
1 SEC312 Securing Internet Information Services Vikas Malhotra Program Manager Internet Information Services

2 Agenda
- The journey: where we were
- Security challenges
- What we did: approach and methodology used
- Where we are today and where we are going

3 Our Journey Step #1 Understanding The Challenges

4 Analyzing Pre-IIS 6.0 Vulnerabilities
Challenges:
- Canonicalization problems
- Buffer overflows
- Extensive resource usage
- Cross-site scripting
- Everything enabled by default
Results:
- Remote command execution
- Elevation of privilege
- Information disclosure
- Denial of service

5 Web Server Vulnerability Distribution
Web server component (the per-component severity column is a chart on the slide):
- IIS core
- ASP
- Server-side includes (SSINC.DLL)
- Internet Data Connector (HTTPODBC.DLL)
- WebDAV (HTTPEXT.DLL)
- Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
- Internet Printing ISAPI (MSW3PRT.DLL)
- FrontPage Server Extensions (various)
- Password change functionality (ISM.DLL)

6 Understanding What An Attacker Is Doing … (demo)

7 Buffer Overruns at Work
Stack frame layout, from lower to higher addresses: Buffers | Other vars | EBP | EIP | Args

    void foo(char *p, int i)
    {
        int j = 0;
        CFoo foo;
        int (*fp)(int) = &func;
        char b[16];
    }

Question: What happens if we assign the value p to b and p > 16 characters?

8 Buffer Overruns at Work
Stack frame layout, from lower to higher addresses: Buffers | Other vars | EBP | EIP | Args
Anything stored above the buffer can be overwritten by the overrun:
- Function return address
- Exception handlers
- Function pointers
- Virtual methods

9 Now the buffer overflow demo … (demo)

10 Don’t worry, we fixed these types of problems …
- Compiled with the /GS compiler option (the canary!)
- Reduced request limit (16k)
- Internal and external code reviews
… these and many more in just a few minutes …
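To make the picture on slides 7 and 8 concrete, here is an added C example (not code from the talk or from IIS). It models one stack frame as a struct whose fields sit in stack order, performs the unchecked copy the slide 7 question describes, and shows what a /GS-style cookie check sees afterwards. The struct layout, the fixed GS_COOKIE value and the sample strings are illustrative assumptions: the real cookie is placed by the compiler, chosen at load time, and verified in the function epilogue before ret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the frame on the slide, fields in the order the stack lays
 * them out from low to high addresses: the local buffer, then the /GS cookie
 * (the "canary"), then the saved frame pointer and the return address.
 * Using one struct keeps the overrun inside a single object, so the demo
 * stays well-defined C while still showing which fields get clobbered.
 */
struct frame {
    char     b[16];      /* char b[16] from the slide */
    uint32_t cookie;     /* /GS cookie, checked before the function returns */
    uint32_t saved_ebp;  /* saved EBP of the caller */
    uint32_t ret_addr;   /* EIP that 'ret' would jump to */
};

/* Assumption: a fixed cookie. The real /GS cookie is randomized at load time. */
#define GS_COOKIE 0xA5C3E1F7u

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->cookie    = GS_COOKIE;
    f->saved_ebp = 0xBFFFF000u;   /* arbitrary illustrative values */
    f->ret_addr  = 0x00401000u;
}

/* Unchecked copy: what "assign p to b" does when p is longer than b. Bytes
 * past b[15] land on the cookie, then saved EBP, then the return address.
 * The copy is clamped to the struct so the demo never leaves the object. */
static void unchecked_copy(struct frame *f, const char *p) {
    size_t n = strlen(p) + 1;            /* strcpy copies the NUL too */
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, p, n);
}

/* Hardened copy: refuse input that does not fit (the same idea as a request
 * size limit). Returns 0 on success, -1 if p would not fit with its NUL. */
int checked_copy(struct frame *f, const char *p) {
    size_t n = strlen(p);
    if (n >= sizeof f->b) return -1;
    memcpy(f->b, p, n + 1);
    return 0;
}

/* What the /GS epilogue check sees after the unchecked copy:
 * 1 if the cookie was clobbered (the process would be terminated), else 0. */
int gs_check_fires(const char *p) {
    struct frame f;
    frame_init(&f);
    unchecked_copy(&f, p);
    return f.cookie != GS_COOKIE;
}

/* Where 'ret' would go with no cookie check: the return address field
 * after the unchecked copy. */
uint32_t ret_addr_after_overrun(const char *p) {
    struct frame f;
    frame_init(&f);
    unchecked_copy(&f, p);
    return f.ret_addr;
}

int main(void) {
    char aaaa[33];                        /* constructed 32-byte input */
    memset(aaaa, 'A', 32);
    aaaa[32] = '\0';
    struct frame f;
    frame_init(&f);

    printf("15 chars fit:       checked_copy -> %d\n", checked_copy(&f, "GET /default.as"));
    printf("16 chars rejected:  checked_copy -> %d\n", checked_copy(&f, "GET /default.asp"));
    printf("16 chars unchecked: /GS fires -> %d\n", gs_check_fires("GET /default.asp"));
    printf("32 x 'A' unchecked: ret_addr = 0x%08lX\n",
           (unsigned long)ret_addr_after_overrun(aaaa));
    return 0;
}
```

A 16-character string already overwrites the first cookie byte with its terminating NUL, which is exactly the case the cookie exists to catch; 32 bytes reach the return address and replace it with 0x41414141, the attacker-controlled EIP the slide warns about.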

11 Our Journey Step #2 Understanding Our Product

12 Product Quality: Finding Vulnerabilities In Existing Code
- Start with education (like the demo)
- Identify attack paths and access categories; prioritize critical areas
- Discover threats, design flaws and vulnerabilities: threat models, data flow diagrams
- Understand overall security risk
- Develop mitigating strategies

13 Product Quality: Secure By Design
The analysis runs in four phases:
Identify Threat Paths
- Identify overall security strengths
- Identify Threat Path entry points and privilege boundaries
- Identify Access Categories
- Prioritize discussion based on Access Category
Identify Threats
- Identify components on the Threat Path
- Determine component actions on the Threat Path
- Enumerate potential threats to each component on the Threat Path
Identify Vulnerabilities
- Identify mitigating or preventative security measures
- Determine whether the threat is a vulnerability
- Classify the vulnerability
Rank and Remedy Vulnerabilities
- Identify compounding vulnerabilities
- Plot vulnerability on a risk chart
- Determine mitigation or remediation strategy

14 Product Quality: Identify Threat Paths
Goals:
- Identify specific threats to the application
- Prioritize
- Ensure complete analysis
Output:
- Data flow diagram, including privilege boundaries
- Access categories
- Threat paths
Steps:
- Identify overall security strengths
- Identify Threat Path entry points and privilege boundaries
- Identify Access Categories
- Prioritize discussion based on Access Category

15 Product Quality: IIS access categories
- Remote anonymous user (example: www.microsoft.com)
- Remote authenticated user (example: online banking application)
- Remote authenticated user with file manipulation capability (example: ISP)
- Local user with execute privileges (example: Terminal Server)
- Local administrator

16 System Behavior Modeling
- Graphic representation showing communication between objects
- Describes activities that process data
- Shows how data flows through a system
- Shows the logical sequence of associations and activities
- Sometimes known as a process model (similar to DFD modeling)

17 More Detail: Level 0

18 Even More Detail: Level 1

19 Identify Threats
Goals:
- Identify security-critical processing along the threat paths
- Determine the overall threat profile
Output:
- List of application-specific threats
Steps:
- Identify components on the Threat Path
- Determine component actions on the Threat Path
- Enumerate potential threats to each component on the Threat Path

20 Identify Vulnerabilities
Goals:
- Determine specific security weaknesses
- Identify areas for focused code review or QA testing
Output:
- List of specific vulnerabilities
- Areas requiring further analysis
Steps:
- Identify mitigating or preventative security measures
- Determine whether the threat is a vulnerability
- Classify the vulnerability

21 Rank And Remedy
Goals:
- Prioritize vulnerabilities for remediation
- Determine the appropriate mitigation strategy
- Understand risk
Output:
- Risk chart
- Resolution roadmap
Steps:
- Identify compounding vulnerabilities
- Plot vulnerability on a risk chart
- Determine mitigation or remediation strategy

22 Plot Vulnerability On A Risk Chart (Rank and Remedy Vulnerabilities; the risk chart itself is a figure on the slide)

23 Our Journey Step #3 How We Used What We Learned To Improve IIS

24 IIS 5 Request Processing (diagram)
- Kernel mode: TCP/IP, AFD, WinSock
- User mode: INETINFO.exe handles the request and response, hosts the FTP, NNTP and SMTP services and reads the Metabase; out-of-process applications run in DLLHOST.exe instances

25 IIS 6.0 Request Processing (diagram)
- Kernel mode: the HTTP listener (HTTP.sys) with its response cache and request queues, on top of TCP/IP
- User mode: WWW Service (administration and monitoring); Inetinfo with the XML metabase and the FTP, NNTP and SMTP services; requests are handed to worker processes in application pools

26 Reduced Attack Surface
- Windows Server 2003 disables 20+ services
- IIS is not installed by default on Windows Server 2003
- Now if you install IIS, a clean install leaves the components in these states:

IIS component                   IIS 5.0 clean install   IIS 6.0 clean install
Static file support             enabled                 enabled
ASP                             enabled                 disabled
Server-side includes            enabled                 disabled
Internet Data Connector         enabled                 disabled
WebDAV                          enabled                 disabled
Index Server ISAPI              enabled                 disabled
Internet Printing ISAPI         enabled                 disabled
CGI                             enabled                 disabled
FrontPage Server Extensions     enabled                 disabled
Password change functionality   enabled                 disabled
SMTP                            enabled                 disabled
FTP                             enabled                 disabled
ASP.NET                         not available           disabled
BITS                            not available           disabled

27 Secure By Design: IIS 6.0 Architecture
- IIS processes run with the lowest possible privilege
- Third-party code runs only in worker processes
- Improved isolation and sandboxing
- HTTP.sys: per-request logging; reduces DoS attacks
- Advanced health monitoring: recycling, CPU accounting

28 Secure By Default: IIS 6.0 Architecture
- No executable virtual directories (/SCRIPTS and /MSADC)
- Secure timeouts and limits: 16k request limit
- Old legacy code removed: ISM.DLL (/.HTR), sub-authentication, "check if file exists"

29 Secure By Default
- Command-line files not executable
- Restrictive URL canonicalization; NTFS canonicalization
- Content write-protected
- Strong ACLs on log files, the custom error directory and cache directories
- ASP: AspEnableParentPaths = FALSE
- Hang detection: internal health detection
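The "restrictive URL canonicalization" bullet is easiest to understand as a rule set, so here is an added C example (not IIS code) that applies one such rule set to a request path: percent-decode exactly once, then normalise separators and resolve "." and ".." segment by segment against the web root, rejecting anything that still contains a '%' (a double-encoding attempt), carries a control or non-ASCII byte, or would climb above the root. The ASCII-only policy and the exact error codes are assumptions of this example; the sample paths in main() are constructed here in the shape of classic traversal attempts and are not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Result codes: CANON_OK means the path was accepted and written to out. */
enum canon_result {
    CANON_OK = 0,
    CANON_BAD_ESCAPE,      /* '%' not followed by two hex digits */
    CANON_DOUBLE_ENCODED,  /* a '%' survived the single decode pass */
    CANON_BAD_BYTE,        /* control byte or non-ASCII byte after decoding (policy assumption) */
    CANON_ESCAPES_ROOT,    /* ".." would climb above the web root */
    CANON_TOO_LONG
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Pass 1: percent-decode exactly once. The output is never decoded again,
 * which is what closes the double-decode class of bugs. */
static int decode_once(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return CANON_BAD_ESCAPE;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dstlen) return CANON_TOO_LONG;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return CANON_OK;
}

/* Pass 2: treat '/' and '\' alike, drop empty and "." segments, resolve ".."
 * against segments already accepted, refuse to pop past the root. The result
 * starts with '/', has no trailing '/' (except the root itself), no
 * backslashes and no empty segments, so the file system sees one spelling. */
int canonicalize(const char *url, char *out, size_t outlen) {
    char dec[1024];
    int rc = decode_once(url, dec, sizeof dec);
    if (rc != CANON_OK) return rc;
    if (outlen < 2) return CANON_TOO_LONG;

    size_t o = 1;
    out[0] = '/';                                  /* out ends in '/' while building */
    const char *p = dec;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (*p != '\0') p++;                       /* skip the separator */

        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o == 1) return CANON_ESCAPES_ROOT;  /* nothing left to pop */
            o--;                                    /* step over trailing '/' */
            while (out[o - 1] != '/') o--;          /* pop the last segment */
            continue;
        }
        for (size_t k = 0; k < len; k++) {
            unsigned char c = (unsigned char)seg[k];
            if (c == '%') return CANON_DOUBLE_ENCODED;
            if (c < 0x20 || c >= 0x7F) return CANON_BAD_BYTE;
        }
        if (o + len + 1 >= outlen) return CANON_TOO_LONG;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1) o--;                                /* drop trailing '/' except for root */
    out[o] = '\0';
    return CANON_OK;
}

int main(void) {
    /* Constructed sample request paths, not captured traffic. */
    const char *samples[] = {
        "/default.asp",
        "/images/../default.asp",
        "/scripts/..%5c../winnt/system32/cmd.exe",
        "/scripts/..%255c../winnt/system32/cmd.exe",
        "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = canonicalize(samples[i], out, sizeof out);
        printf("%-45s -> %s\n", samples[i], rc == CANON_OK ? out : "REJECTED");
    }
    return 0;
}
```

The order matters: decoding once and then resolving segments means "..%5c.." is seen as a literal name (and rejected for its residual '%'), while a single-encoded "..\" becomes a real ".." and is checked against the root. Rejecting any residual '%' also rejects legitimate file names containing a percent sign; that trade-off is the "restrictive" part and is a policy choice of this example.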

30 Walkthrough Of Some New Security Features (demo)
- App pool identity (and settings)
- Web Service Extension list
- 404 error messages

31 Our Journey Step #4 Our Efforts Going Forward

32 Product Quality: Secure By Design
- Company-wide cultural shift with executive sponsorship: training, process shift
- Security design review for every feature: threat modeling
- Development practices: /GS compiler option, PREfix/PREfast runs, single string class
- QFE and IIS core team merged
- Code review for every change
- External reviews

33 Product Quality: Secure By Default
- Test practices: tests verify that all previous vulnerabilities remain fixed; new test infrastructure
- External and internal tools: expand testing beyond regression
- IIS tools: buffer overflow scanner, cross-site scripting scanner

34 Secure In Deployment
- Improved patch management: Software Update Services, SMS
- No reboots: updates take effect through worker process recycling
- Resource-free DLLs

35 Bonus demos! SSL-related demos: SelfSSL, SSL Diagnostics

36 Summary
- New IIS architecture for greater security and reliability
- Security improvements for IIS 4.0 and 5.0 continue through ongoing patches and security roll-ups
- Stay informed and keep systems up to date

37 Ask The Experts: Get Your Questions Answered
I will be in the ATE after this session and throughout the week. Other Program Managers and IIS Support Professionals are here and will also be working in the ATE to help you out.

38 Community Resources
- IIS Community Portal: http://www.microsoft.com/windowsserver2003/community/centers/iis/
- IIS Portal: http://www.microsoft.com/iis
- IIS Newsgroups: Microsoft.public.inetserver.iis, Microsoft.public.inetserver.iis.ftp, Microsoft.public.inetserver.iis.security
- Newsgroups (converse online with Microsoft newsgroups, including worldwide): http://www.microsoft.com/communities/newsgroups/default.mspx
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- User Groups (meet and learn with your peers): http://www.microsoft.com/communities/usergroups/default.mspx

39 Suggested Reading And Resources
The tools you need to put technology to work!
- Microsoft Windows Security Resource Kit (ISBN 0-7356-1868-2): available today
- Internet Information Services (IIS) 6.0 Resource Kit (ISBN 0-7356-1420-2): available 8/27/03
Microsoft Press books are 20% off at the TechEd Bookstore. Buy any two Microsoft Press books and get a free T-shirt.

40 Evaluations

41 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Questions? Product Feedback? vmalhot@microsoft.com


