Securing Microsoft IIS
Cornell University Security Seminar
July 25th, 2001
Moe Arif and Thomas P. Braun
CIT, Systems & Operations
This web page is also available as PowerPoint slides
Overview
- Introduction:
- vulnerabilities, exploits and scope
- Tutorial on prevention:
- setup, configuration, and patching
- Discussion:
- maintain current patch levels
- prevent "rogue servers"
- alert mechanisms
- alternatives
- ...
Vulnerabilities: Internet Information Services 5.0
- MS01-033 (June 2001): Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
- MS01-026 (May 2001): Superfluous Decoding Operation Could Allow Command Execution via IIS
- MS01-025 (May 2001): Index Server Search Function Contains Unchecked Buffer
- MS01-023 (May 2001): Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
- MS01-016 (March 2001): Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
- MS01-014 (March 2001): Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000
- MS01-004 (January 2001): Malformed .HTR Request Allows Reading of File Fragments
- MS00-100 (December 2000): Malformed Web Form Submission Vulnerability
- MS00-086 (November 2000): Web Server File Request Parsing Vulnerability
- MS00-084 (November 2000): Indexing Services Cross Site Scripting Vulnerability
- MS00-080 (October 2000): Session ID Cookie Marking Vulnerability
- MS00-078 (October 2000): Web Server Folder Traversal Vulnerability
- MS00-060 (August 2000): IIS Cross-Site Scripting Vulnerabilities
- MS00-058 (August 2000): Specialized Header Vulnerability
Exploits: "code red"
- July 2001 (released 07/13, peak 07/19)
- "Most successful" worm since Morris worm
- Exploits known vulnerability in IIS / Indexing server (MS01-033)
- Resides in memory (and on the wire); does not change the content of the hard drive
- At least two versions exist
- Operates in three phases:
- Propagation
- Attack www.whitehouse.gov
- Sleep...
- "Quick fix": reboot (host is still vulnerable)
- Containment (@cornell.edu): block traffic to (remote) port 80 from infected hosts
- Recovery:
- Apply patches (IIS and indexing server)
- Reboot
- Notify [email protected] to remove block
Exploits: "UNICODE"
Defacements:
- Individual (manual)
- sadmind worm (Solaris->IIS)
- Easy to detect :-)
- Log entry:
2001-07-25 11:20:51 [evil attacker] - [unpatched server] 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>.././index.asp 502 -
Access to local files and directories:
- The UNICODE exploit lets the attacker run arbitrary commands through cmd.exe in the context of the web server's anonymous account (IUSR_<machine>); on a default installation that is enough to read, alter and deface content and is routinely the first step to full control of the computer
- Log entry:
2001-07-25 11:20:51 [evil attacker] - [unpatched server] 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 200 -
2001-07-25 11:20:51 [evil attacker] - [unpatched server] 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 200 -
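Both the Code Red request and the UNICODE/cmd.exe requests above are easy to pick out of the W3C extended logs IIS writes, once each logged URL is brought into the form the server itself ended up with. The following Python script is an added example (not part of the seminar material): it parses the #Fields directive, normalizes each cs-uri-stem by replaying the decoding steps of an unpatched IIS (the overlong UTF-8 forms of MS00-078 and the second, superfluous decode of MS01-026), and flags Code Red's .ida request, ".." traversal and cmd.exe/root.exe execution. The sample log lines, addresses and rule names are constructed for the example; the list of overlong sequences is the set commonly seen in 2001 logs and is an assumption, not a complete enumeration.

```python
"""Scan IIS W3C extended log lines for the attack signatures discussed above:
Code Red's .ida overflow request (MS01-033) and cmd.exe/root.exe execution
through encoded "../" traversal (MS00-078 UNICODE, MS01-026 double decode).
Added example, not part of the seminar; the sample log below is constructed.
"""
from collections import namedtuple
from urllib.parse import unquote

Hit = namedtuple("Hit", "line_no rule client stem query")

# Overlong UTF-8 encodings of '/' and '\' that an unpatched IIS 4/5 accepted
# (MS00-078). Assumption: these are the forms commonly seen in 2001 logs;
# the list is not exhaustive.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

# Constructed sample in the W3C extended format IIS writes (the #Fields
# directive names the columns). Two traversal requests are shown still
# encoded, as scanners sent them; IIS often logs them already decoded, as the
# entries quoted above show, and iis_normalize() brings both to one form.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-25 11:20:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
2001-07-25 11:20:10 10.0.0.5 - 10.0.0.80 80 GET /index.htm - 200 0
2001-07-25 11:20:51 10.0.0.66 - 10.0.0.80 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200 0
2001-07-25 11:20:52 10.0.0.66 - 10.0.0.80 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+d:\ 200 0
2001-07-25 11:21:03 10.0.0.77 - 10.0.0.80 80 GET /scripts/root.exe /c+echo+^<html^>defaced^</html^>>.././index.asp 502 0
2001-07-25 11:21:30 10.0.0.88 - 10.0.0.80 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0
"""


def iis_normalize(uri):
    """Canonicalise a logged URL the way an unpatched IIS interpreted it.

    IIS decoded the URL once and ran its ".." check on that result, then
    decoded a second time before opening the file (MS01-026), so %255c
    survived the check as %5c and only then became a backslash. Overlong
    UTF-8 sequences were mapped to '/' or '\' by the wide-character
    conversion (MS00-078). Replaying those steps turns an encoded or an
    already-decoded log entry into one comparable path.
    """
    s = uri.lower()
    for seq, ch in OVERLONG.items():
        s = s.replace(seq, ch)
    s = unquote(s)                       # first decode: what the ".." check saw
    for seq, ch in OVERLONG.items():     # %25c0%25af has now become %c0%af
        s = s.replace(seq, ch)
    s = unquote(s)                       # the superfluous second decode
    return s.replace("\\", "/")


def classify(stem, query):
    """Return the rule names matching one request (empty list if clean)."""
    path = iis_normalize(stem)
    rules = []
    if "/../" in path or path.endswith("/.."):
        rules.append("traversal")
    if path.rsplit("/", 1)[-1] in ("cmd.exe", "root.exe"):
        rules.append("cmd-exec")
    if path.endswith((".ida", ".idq")) and (len(query) > 200 or "%u" in query.lower()):
        rules.append("ida-overflow")
    return rules


def parse_w3c(text):
    """Yield (line_no, {field: value}) for each data line, naming the columns
    from the most recent #Fields directive."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line %d precedes any #Fields directive" % line_no)
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue   # truncated or corrupt line: skip rather than misalign columns
        yield line_no, dict(zip(fields, parts))


def scan(text):
    """Run every rule over a log and return the hits in file order."""
    hits = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        query = "" if query == "-" else query
        for rule in classify(stem, query):
            hits.append(Hit(line_no, rule, rec.get("c-ip", "?"), stem, query))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("line %d %-13s %-10s %s %s" % (h.line_no, h.rule, h.client, h.stem, h.query[:40]))
```

The scanner reports attempts regardless of sc-status: a 200 on a cmd.exe request means the command ran, but a patched host still records the scans from infected neighbours, and those client addresses are what to pass on to the remote administrators and to security@ when reporting an incident.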
Denial of Service:
- Affects innocent third parties
- Intervention by "cornell.edu"
- Log entry:
2001-07-25 11:20:51 [evil attacker] - [unpatched server] 80 GET /scripts/..\../winnt/system32/cmd.exe /c+ping.exe+"-v"+igmp+"-t"+"l"+30000+[innocent victim]+"n"+500+"-w"+10 502 -
Scope
- All Windows computers running IIS (or its Win9x sibling, Personal Web Server): NT, Win2000, Win9x
- Often IIS is installed (and running) without the administrator's knowledge
- Three golden rules:
- Disable unnecessary services
- Patch / configure running services
- Report incidents ([email protected])
Responses
General response:
- Contact remote administrators
- Collect host information, correlate incidents, block repeat offenders
Defacements:
- Rebuild server
- Restore data
DoS, scanning:
- Contain activity (network blocks)
- Rebuild server
- Restore data
Why is IIS Insecure?
- How it is installed
- Default installation has many services turned on that are not needed in most situations
- IIS 5.0 installed with 7 externally accessible DLLs via URL mapping
- Example: IDQ.DLL for Indexing Service
- Front Page Server Extension enabled
- All 8 of these services have had security updates since Win2000 was released
- Tightly Integrated with the OS
- By default, IIS service runs as "Local System Account"
- IIS makes components with System level permission accessible via the web
- Example
- Two Indexing Service vulnerabilities
- IP Printing vulnerability
- Configuration is not centralized
- Directory permission at NTFS level
- Easy to overlook something
- Frequency of Security Updates
- 21 Security bulletins for IIS 5.0 alone since last year
- Average: 1 every 3 weeks
- Overall, 100 security bulletins last year, and 33 this year as of 6/18/2001
- Microsoft is a target
- IIS is wide open "out of the box"
- Widely used and distributed
- Anyone can install and run IIS without proper expertise
What can we do?
- Not run IIS at all
- Web server not needed but installed inadvertently
- Consider other servers: e.g. Apache, iPlanet, WebSphere
- If must run IIS, then secure it the best we can
- Minimal Installation
- Proper Configuration
- Latest Patches
Installation
Do not install unnecessary components
- IIS 5.0 is installed under Windows 2000 Server by default. Default installation includes
- Front Page Server Extension
- SMTP but not FTP or NNTP
- Not installed in Win2000 Professional
- Can be manually added
- Automatic if upgraded from NT or 9.x with PWS
- Indexing Service is installed by default as part of Windows 2000
- Illustration of Windows Components Wizard shows how to uninstall the Indexing Service (slide 18)
- Illustration of IIS subcomponents window shows how to uninstall other IIS components (slide 19)
IIS 4.0 in NT 4.0 Option Pack
- IIS 4.0 Components Selected by Default
- FTP, SMTP, Web
- IIS Manager (HTML)
- Option Pack Default Components
- FrontPage 98 Server Extensions
- Index Server, Transaction Server, Scripting Host
- Components needed for a Basic Web Server
- Common Files
- Web Server
- Internet Service Manager
Configuration
Home Directory
- Default is c:\inetpub\wwwroot
- Change to different path and if possible, to another drive letter
- Illustration of Default Web Site Properties window shows how to change path (slide 21)
Directory Security (ACLs)
- Depends on specific needs
- To ease the management of ACLs, create subdirectories for each type. Example:
- D:\SomeDir\WebRoot\server\script (for asp)
- D:\SomeDir\WebRoot\server\exe (for dll)
- D:\SomeDir\WebRoot\server\images (gif, jpeg)
- Some Rules of Thumb
File types                   Everyone   Administrators, System
exe, dll, cmd, pl, asp       X          Full Control
inc, shtm, shtml             X          Full Control
txt, gif, jpg, htm, html     R          Full Control
Enable Logging
- Log directory (default %systemroot%\system32\LogFiles): requires Everyone RWC, with Administrators and System Full Control; move it to another location
- In Extended Properties, set the following:
- Client IP
- Server IP, Port
- Win32 Status
- Date, Time
- Leave other default values
- Illustration of the Extended Logging Properties window (Extended Properties tab) (slide 24)
Set IP Address Restrictions
- Web Site Properties -> Directory Security
- May not always be possible
- Can be restricted to Cornell Only IP addresses
- 128.253.0.0/16
- 132.236.0.0/16
- 128.84.0.0/16
- Others?
- Illustration of IP Address and Domain Name Restrictions window (slide 25)
Disable Parent Paths
- Web Site Properties -> Home Directory -> Configuration -> App Options Tab
- Prevents ASP pages from using relative paths containing ".." (Server.MapPath, #include), which blocks directory traversal by scripts; it does not stop URL-level traversal such as the UNICODE exploit, which only the patches below fix
- Illustration of Default Web Site Properties window (Home Directory tab) and Application Configuration window (slide 26)
Secure the OS
- Apply latest OS patches
- Rename "Administrator" account
- Drive formatted with NTFS and ACLs set
- Server is NOT part of an NT domain
- Domain account compromise may jeopardize IIS security
- Remove all shares
- Use the "net share <sharename> /delete" command
- Can remove admin shares (C$, D$, Admin$) via registry
- May not always be possible
- Set password length and complexity requirements
- Check account group membership and privileges
- "Debug programs", "Act as part of the operating system" and "Back up files and directories" are "powerful" privileges
- "Access this computer from the network"
- Default is Everyone (insecure)
- Should be Authenticated Users; change it under User Rights (Local Security Policy -> User Rights Assignment in Windows 2000; User Manager -> Policies -> User Rights in NT 4.0)
- Many, many other such configurations and "tweaking"
- The above list highlights some common configuration
- See Microsoft Documents for detailed and additional information
Microsoft Documents and Other Resources
- For IIS 5.0
- For NT 4.0/IIS 4.0
- CERT Windows NT Configuration Guidelines
- http://www.cert.org/tech_tips/win_configuration_guidelines.html
- http://www.cert.org/tech_tips/win-resources.html
- Excellent source for Windows security resources
Other Resources: Books
- Microsoft Internet Information Server Resource Kit (IIS 4.0)
- Microsoft Press, 1-57231-638-1
- Securing Windows NT/2000 Servers for the Internet
- Stefan Norberg, O'Reilly, 1-56592-768-0
Patches
Apply the latest OS Service Packs
- SP6A for NT 4.0
- SP1 or SP2 for Windows 2000
- SP1 is a must, SP2 recommended
- These are also available from CIT's public server
- \\public-nt.cit.cornell.edu\technet
- Please disconnect after use :=)
The Service Packs will also update IIS 4.0/5.0
- Easiest way to apply a roll-up of the earlier hotfixes in one step
Apply the hotfixes since Service Pack release
- MS01-026 (May, 2001) patch for both IIS 4.0 and 5.0
- This is a "Must Have" cumulative patch
- Requires SP5 or SP6a for NT
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
Install additional hot fixes since the release of MS01-026
- Search Microsoft Bulletins by Product and SP level
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp
- Illustration of Search window (slide 33)
"Windows Update" is a great resource
- http://windowsupdate.microsoft.com
- Click on "Product Updates"
- Must use Internet Explorer 5.0 or newer
- Needs "Windows Update Active Setup" plug-in
- Must have IIS installed on the system
- "Critical Updates" for Windows 2000 includes all IIS 5.0 patches
- Illustration of Critical Updates window (slide 35)
- For NT 4.0/IIS 4.0, does not include MS01-026
- Must be manually installed
- Does include MS01-033 (Index Server/Code Red)
Tools
- Maintaining hot fixes requires some effort but some improvements are available
- "no-reboot" patches for Windows 2000
- Microsoft is working on patches that don't require a reboot
- QChain.exe
- This tool makes it possible to do a single reboot after multiple patch installation
- Can be downloaded from http://support.microsoft.com/support/kb/articles/Q296/8/61.asp
HFCheck.WSF (Windows Script File)
- Tool to compare the local IIS installation against a list of hotfixes on Microsoft's site
- http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
- Only for IIS 5.0 on Windows 2000
- Determines by checking Windows Registry
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q<######>
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q<######>
- Fails if HotFix is removed or IIS is reinstalled
- Run regularly using Windows Scheduler
- Example: AT.EXE 11:00pm /Interactive /every:M,T,W,Th,F,S,Su X:\SomePath\hfcheck.wsf
- Writes to Application Log in Event Viewer
- NOTIFY.JS can be modified to send an e-mail
Subscribing to the Microsoft Security Notification Service
- Compose an e-mail to [email protected]
- The subject line and the message body are not used to process the subscription request and can be anything you like.
- Send the e-mail.
- You'll receive a response asking you to verify that you really want to subscribe. Compose a reply, put OK (without quotes) in the message body, and send the reply.
- You'll receive two e-mails: one telling you that you've been added to the subscriber list, the other with more information on the notification service and its purpose. From then on you receive a security notification whenever Microsoft sends one.
To Summarize
- Install only the components that are absolutely needed
- Configure and tighten security
- Install Service Packs and Hot Fixes
- Stay on top of new patches by using tools and e-mail subscriptions
Last updated 7/25/01
Part of Cornell University's Security Issues
for Network and System Administrators site