SEC312 Securing Internet Information Services Vikas Malhotra Program Manager Internet Information Services

Agenda Agenda The Journey … Where we were Security Challenges What we did Approach and methodology used Where we are today and where we are going

Our Journey Step #1 Understanding The Challenges

Analyzing Pre-IIS 6.0 Vulnerabilities Challenges Canonicalization Problems Buffer Overflow Extensive Resource Usage Cross-Site Scripting Enabled Everything Results Remote Command Execution Elevation of Privilege Information Disclosure Denial-of-Service

Web Server Vulnerability Distribution Web Server ComponentsSeverity IIS Core ASP Server-side includes (SSINC.DLL) Internet Data Connector (HTTPODBC.DLL) WebDAV (HTTPEXT.DLL) Index Server ISAPI (WEBHITS.DLL, QUERY.DLL, IDQ.DLL Internet Printing ISAPI (MSW3PRT.DLL Frontpage Server Extensions (div.) Password Change Functionality (ISM.DLL)

Understanding What An Attacker Is Doing … demo demo

Buffer Overruns at Work Higher addresses BuffersOther vars EBP EIP Args void foo(char *p, int i) { int j = 0; CFoo foo; int (*fp)(int) = &func; char b[16]; } Question: What happens if we assign the value p to b and p > 16 characters?

Buffer Overruns at Work Higher addresses BuffersOther vars EBP EIP Args Function return address Exception handlers Function pointers Virtual methods

Now the buffer overflow demo … demo demo

Don’t worry, we fixed these types of problems … Compiled with the /GS Complier option (the canary!) Reduced request limit (16k) Internal and external code reviews … these and many more in just a few minutes …

Our Journey Step #2 Understanding Our Product

Product Quality Finding Vulnerabilities In Existing Code Start with education (like the demo) Identify attack paths, access categories, and prioritize critical areas Discover threats, design flaws and vulnerabilities Threat models Data Flow Diagrams Understand overall security risk Develop mitigating strategies

Product Quality Secure By Design Identify overall security strengths Identify Threat Path entry points and privilege boundaries Prioritize discussion based on Access Category Identify Access Categories Identify components on the Threat Path Determine component actions on the Threat Path Enumerate potential threats to each component on the Threat Path Identify mitigating or preventative security measures Determine whether the threat is a vulnerability Classify the vulnerability Identify compounding vulnerabilities Plot vulnerability on a risk chart Determine mitigation or remediation strategy Identify Threat Paths Identify Threats Rank and Remedy Vulnerabilities Identify Vulnerabilities

Product Quality Identify Threat Paths Goals Identify specific threats to the application Prioritize Ensure complete analysis Output Data flow diagram, including privilege boundaries Access categories Threat paths Identify overall security strengths Identify Threat Path entry points and privilege boundaries Prioritize discussion based on Access Category Identify Access Categories Identify Threat Paths

Product Quality IIS access categories Remote anonymous user Example: Remote authenticated user Example: Online banking application Remote authenticated user with file manipulation capability Example: ISP Local user with execute privileges Example: Terminal Server Local administrator

System Behavior Modeling Graphic representation showing communication between objects Describes activities that process data Shows how data flows through a system Shows logical sequence of associations and activities Sometimes known as a process model (similar to DFD modeling)

More Detail: Level 0

Even More Detail: Level 1

Identify Threats Goals Identify security-critical processing along the threat paths Determine overall threat profile Output List of application-specific threats Identify components on the Threat Path Determine component actions on the Threat Path Enumerate potential threats to each component on the Threat Path Identify Threats

Identify Vulnerabilities Goals Determine specific security weaknesses Identify areas for focused code review or QA testing Output List of specific vulnerabilities Areas requiring further analysis Identify mitigating or preventative security measures Determine whether the threat is a vulnerability Classify the vulnerability Identify Vulnerabilities

Rank And Remedy Goals Prioritize vulnerabilities for remediation Determine appropriate mitigation strategy Understand risk Output Risk chart Resolution roadmap Identify compounding vulnerabilities Plot vulnerability on a risk chart Determine mitigation or remediation strategy Rank and Remedy Vulnerabilities

Plot Vulnerability On A Risk Chart Rank and Remedy Vulnerabilities

Our Journey Step #3 How We Used What We Learned To Improve IIS

IIS 5 Request Processing Kernel mode User mode Metabase INETINFO.exe RequestResponse DLLHOST.exeDLLHOST.exe DLLHOST.exeDLLHOST.exe TCP/IP X X FTPFTP NNTPNNTP SMTPSMTP AFD WinSock

IIS 6.0 Request Processing Administration&MonitoringAdministration&Monitoring WWW Service HTTPHTTP CacheCacheQueueQueue Kernel mode User mode XMLMetabase Inetinfo FTPFTP NNTPNNTP SMTPSMTP IIS 6.0 RequestResponse Application Pools … X TCP/IP

Reduced Attack Surface Windows Server 2003 disables 20+ Services IIS is not installed on Windows 2003 Server Now if you install IIS… IIS componentsIIS 5.0 clean installIIS 6.0 clean install Static file supportenabled ASPenableddisabled Server-side includesenableddisabled Internet Data Connectorenableddisabled WebDAVenableddisabled Index Server ISAPIenableddisabled Internet Printing ISAPIenableddisabled CGIenableddisabled Frontpage Server Extensionsenableddisabled Password Change Functionalityenableddisabled SMTPenableddisabled FTPenableddisabled ASP.NETXdisabled BITSXdisabled

IIS processes run with the lowest possible privilege Third-Party code runs only in Worker Processes Improved Isolation and Sandboxing HTTP Per-Request Logging Reduces DoS attacks Advanced Health Monitoring Recycling CPU Accounting Secure By Design IIS 6.0 Architecture

Secure By Default IIS 6.0 Architecture No Executable virtual directories /SCRIPTS and /MSADC Secure Timeouts And Limits 16k Request Limit Old Legacy Code Removed ISM.DLL /.HTR Sub-Authentication Check if File Exists

Secure By Default Command Line Files not executable Restrictive URL Canonicalization NTFS canonicalization Content write protected Strong ACL’s on Logfiles Custom Error Directory On Cache Directories ASP ASPEnableParentPath = FALSE Hang detection Internal Health Detection

Walkthrough Of Some New Security Features demo demo App Pool Identity (and settings) Web Extension List 404 Error Messages

Our Journey Step #4 Our Efforts Going Forward

Product Quality Secure By Design Company wide Cultural Shift with Executive Sponsorship Training Process shift Security Design Review for Every Feature Threat Modeling Development Practices /GS Complier option Prefix/Prefast runs Single String Class QFE and IIS core team merged Code review for every change External Reviews

Product Quality Security By Default Test Practices Tests to verify all previous vulnerabilities still fixed New Test Infrastructure External Tools and Internal Tools Expand Testing Beyond Regression IIS Tools Buffer Overflow Scanner Cross-site Scripting

Secure In Deployment Improved Patch Management Software Update Services SMS No reboots through recycling Resource-free DLL’s

Bonus demos! – SSL related demos Self SSL SSL Diagnostics

Summary New IIS architecture for greater security and reliability Improvements to enhance IIS 4.0 and 5.0 security are continuously being done through ongoing patches and security roll-ups Stay informed and keep systems up to date

Ask The Experts Get Your Questions Answered I will be in the ATE after this session and throughout the week Other Program Managers and IIS Support Professionals are here and will be also working in the ATE to help you out

Community Resources IIS Community Portal IIS Portal IIS Newsgroups Microsoft.public.inetserver.iis Microsoft.public.inetserver.iis.ftp Microsoft.public.inetserver.iis.security Newsgroups Converse online with Microsoft Newsgroups, including Worldwide Community Resources Most Valuable Professional (MVP) User Groups Meet and learn with your peers

Suggested Reading And Resources The tools you need to put technology to work! TITLE Available Microsoft® Windows® Security Resource Kit: Today Internet Information Services (IIS) 6.0 Resource Kit: /27/03 Microsoft Press books are 20% off at the TechEd Bookstore Also buy any TWO Microsoft Press books and get a FREE T-Shirt

evaluations evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Questions? Product Feedback?

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.