ISAPI Priority issue with IIS 5.0

From: Davis, Matt (matt.davis@COUNTRYFINANCIAL.COM)
Date: 02/06/02


Date:         Tue, 5 Feb 2002 17:14:37 -0600
From: "Davis, Matt" <matt.davis@COUNTRYFINANCIAL.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We are using a product called Oblix NetPoint that secures web resources like
HTML docs, JSPs, images, etc. The way Oblix works is that it installs an
ISAPI filter in IIS to capture all HTTP requests. The way it is supposed to
work is that the ISAPI filter (called WebGate) is supposed to capture the
incoming HTTP requests, check for an Oblix cookie, and if there is not one,
return a challenge screen to the client browser. Once the client has logged
in, WebGate then redirects the browser to the original request that was made
for the resource. WebGate monitors all subsequent requests for resources to
ensure the client has the proper authorization level for that resource. This
works very similarly to the Netegrity product. This product works in
securing resources that do not go through WebSphere.

The problem comes in when trying to secure a resource that contains
servlets/JSPs whose requests get handled by WebSphere 4.0.1. Both the
WebSphere ISAPI filter and the Oblix WebGate ISAPI filter are installed on
the same web server with a priority of high. Note that both filters are
installed at the "server" level, not the website level. The Oblix filter is
at the top of the list in IIS, so it should take the highest priority of all
the "high" priority plugins. It appears that if we hit a URL that gets
handled by WAS, IIS executes the WAS ISAPI filter before executing the Oblix
filter, which is not correct. The end result is that requests made to
resources that WAS should handle do not get secured.

So now we went into debug mode and tried the following things (all
environments having the Oblix WebGate ISAPI filter installed and Oblix
configured to protect the tested resources):

· We installed JRun 3.0 (works similarly to the WAS global ISAPI filter
plugin) on a Windows NT SP6 IIS 4 box; the JRun resources were secured
correctly (no problems).
· We installed WAS 4.0.1 on a Windows NT SP6 IIS 4 box; the WAS
resources were also secured correctly (no problems).
· We installed JRun on a Windows 2000 IIS 5 box (with the ISAPI filter
plugin); the resources were not secured. This appeared to have the same
result as with WAS; it appeared to hit the JRun ISAPI filter first.
· We tested an .asp resource on Windows 2000 IIS 5; however, .asps are
mapped using ISAPI extensions vs. ISAPI filters. This resource was secured;
it worked like it should.
· We removed the JRun ISAPI filter and mapped a .jsp using the ISAPI
extension, which also worked like it should.
· Just to make sure what we did was not a fluke, we put WAS and Oblix
on a "clean" Windows 2000 IIS 5 box, and we still had the problem.
· We removed the URLScan IIS security plugin from the tested boxes.

Note: All IIS 5 boxes we tested with had some standard security "hardening"
on them (Microsoft Security Utility). Our next step is to test on a box
without this hardening.

The above test results lead us to believe that the problem is related to one
of the following:
a) IIS 5.0 does not handle ISAPI filter priorities correctly (for any
number of reasons: general bug, security patch, configuration, etc.)
b) Both WAS and JRun filters have bugs on IIS 5
c) Security hardening of the OS caused problems (still need to test)
d) The request is actually going to the Oblix filter; however, it is not doing
anything with it (this is not likely, especially since we do not see any
requests in the Oblix WebGate ISAPI trace log)

Basically, it works fine under IIS 4.0 but not under IIS 5.0.

Any ideas?
