Presentation is loading. Please wait.

Presentation is loading. Please wait.

IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services.

Similar presentations

Presentation on theme: "IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services."— Presentation transcript:

1 IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services

2 Agenda Setting the Stage IIS 6.0 Security design ASP.NET Security Config Scanning & Tools Hardening IIS 6.0 Demos throughout

3 Setting the Stage No news that IIS is a primary target What is this Security Push and Trustworthy Computing? IIS 6.0 should be tangible evidence of these initiatives

4 Vulnerability Trends Physical Network OS Application VerticalVerticalVerticalVertical Horizontal Decreasing – Leveling out Increasing

5 IIS 6.0 Security Design Product quality Improve design, coding, and testing practices Fewer vulnerabilities out of the box Security conscious architecture Reduced attack surface Defense in depth Limit the possible damage should new vulnerabilities be discovered Always up-to-date Make it practical to keep systems up-to-date with the latest software patches

6 Product Quality Security stand-down Development practices /GS Prefix/Prefast runs Single String Class QFE and IIS core team merged Code review for every change External reviews keep us honest Removed legacy code Security design review for every feature Extensive test infrastructure External tools Internal tools IIS tools Buffer overflow scanner Cross-site scripting Fault injection in regular test runs

7 Reduced Attack Surface Windows Server 2003 disables 20+ Services IIS is not installed on Windows Server 2003 If you install IIS… IIS componentsIIS 5.0 clean installIIS 6.0 clean install Static file supportenabledenabled ASPenableddisabled Server-side includesenableddisabled Internet Data Connectorenableddisabled WebDAVenableddisabled Index Server ISAPIenableddisabled Internet Printing ISAPIenableddisabled CGIenableddisabled Frontpage Server Extensionsenableddisabled Password Change Functionalityenableddisabled SMTPenableddisabled FTPenableddisabled ASP.NETXdisabled BITSXdisabled

8 Vulnerability Distribution Web-Server only Web Server ComponentsSeverity IIS Core ASP Server-side includes (SSINC.DLL) Internet Data Connector (HTTPODBC.DLL) WebDAV (HTTPEXT.DLL) Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL Internet Printing ISAPI (MSW3PRT.DLL Frontpage Server Extensions (div.) Password Change Functionality (ISM.DLL)

9 Defense In Depth Buffer overflows New Low Privilege accts: Network Service (default) and Local Service Default Privileges: SeAssignPrimaryTokenPrivilegeSeSecurityPrivilegeSeSystemtimePrivilegeSeAuditPrivilegeSeChangeNotifyPrivilegeSeUndockPrivilege …vs. the LocalSystem account – which has almost every system Privilege (21 total)

10 Defense In Depth Canonicalization issues Rigorous and restrictive parsing Default handler is restricted to a list of known extensions Denial-of-service attacks Fault-tolerant infrastructure Limits Cross-site scripting issues ASP.NET data validation controls Executing command-line scripts Secure defaults: dont allow anonymous account to execute *.exes Site defacements No write access for anonymous account in home dir

11 Secure By Default Secure Defaults I No executable VDirs /SCRIPTS and /MSADC Secure timeouts and limits 16k request limit Old legacy code removed ISM.DLL/.HTRSub-authentication Known extensions Check if file exists X X X X X X

12 Secure By Default Secure Defaults II Strong ACLs on Logfiles Custom error directory On cache directories Persistent ASP template cache Compression cache IE Shipped in Hardened State on all Servers Admin must add Zones/settings as desired ASP ASPEnableParentPath = FALSE Hang detection 4MB response buffer limit Internal health detection

13 Secure By Default Secure Defaults III Restrictive URL Canonicalization Hostname and URL rules A raw byte must be URL_TOKEN, per RFC 2396 and 2732 Alphanumeric: A..Z a..z 0..9 Hex-Escaped: %xx or %uNNNN Mark: - _. ! ~ * ' ( ) Reserved: ; / ? : @ & = + $, [ ] Unwise: { } | \ ^ ` But Not: 0x00-0x1F 0x7F " # But Not: 0x00-0x1F 0x7F " # NTFS canonicalization \\?\ Streams outlawed

14 Security Conscious Architecture Compartmentalization Third-Party code runs only in Worker Processes Powerful sandboxing HTTP pre-request logging

15 DLLHost.EXE ISAPI Extensions DLLHost.EXE ISAPI Extensions Rearchitecting IIS A review of IIS5 TCP/IP kernel user WinSock 2.0 INETINFO.EXE Metabase ISAPI Filters and Extensions DLLHost.EXE ISAPI Extensions INETINFO.EXE Metabase ISAPI Filters and Extensions

16 IIS 6.0 Request Processing Administration&MonitoringAdministration&Monitoring WWW Service HTTP CacheQueue Kernel mode User mode XMLMetabase Inetinfo FTPFTP NNTPNNTP SMTPSMTP IIS 6.0 RequestResponse Application Pools … X

17 Rearchitecting IIS A New Architecture for IIS6 GOAL: prevent apps from affecting system health Web service in INETINFO split out to do this: HTTP.SYS: kernel mode listener and request router WAS: config and process manager W3 Core: where apps get loaded Multiple W3 Cores WAS W3 Core web app HTTP.SYS kernel

18 Rearchitecting IIS HTTP.SYS What is it? Kernel-mode HTTP stack/listener Always running Reliability Features Process routing based on URL Request queues: kernel-mode queuing Performance Features Kernel-mode response cache Text-based and binary logging

19 Rearchitecting IIS HTTP.SYS TCP/IP HTTP.SYS Send Response ResponseCache Response Cache HTTP.SYS API Listener Namespace Mapper HTTP Engine HTTP Parser Req. Queue REQUEST

20 Rearchitecting IIS Web Admin Service (WAS) Application Manager Manages lifetime of W3 Core(s) Configuration Manager Configures HTTP.SYS No application code Ensures reliability Easier to identify problems Hosted in SVCHOST.exe

21 Rearchitecting IIS W3 Core What is it? Main web processing DLL responsible for processing web requests Mini-web server Contains all web request processing functionality Loads ISAPIs – filters and extensions Separates request processing from rest of web server

22 Application Pools Application Isolation in Processes Can create 1 or more application pools Each served by 1 or more processes. Each worker process serves only 1 pool. Reqs routed directly to pool by HTTP.sys Isolate apps based on: Site/CustomerFunctionalityReliability

23 Application Pooling Configurable Worker Process ID Worker process can be started as: Network Service (default) Local System Local Service Configured ID

24 Recycling What is it and Why use it? What is it? Periodically restart applications based on: Uptime # of requests Scheduled time Memory consumption On-demand Why use it? Refresh apps to ensure availability Prevent bad apps from taking over the system

25 Recycling Overlapping Recycle kernel user WAS HTTP.SYS Old Worker Process ISAPI Exts & Filters Web Proc. Core DLL Ready for Recycle New Worker Process ISAPI Exts & Filters Web Proc. Core DLL Shut down Request startup ready Request

26 Countering DoS ISAPI Interaction – REPORT_UNHEALTHY HSE_REQ_REPORT_UNHEALTHY Goal: allow an ISAPI to report to IIS that it needs to be recycled. bResult = pECB-> ServerSupportFunction( pECB->ConnID,HSE_REQ_REPORT_UNHEALTHY,psz_reason_unhealthy,NULL,NULL); ASP Hang Detection Used to detect when ASP threads block in components

27 Health Detection Crash Detection & Rapid Fail Protection WAS detects process crash/AVs On failure Publish event to event log Check crash count If (Crash count > Max Crashes in time limit) Disable app pool Else start new process Rapid Fail Protection Only allow x crashes in y minutes Return 503s when invoked

28 ASP.NET Secure Config ASP.NET Security Layers Configuring ASP.NET Security Server-side Input Validation

29 ASP.NET Security Layers IISAuthentication URLScan (not specific to ASP.NET) Static file ACLs ASP.NET Web Service Extensions Authorization by Role and URL File access by ASP mapped extensions

30 ASP.NET Accounts When ASP.NET is enabled – a new account is created: ASPNET – and a new Group IIS_WPG Configurable in IIS Service Manager MMC For multiple Pools requiring complete isolation: Create low-priv accounts for each Pool Add to IIS_WPG group Config each Pool with appropriate Identity Both ASPNET and the IUSR_xxxx accounts need Read and Execute (ntfs) access to ASP.NET files (.aspx,.asmx, etc.) Careful of code-behind files that are being accessed – set ACLs appropriately – (aspx.cs, aspx.vb)

31 ASP.NET Config Files Understanding the.Config files XML files with Web and App settings ACL these files tightly Remove Users and Power Users Hierarchical application of security settings Machine.config Web.config (For all ASP.NET apps) App1 -> Web.config (Individual App settings) Resultant = inherited settings Settings: AuthN, AuthZ by Users, Roles (Domain and Forms) HTTP Verbs Allowed/Disallowed URLs File access Dont put Connection Strings or User/Pwds in here !!

32 Users and Roles Web.config – tag: ----------------------------------- roles="Administrators"/> roles="Users"/> Note: ? = all unauthenticated users

33 More Granular Control Web.config – tag: protection="All"/> Note: * = all users; HTTP Verbs can also be specified within the tag

34 ASP.NET Server-side Validation C# Example (1) – The Control void ValidateBtn_OnClick(object sender, EventArgs e) { if (Page.IsValid) if (Page.IsValid) { lblOutput.Text = "Page is valid."; lblOutput.Text = "Page is valid."; } else else { lblOutput.Text = "Page is not valid!"; lblOutput.Text = "Page is not valid!"; } } void ServerValidation (object source, ServerValidateEventArgs args) void ServerValidation (object source, ServerValidateEventArgs args) { try try { Regex r = new Regex(@"^\d{4}$"); # Digits only – exactly 4 if (!r.Match(args).Success) if (!r.Match(args).Success) throw new Exception("Invalid ID"); throw new Exception("Invalid ID"); } … … … …

35 ASP.NET Server-side Validation C# Example (2) – Hooking the Control My CustomValidator Example My CustomValidator Example Font-Name=Tahoma" Font-Size="10pt" />

36 Scanning an IIS 6 Default Box Scanning an ASP.NET enabled Box Log Parser IISLockDown/URLScan Web Extensions

37 Summary Completely new Architecture Kernel mode request handling Complete Application Isolation Secure Defaults At the Code Level Deployment – Default IIS box is only a static web server – Admin must turn on what is needed IIS/ASP.NET focus on App-layer security Web Service Extensions URLScan ASP.Net.config files Server-side Controls > 10,000 sites already live on IIS 6.0 running production since RC1

38 Questions ???

Download ppt "IIS 6.0 SECURITY ARCHITECTURE Its a Whole New World Michael Muckin Security Architect Microsoft Consulting Services."

Similar presentations

Ads by Google