Published by Francis Bryant. Modified over 8 years ago.
1
SEC312: Securing Internet Information Services
Vikas Malhotra, Program Manager, Internet Information Services
2
Agenda
The Journey …
  Where we were
  Security Challenges
  What we did
  Approach and methodology used
  Where we are today and where we are going
3
Our Journey, Step #1: Understanding The Challenges
4
Analyzing Pre-IIS 6.0 Vulnerabilities
Challenges:
  Canonicalization Problems
  Buffer Overflow
  Extensive Resource Usage
  Cross-Site Scripting
  Enabled Everything
Results:
  Remote Command Execution
  Elevation of Privilege
  Information Disclosure
  Denial-of-Service
5
Web Server Vulnerability Distribution
Web Server Components | Severity
  IIS Core
  ASP
  Server-side includes (SSINC.DLL)
  Internet Data Connector (HTTPODBC.DLL)
  WebDAV (HTTPEXT.DLL)
  Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL)
  Internet Printing ISAPI (MSW3PRT.DLL)
  Frontpage Server Extensions (div.)
  Password Change Functionality (ISM.DLL)
6
Understanding What An Attacker Is Doing … (demo)
7
Buffer Overruns at Work
Stack layout, toward higher addresses: Buffers | Other vars | EBP | EIP | Args
    void foo(char *p, int i) {
        int j = 0;
        CFoo foo;
        int (*fp)(int) = &func;
        char b[16];
    }
Question: What happens if we assign the value p to b and p > 16 characters?
8
Buffer Overruns at Work
Stack layout, toward higher addresses: Buffers | Other vars | EBP | EIP | Args
  Function return address
  Exception handlers
  Function pointers
  Virtual methods
9
Now the buffer overflow demo … (demo)
10
Don’t worry, we fixed these types of problems …
  Compiled with the /GS compiler option (the canary!)
  Reduced request limit (16k)
  Internal and external code reviews
… these and many more in just a few minutes …
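An added example (not from the original slides): it models the foo() frame from the earlier slide as a struct to show what a /GS-style guard value detects when p is longer than b, next to a length-checked copy. COOKIE, struct frame and the helper names are assumptions made for the illustration; the real /GS cookie is not a fixed constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constant for the demo; the real /GS cookie is set at run time. */
#define COOKIE 0xC0FFEE42u

static int func(int x) { return x + 1; }

/* Simulated frame in the slide's order: buffer at the lowest address,
   then a guard value, then the function pointer an overrun would reach. */
struct frame {
    char     b[16];
    uint32_t cookie;
    int    (*fp)(int);
};

/* The slide's question: copy p into b without checking its length.
   The write is clamped to the struct so the simulation stays well-defined. */
static void unchecked_copy(struct frame *f, const char *p, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, p, n);
}

/* Hardened form: reject input that does not fit b with its terminator. */
static int bounded_copy(struct frame *f, const char *p, size_t n) {
    if (n >= sizeof f->b) return -1;
    memcpy(f->b, p, n);
    f->b[n] = '\0';
    return 0;
}

/* Returns fp's result if the guard is intact, -2 if the guard check fails
   (the point where /GS-compiled code stops instead of using the frame). */
static int run_unchecked(const char *p, size_t n) {
    struct frame f = { {0}, COOKIE, func };
    unchecked_copy(&f, p, n);
    return (f.cookie != COOKIE) ? -2 : f.fp(41);
}

/* Returns fp's result on success, -1 if the input was rejected. */
static int run_bounded(const char *p, size_t n) {
    struct frame f = { {0}, COOKIE, func };
    return (bounded_copy(&f, p, n) != 0) ? -1 : f.fp(41);
}

int main(void) {
    const char *in = "AAAAA" "AAAAA" "AAAAA" "AAAAA"; /* constructed 20-byte input */
    printf("unchecked 15: %d, unchecked 20: %d\n", run_unchecked(in, 15), run_unchecked(in, 20));
    printf("bounded 15: %d, bounded 20: %d\n", run_bounded(in, 15), run_bounded(in, 20));
    return 0;
}
```

The guard only detects the overwrite after it has happened; the bounded copy is what prevents it.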
11
Our Journey, Step #2: Understanding Our Product
12
Product Quality: Finding Vulnerabilities In Existing Code
  Start with education (like the demo)
  Identify attack paths, access categories, and prioritize critical areas
  Discover threats, design flaws and vulnerabilities
  Threat models
  Data Flow Diagrams
  Understand overall security risk
  Develop mitigating strategies
13
Product Quality: Secure By Design
Identify Threat Paths:
  Identify overall security strengths
  Identify Threat Path entry points and privilege boundaries
  Prioritize discussion based on Access Category
  Identify Access Categories
Identify Threats:
  Identify components on the Threat Path
  Determine component actions on the Threat Path
  Enumerate potential threats to each component on the Threat Path
Identify Vulnerabilities:
  Identify mitigating or preventative security measures
  Determine whether the threat is a vulnerability
  Classify the vulnerability
Rank and Remedy Vulnerabilities:
  Identify compounding vulnerabilities
  Plot vulnerability on a risk chart
  Determine mitigation or remediation strategy
14
Product Quality: Identify Threat Paths
Goals:
  Identify specific threats to the application
  Prioritize
  Ensure complete analysis
Output:
  Data flow diagram, including privilege boundaries
  Access categories
  Threat paths
Steps (Identify Threat Paths):
  Identify overall security strengths
  Identify Threat Path entry points and privilege boundaries
  Prioritize discussion based on Access Category
  Identify Access Categories
15
Product Quality: IIS access categories
  Remote anonymous user (Example: www.microsoft.com)
  Remote authenticated user (Example: Online banking application)
  Remote authenticated user with file manipulation capability (Example: ISP)
  Local user with execute privileges (Example: Terminal Server)
  Local administrator
16
System Behavior Modeling
  Graphic representation showing communication between objects
  Describes activities that process data
  Shows how data flows through a system
  Shows logical sequence of associations and activities
  Sometimes known as a process model (similar to DFD modeling)
17
More Detail: Level 0
18
Even More Detail: Level 1
19
Identify Threats
Goals:
  Identify security-critical processing along the threat paths
  Determine overall threat profile
Output:
  List of application-specific threats
Steps (Identify Threats):
  Identify components on the Threat Path
  Determine component actions on the Threat Path
  Enumerate potential threats to each component on the Threat Path
20
Identify Vulnerabilities
Goals:
  Determine specific security weaknesses
  Identify areas for focused code review or QA testing
Output:
  List of specific vulnerabilities
  Areas requiring further analysis
Steps (Identify Vulnerabilities):
  Identify mitigating or preventative security measures
  Determine whether the threat is a vulnerability
  Classify the vulnerability
21
Rank And Remedy
Goals:
  Prioritize vulnerabilities for remediation
  Determine appropriate mitigation strategy
  Understand risk
Output:
  Risk chart
  Resolution roadmap
Steps (Rank and Remedy Vulnerabilities):
  Identify compounding vulnerabilities
  Plot vulnerability on a risk chart
  Determine mitigation or remediation strategy
22
Plot Vulnerability On A Risk Chart (Rank and Remedy Vulnerabilities)
23
Our Journey, Step #3: How We Used What We Learned To Improve IIS
24
IIS 5 Request Processing
[Diagram labels: Kernel mode, User mode, Metabase, INETINFO.exe, Request, Response, DLLHOST.exe, TCP/IP, FTP, NNTP, SMTP, AFD, WinSock]
25
IIS 6.0 Request Processing
[Diagram labels: Administration & Monitoring, WWW Service, HTTP, Cache, Queue, Kernel mode, User mode, XML Metabase, Inetinfo, FTP, NNTP, SMTP, IIS 6.0, Request, Response, Application Pools, TCP/IP]
26
Reduced Attack Surface
  Windows Server 2003 disables 20+ Services
  IIS is not installed on Windows 2003 Server
  Now if you install IIS…
IIS components | IIS 5.0 clean install | IIS 6.0 clean install
Static file support | enabled | enabled
ASP | enabled | disabled
Server-side includes | enabled | disabled
Internet Data Connector | enabled | disabled
WebDAV | enabled | disabled
Index Server ISAPI | enabled | disabled
Internet Printing ISAPI | enabled | disabled
CGI | enabled | disabled
Frontpage Server Extensions | enabled | disabled
Password Change Functionality | enabled | disabled
SMTP | enabled | disabled
FTP | enabled | disabled
ASP.NET | X | disabled
BITS | X | disabled
27
Secure By Design: IIS 6.0 Architecture
  IIS processes run with the lowest possible privilege
  Third-Party code runs only in Worker Processes
  Improved Isolation and Sandboxing
  HTTP Per-Request Logging
  Reduces DoS attacks
  Advanced Health Monitoring
  Recycling
  CPU Accounting
28
Secure By Default: IIS 6.0 Architecture
  No Executable virtual directories
    /SCRIPTS and /MSADC
  Secure Timeouts And Limits
    16k Request Limit
  Old Legacy Code Removed
    ISM.DLL /.HTR
    Sub-Authentication
  Check if File Exists
29
Secure By Default
  Command Line Files not executable
  Restrictive URL Canonicalization
  NTFS canonicalization
  Content write protected
  Strong ACLs on Logfiles
  Custom Error Directory
  On Cache Directories
  ASP
    ASPEnableParentPath = FALSE
    Hang detection
    Internal Health Detection
30
Walkthrough Of Some New Security Features (demo)
  App Pool Identity (and settings)
  Web Extension List
  404 Error Messages
31
Our Journey, Step #4: Our Efforts Going Forward
32
Product Quality: Secure By Design
  Company wide Cultural Shift with Executive Sponsorship
  Training
  Process shift
  Security Design Review for Every Feature
  Threat Modeling
  Development Practices
  /GS Compiler option
  Prefix/Prefast runs
  Single String Class
  QFE and IIS core team merged
  Code review for every change
  External Reviews
33
Product Quality: Security By Default
  Test Practices
  Tests to verify all previous vulnerabilities still fixed
  New Test Infrastructure
  External Tools and Internal Tools
  Expand Testing Beyond Regression
  IIS Tools
  Buffer Overflow Scanner
  Cross-site Scripting
34
Secure In Deployment
  Improved Patch Management
  Software Update Services
  SMS
  No reboots through recycling
  Resource-free DLLs
35
Bonus demos! SSL related demos
  Self SSL
  SSL Diagnostics
36
Summary
  New IIS architecture for greater security and reliability
  Improvements to enhance IIS 4.0 and 5.0 security are made continuously through ongoing patches and security roll-ups
  Stay informed and keep systems up to date
37
Ask The Experts: Get Your Questions Answered
  I will be in the ATE after this session and throughout the week
  Other Program Managers and IIS Support Professionals are here and will also be working in the ATE to help you out
38
Community Resources
  IIS Community Portal: http://www.microsoft.com/windowsserver2003/community/centers/iis/
  IIS Portal: http://www.microsoft.com/iis
  IIS Newsgroups: Microsoft.public.inetserver.iis, Microsoft.public.inetserver.iis.ftp, Microsoft.public.inetserver.iis.security
  Newsgroups (Converse online with Microsoft Newsgroups, including Worldwide): http://www.microsoft.com/communities/newsgroups/default.mspx
  Community Resources: http://www.microsoft.com/communities/default.mspx
  Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
  User Groups (Meet and learn with your peers): http://www.microsoft.com/communities/usergroups/default.mspx
39
Suggested Reading And Resources
The tools you need to put technology to work!
TITLE | Available
Microsoft® Windows® Security Resource Kit: 0-7356-1868-2 | Today
Internet Information Services (IIS) 6.0 Resource Kit: 0-7356-1420-2 | 8/27/03
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
40
evaluations
41
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Questions? Product Feedback? vmalhot@microsoft.com