Identify mitigating or preventative security measures
  Determine whether the threat is a vulnerability
  Classify the vulnerability

Rank and Remedy Vulnerabilities
  Identify compounding vulnerabilities
  Plot vulnerability on a risk chart
  Determine mitigation or remediation strategy

Page 14

Product Quality: Identify Threat Paths

Goals:
  Identify specific threats to the application
  Prioritize
  Ensure complete analysis

Output:
  Data flow diagram, including privilege boundaries
  Access categories
  Threat paths

Steps in this phase (from the process diagram):
  Identify overall security strengths
  Identify Threat Path entry points and privilege boundaries
  Prioritize discussion based on Access Category
  Identify Access Categories

Page 15

Product Quality: IIS access categories

Remote anonymous user (example: www.microsoft.com)

Remote authenticated user (example: online banking application)

Remote authenticated user with file manipulation capability (example: ISP)

Local user with execute privileges (example: Terminal Server)

Local administrator

Page 16

System Behavior Modeling

Data flow diagram elements: Process, Data Flow, External Entity, Data Store

Graphic representation showing communication between objects

Describes activities that process data

Shows how data flows through a system

Shows logical sequence of associations and activities

Sometimes known as a process model (similar to DFD modeling)

Page 17

More Detail: Level 0

Level 0 data flow diagram of the web server. Elements recoverable from the figure:

External entities: Browser, Administrator

Processes: 1.0 Authentication Module, 2.0 Request Processor, 3.0 Configuration Manager, 4.0 Logging Engine

Data stores: Webroot, Authentication Database, Configuration Data, Logs

Data flows: 1.0 Page request, 2.0 Configuration data, 3.0 Authentication query, 4.0 Authentication request, 5.0 Authentication data, 6.0 User information, 7.0 Authentication result, 8.0 Page data, 9.0 Page contents, 10.0 Log data, 11.0 Configuration data, 12.0 Configuration data, 13.0 Configuration changes, 14.0 Configuration data, 15.0 Log configuration, 16.0 Log request, 17.0 Log data, 18.0 Logs and alerts

Page 18

Even More Detail: Level 1

Level 1 data flow diagram decomposing the Authentication Module. Elements recoverable from the figure:

External entity: Browser

Processes: 1.1 Auth Processor, 1.2 Authentication Protocol Negotiation, 1.3 Sub-auth Module, 2.0 Request Processor

Data store: Authentication Database

Data flows: 3.1 Authentication query, 3.2 Protocol negotiation request, 4.0 Authentication request, 4.1 Authentication capabilities, 4.2 Auth protocol selection, 5.0 Authentication data, 5.1 User auth data, 5.2 User auth data, 6.0 User information, 6.1 Auth result, 7.0 Authentication result

Page 19

Identify Threats

Goals:
  Identify security-critical processing along the threat paths
  Determine overall threat profile

Output:
  List of application-specific threats

Steps in this phase (from the process diagram):
  Identify components on the Threat Path
  Determine component actions on the Threat Path
  Enumerate potential threats to each component on the Threat Path

Page 20

Identify Vulnerabilities

Goals:
  Determine specific security weaknesses
  Identify areas for focused code review or QA testing

Output:
  List of specific vulnerabilities
  Areas requiring further analysis

Steps in this phase (from the process diagram):
  Identify mitigating or preventative security measures
  Determine whether the threat is a vulnerability
  Classify the vulnerability

Page 21

Rank And Remedy

Goals:
  Prioritize vulnerabilities for remediation
  Determine appropriate mitigation strategy
  Understand risk

Output:
  Risk chart
  Resolution roadmap

Steps in this phase (from the process diagram):
  Identify compounding vulnerabilities
  Plot vulnerability on a risk chart
  Determine mitigation or remediation strategy

Page 22

Plot Vulnerability On A Risk Chart (Rank and Remedy Vulnerabilities)

Risk Matrix: each vulnerability is plotted with Degree of Risk on the vertical axis (low to high) and Level of Effort to Remediate on the horizontal axis (low to high). Quadrants:

  High risk, low effort: Red flag: fix immediately
  High risk, high effort: Red flag: plan to remedy
  Low risk, low effort: Fix at client's discretion
  Low risk, high effort: Bear risk, or fix at client's discretion

Each finding’s x-y position in the Business Impact Matrix indicates the relative risk and likelihood of exploit (vertical axis) and the effort required to remediate (horizontal axis). The circle diameter signifies the overall impact on your business and brand value.

Page 23

Our Journey Step #3: How We Used What We Learned To Improve IIS

Page 24

IIS 5 Request Processing

Architecture diagram. Labels recoverable from the figure:
  Kernel mode: TCP/IP, AFD, WinSock
  User mode: INETINFO.exe, Metabase, FTP, NNTP, SMTP, and multiple DLLHOST.exe processes
  Request and Response pass through user mode

Page 25

IIS 6.0 Request Processing

Architecture diagram. Labels recoverable from the figure:
  Kernel mode: HTTP (with Cache and Queue), TCP/IP
  User mode: WWW Service (Administration & Monitoring), Inetinfo with the XML Metabase, FTP, NNTP, SMTP, and Application Pools (…)
  Request and Response

Page 26

Reduced Attack Surface

Windows Server 2003 disables 20+ services

IIS is not installed on Windows 2003 Server

Now if you install IIS…

  IIS component                   IIS 5.0 clean install   IIS 6.0 clean install
  Static file support             enabled                 enabled
  ASP                             enabled                 disabled
  Server-side includes            enabled                 disabled
  Internet Data Connector         enabled                 disabled
  WebDAV                          enabled                 disabled
  Index Server ISAPI              enabled                 disabled
  Internet Printing ISAPI         enabled                 disabled
  CGI                             enabled                 disabled
  FrontPage Server Extensions     enabled                 disabled
  Password Change Functionality   enabled                 disabled
  SMTP                            enabled                 disabled
  FTP                             enabled                 disabled
  ASP.NET                         X                       disabled
  BITS                            X                       disabled

Page 27

Secure By Design: IIS 6.0 Architecture

IIS processes run with the lowest possible privilege

Third-party code runs only in Worker Processes

Improved Isolation and Sandboxing

HTTP Per-Request Logging

Reduces DoS attacks:
  Advanced Health Monitoring
  Recycling
  CPU Accounting

Page 28

Secure By Default: IIS 6.0 Architecture

No Executable virtual directories: /SCRIPTS and /MSADC

Secure Timeouts And Limits: 16k Request Limit

Old Legacy Code Removed:
  ISM.DLL / .HTR
  Sub-Authentication
  Check if File Exists

Page 29

Secure By Default

Command Line Files not executable

Restrictive URL Canonicalization

NTFS canonicalization

Content write protected

Strong ACLs on:
  Logfiles
  Custom Error Directory
  Cache Directories

ASP:
  EnableParentPath = FALSE
  Hang detection
  Internal Health Detection

Page 30

Walkthrough Of Some New Security Features

demo

App Pool Identity (and settings)

Web Extension List

404 Error Messages

Page 31

Our Journey Step #4: Our Efforts Going Forward

Page 32

Product Quality: Secure By Design

Company-wide Cultural Shift with Executive Sponsorship:
  Training

Process shift:
  Security Design Review for Every Feature
  Threat Modeling
  Development Practices:
    /GS compiler option
    Prefix/Prefast runs
    Single String Class
    QFE and IIS core team merged
    Code review for every change
    External Reviews

Page 33

Product Quality: Security By Default

Test Practices:
  Tests to verify all previous vulnerabilities still fixed

New Test Infrastructure:
  External Tools and Internal Tools
  Expand Testing Beyond Regression

IIS Tools:
  Buffer Overflow Scanner
  Cross-site Scripting

Page 34

Secure In Deployment

Improved Patch Management:
  Software Update Services
  SMS

No reboots through recycling

Resource-free DLLs

Page 35

Bonus demos! SSL related demos

SelfSSL

SSL Diagnostics

Page 36

Summary

New IIS architecture for greater security and reliability

Improvements to enhance IIS 4.0 and 5.0 security are continuously being made through ongoing patches and security roll-ups

Stay informed and keep systems up to date

Page 37

Ask The Experts: Get Your Questions Answered

I will be in the ATE after this session and throughout the week

Other Program Managers and IIS Support Professionals are here and will also be working in the ATE to help you out

Page 38

Community Resources

IIS Community Portal: http://www.microsoft.com/windowsserver2003/community/centers/iis/

IIS Portal: http://www.microsoft.com/iis

IIS Newsgroups:
  Microsoft.public.inetserver.iis
  Microsoft.public.inetserver.iis.ftp
  Microsoft.public.inetserver.iis.security

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Page 39

Suggested Reading And Resources

The tools you need to put technology to work!

  Title                                                                  Available
  Microsoft® Windows® Security Resource Kit: 0-7356-1868-2               Today
  Internet Information Services (IIS) 6.0 Resource Kit: 0-7356-1420-2    8/27/03

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Page 40

Evaluations

Page 41

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Questions? Product Feedback?

[email protected]
