RE: Microsoft .NET, ASP.NET, and IIS - any opinions?

From: Tracy Martin (tracy@arisiasoft.com)
Date: 12/13/01


From: "Tracy Martin" <tracy@arisiasoft.com>
To: "Ryan Counts" <webmaster@badsushi.com>, <focus-ms@securityfocus.com>
Date: Wed, 12 Dec 2001 18:16:29 -0500

Actually, this *type* of answer is exactly what I'm looking for. My initial
concerns were over the potential accessibility of the compilers and code
through the server, any new ports that might have to be opened, and things
like "well-known directory" exploits (of course, turning off directory
browsing and patching for directory traversal takes care of some of that).

While I have found more information that also applies (such as application
design considerations and integration into policy management by managed code
in .NET - addressed by the link to Foundstone posted by Ken Pfiel), my basic
concerns are still very much in line with your answer. Addressing
application design issues is currently a secondary priority for me, as
development is still in the design stage and I can get these issues
addressed without a problem. However, with the release of .NET coming
shortly (and its concurrent setting up of who knows how many servers within
the organization - behind the firewall, of course), I find the issues of
integration into IIS of much more immediate concern than the application
issues.

Tracy
> -----Original Message-----
> From: Ryan Counts [mailto:webmaster@badsushi.com]
> Sent: Wednesday, December 12, 2001 18:00
> To: 'Tracy Martin'; focus-ms@securityfocus.com
> Subject: RE: Microsoft .NET, ASP.NET, and IIS - any opinions?
>
>
> To the best of my knowledge, the SDK doesn't seriously modify IIS except
> for adding the mime types to handle the new languages, and I have yet to
> hear of any exploits for these (Granted, give it time, they may appear
> once people are using it on a massive scale). However, for the most
> part, you are basically adding a programming language to IIS, not
> changing IIS itself.
>
> Consider it this way, do you open yourself up to security threats by
> installing Perl, PHP or any other language? For the most part no
> (granted, there are exceptions), but that also leaves the threat of bad
> programming that could potentially leave you exposed. I know I've heard
> of a few Perl scripts and PHP scripts that were vulnerable to exploits,
> but that was because of lapses on the part of the application
> programmers, not because of the underlying compilers and server
> extensions. This might not be the kind of answer you were looking for,
> but everything I've heard points to no current holes with the SDK
> itself. In fact, one clear advantage I've noticed is the install gives
> you complete control over where the files are installed to. So, you
> could safely lock down the install directory without having to hunt down
> DLLs and executables thrown into the system32 directory.
>
> Ryan
>
> -----Original Message-----
> From: Tracy Martin [mailto:tracy@arisiasoft.com]
> Sent: Wednesday, December 12, 2001 2:52 PM
> To: focus-ms@securityfocus.com
> Subject: Microsoft .NET, ASP.NET, and IIS - any opinions?
>
> Greetings,
>
> We all know that IIS has its flaws - and that for many of these there are
> patches available (or at least workarounds). However, with the imminent
> release of VisualStudio.NET and ASP.NET, I'm expecting to see installs of
> IIS and the .NET runtimes (which, if I understand it correctly, basically
> amounts to installing the full SDK - including command line compilers) on
> servers all over.
>
> And this begs the question - has anyone who has insight into this done any
> security studies on this combination? Is the addition of .NET to IIS going
> to cause any additional security holes (over and above those already present
> in IIS itself)? And are there recommendations for closing these types of
> holes if encountered?
>
> I already know I'm going to be asked to set up such a server, and I'd like
> to get a feel for what I'm letting myself in for. I know there are patches
> available for IIS (and I've already applied them to the IIS server we have
> live right now), but I'm curious if the addition of .NET to the mix is going
> to introduce new problems (and also interested in potential solutions to
> those problems while waiting for "official fixes" from Microsoft).
>
> Any takers?
>
> Tracy
>
>
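
The concrete check behind the questions in this thread (which extensions the server will now execute, whether source and config files are refused, whether directory browsing is off, and whether the web identity can write into the directory that holds the compilers) is shown below as an added example; it is not code from the original posts or from Microsoft. It assumes IIS 7 or later with the WebAdministration PowerShell module, which postdates the thread (on IIS 5 the same answers lived in the metabase script maps), a .NET 4.x install under %windir%\Microsoft.NET, and the default site name; adjust those for your host.

```powershell
# Added example, not from the original thread: audit what the ASP.NET registration
# left behind in IIS. Assumes IIS 7+ (WebAdministration module) and .NET 4.x paths.
Import-Module WebAdministration -ErrorAction Stop

function Get-AspNetExposure {
    param(
        [string]$SitePath = 'IIS:\Sites\Default Web Site',   # assumption: default site name
        # Identities that should never hold write rights on the runtime/compiler directory.
        [string[]]$UntrustedIdentities = @('Everyone', 'Users', 'Authenticated Users', 'IIS_IUSRS')
    )

    # 1. Handler mappings routed through ASP.NET: every such path pattern is executable content.
    $handlers = Get-WebConfiguration -Filter 'system.webServer/handlers/add' -PSPath $SitePath
    $aspNetHandlers = $handlers | Where-Object {
        $_.scriptProcessor -like '*aspnet_isapi.dll*' -or $_.modules -like '*ManagedPipelineHandler*'
    }

    # 2. Request filtering: ASP.NET registers .cs, .vb, .config, .asax ... as allowed="false".
    #    Any of these that is NOT denied means raw source or web.config is downloadable.
    $fileExt = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/fileExtensions/add' -PSPath $SitePath
    $denied  = $fileExt | Where-Object { -not $_.allowed } | ForEach-Object { $_.fileExtension }
    $mustDeny = @('.cs', '.vb', '.config', '.asax', '.ascx', '.master', '.csproj', '.vbproj', '.resx')
    $notDenied = @($mustDeny | Where-Object { $denied -notcontains $_ })

    # 3. Directory browsing (the "well-known directory" concern raised in the thread).
    $dirBrowse = (Get-WebConfigurationProperty -Filter 'system.webServer/directoryBrowse' -Name enabled -PSPath $SitePath).Value

    # 4. Can an untrusted identity modify the framework directory that holds csc.exe / vbc.exe?
    $fxRoot = Join-Path $env:windir 'Microsoft.NET\Framework64'
    if (-not (Test-Path $fxRoot)) { $fxRoot = Join-Path $env:windir 'Microsoft.NET\Framework' }
    $writable = @()
    foreach ($dir in (Get-ChildItem $fxRoot -Directory | Where-Object { $_.Name -like 'v*' })) {
        foreach ($ace in (Get-Acl $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.FileSystemRights.ToString() -notmatch 'Write|Modify|FullControl') { continue }
            $id = $ace.IdentityReference.Value               # e.g. BUILTIN\Users, NT AUTHORITY\Authenticated Users
            $name = $id.Split('\')[-1]
            if ($UntrustedIdentities -contains $name) {
                $writable += "$($dir.FullName): $id has $($ace.FileSystemRights)"
            }
        }
    }

    [pscustomobject]@{
        Site                   = $SitePath
        ExecutableExtensions   = @($aspNetHandlers | ForEach-Object { $_.path } | Sort-Object -Unique)
        SourceExtensionsServed = $notDenied      # should be empty
        DirectoryBrowsingOn    = [bool]$dirBrowse # should be False
        FrameworkDirWritableBy = $writable       # should be empty
    }
}

Get-AspNetExposure | Format-List
```

Run it from an elevated PowerShell on the web server after the framework is installed; a non-empty SourceExtensionsServed or FrameworkDirWritableBy, or DirectoryBrowsingOn set to True, is the kind of exposure the thread is asking about, and each is fixed in IIS configuration rather than with a patch.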
