Re: #Include with parent paths

From: Lisa Cozzens [MSFT] (lcozzens@online.microsoft.com)
Date: 01/13/03


From: lcozzens@online.microsoft.com (Lisa Cozzens [MSFT])
Date: Mon, 13 Jan 2003 22:34:54 GMT


> Thanks for the response.
>
> When I installed Windows 2000 Adv Server the first time, I failed to do
> any patching right away. And sure enough, within 5 minutes of having port
> 80 open to the world, the server was compromised by Nimda. So I reformatted
> and started from scratch, making sure to do the patches before exposing the
> server and everything seems to be working fine now.

Unfortunately, that's not at all uncommon. My normal procedure for bringing
up a new box is:
1. Unplug the network cable.
2. Install Windows 2000.
3. Set WWW Publishing Service to Disabled.
4. Plug in the network cable.
5. Install all necessary service packs/security patches.
6. Set WWW Publishing Service to Automatic.

If you have all the necessary patches on CD-ROM, that's even better. You
can fully patch the machine before connecting it to the network.

> 2 questions though.
>
> 1) Why does enabling parent paths through IIS pose a security risk?

For maximum security, you should be able to limit the files that a web
client can view through your IIS server. If a file isn't in
\inetpub\wwwroot and isn't in a virtual directory linked into IIS, a web
client shouldn't be able to view that file. If you enable parent paths,
this is not the case. For example, if you have a file called insecure.asp
in c:\inetpub\wwwroot, you can view a file called veryimportantfile.txt in
C:\Winnt through the web by including the following line in insecure.asp:
<!-- #include file="../../winnt/veryimportantfile.txt"-->

This is a security risk -- you're able to view a file in a
non-IIS-accessible directory. With parent paths disabled, the ../../
notation doesn't work, so you can only view files in IIS-accessible
directories.

> 2) What do I need to do keep up to date with security updates and patches?
> I use the Windows Update feature frequently, but is this all I need to do?
> Do all security updates show up through Windows Update?

Windows Update is good. Hfnetchk is better for keeping servers up-to-date
on security patches:
Q315665 HOW TO: Use the Hfnetchk Hotfix Checker Tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315665

Q303215 Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is
Available
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q303215

Thanks,
Lisa
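Added example (not code from this thread or from Microsoft): a small Python model of the parent-paths rule Lisa describes above, so you can audit ASP sources for includes that would break, or escape the web root, before flipping the setting. The `insecure.asp` path, `veryimportantfile.txt`, the extra `header.inc`/`footer.inc` directives and all function names are constructed for the illustration; the path handling uses only the standard-library `ntpath` module so it runs on any platform.

```python
import ntpath
import re

# Regex for the SSI directive form shown in the thread: <!-- #include file="..." -->
# (and the "virtual=" form, which IIS resolves from the site root instead).
INCLUDE_RX = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE
)


def uses_parent_path(include_path: str) -> bool:
    """True if any segment of the include path is '..' (a 'parent path')."""
    return ".." in include_path.replace("\\", "/").split("/")


def is_under_root(web_root: str, path: str) -> bool:
    """Case-insensitive Windows-style containment check: is path inside web_root?"""
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(path))
    return target == root or target.startswith(root + "\\")


def evaluate_include(web_root, including_file, include_path,
                     parent_paths_enabled, kind="file"):
    """Model what IIS does with one #include directive (hypothetical helper).

    'file=' is resolved relative to the including ASP file, 'virtual=' from the
    site root.  With parent paths disabled IIS refuses any path containing '..',
    even one that would still land inside the web root.  With parent paths
    enabled the include is performed wherever it resolves, which is the risk
    described in the thread.
    """
    if kind.lower() == "virtual":
        resolved = ntpath.join(web_root, include_path.lstrip("/\\"))
    else:
        resolved = ntpath.join(ntpath.dirname(including_file), include_path)
    resolved = ntpath.normpath(resolved)  # collapses '..' and turns '/' into '\'
    parent = uses_parent_path(include_path)
    return {
        "include": include_path,
        "resolved": resolved,
        "parent_path": parent,
        "inside_root": is_under_root(web_root, resolved),
        "served": not (parent and not parent_paths_enabled),
    }


def audit_asp_source(web_root, asp_file, source, parent_paths_enabled):
    """Evaluate every #include directive found in one ASP file's source text."""
    return [
        evaluate_include(web_root, asp_file, path, parent_paths_enabled, kind)
        for kind, path in INCLUDE_RX.findall(source)
    ]


# Constructed sample: the insecure.asp from the thread plus two ordinary includes.
WEB_ROOT = r"C:\Inetpub\wwwroot"
INSECURE_ASP = r"C:\Inetpub\wwwroot\insecure.asp"
SAMPLE_SOURCE = """<!-- #include file="../../winnt/veryimportantfile.txt"-->
<!-- #include file="header.inc" -->
<!-- #include virtual="/common/footer.inc" -->
"""

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"parent paths {'enabled' if enabled else 'disabled'}:")
        for r in audit_asp_source(WEB_ROOT, INSECURE_ASP, SAMPLE_SOURCE, enabled):
            state = "served" if r["served"] else "refused"
            where = "inside" if r["inside_root"] else "OUTSIDE"
            print(f"  {r['include']!r:45} -> {r['resolved']} ({state}, {where} web root)")
```

Run against a real site's `.asp` files, the entries with `parent_path` set are the ones that stop working once the option is disabled; an entry with `inside_root` false is one that was reading outside the web root while parent paths were on, exactly the case in Lisa's example. Note the check refuses `inc/../footer.inc` as well, even though it resolves inside the root: the IIS setting is about the `..` token, not about where the path ends up.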

>
> Thanks again,
> Dan
>
> "Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
> news:eOs#WNCuCHA.2424@cpmsftngxa09...
> > Hi Dan,
> >
> > What's going on is that someone was trying to hack into your server by
> > taking advantage of some security holes that existed in old versions of
> > IIS. Fortunately, it looks like your server is properly patched, so it
> > didn't let the attacker in.
> >
> > It's hard to tell whether this was an automated attack or whether it was
> > actually someone specifically targeting your system. Some of the requests
> > are classic symptoms of a Nimda-infected machine making automated attacks
> > against random IP addresses, but others are unusual and aren't part of any
> > standard worm attack that I've seen. They might indicate that a hacker
> > specifically went after your system.
> >
> > At any rate, these requests have nothing to do with whether or not parent
> > paths were disabled. Disabling parent paths simply means that you can't use
> > parent paths from within your ASP code. These requests aren't coming from
> > ASP code -- they're coming from someone or some machine that's just hitting
> > IIS directly.
> >
> > For more information on the hole this hacker was trying to exploit, see:
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-057.asp
> > As you can see, a patch has been available to protect against these kinds
> > of attacks since August of 2000.
> >
> > Hope this helps,
> > Lisa
> >
> > --------------------
> > > From: "Daniel Hartley" <dhartley@data2you.net>
> > > Subject: #Include with parent paths
> > > Date: Thu, 9 Jan 2003 10:35:11 -0800
> > > Lines: 53
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > > Message-ID: <#RdHX3AuCHA.2028@TK2MSFTNGP11>
> > > Newsgroups: microsoft.public.inetserver.iis.security
> > > NNTP-Posting-Host: 66-17-15-254.bkfd.arrival.net 66.17.15.254
> > > Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
> > > Xref: cpmsftngxa06 microsoft.public.inetserver.iis.security:13952
> > > X-Tomcat-NG: microsoft.public.inetserver.iis.security
> > >
> > > Hi,
> > > I've recently learned that having parent paths enabled for
> > > websites/virtual directories is a security risk (even though it is enabled
> > > by default). However, I can't seem to find out exactly why. Anyone know?
> > > I suspect it has something to do with hackers trying to run system programs
> > > or scripts but don't know for sure. After reading this, I disabled that
> > > option in IIS for all my websites/virtual directories (only 1 project used
> > > parent paths), and looked closely at my older IIS log files (from when
> > > parent paths were still enabled) to see if I could find if someone was
> > > trying to exploit this security risk. I ran into this which looks awfully
> > > suspicious:
> > >
> > > #Software: Microsoft Internet Information Services 5.0
> > > #Version: 1.0
> > > #Date: 2002-11-25 13:35:53
> > > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> > > 2002-11-25 13:35:53 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:36:00 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:36:36 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:36:51 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:36:57 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:37:33 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../config.sys - 404 Mozilla/3.0+(compatible)
> > > 2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../etc/hosts - 404 Mozilla/3.0+(compatible)
> > >
> > >
> > > (Hope that looks ok, this is from an IIS log file from November, I changed
> > > our server's IP to 123.123.123.123)
> > >
> > > This looks pretty scary to me. Can anyone shed some light on exactly what's
> > > going on, and is this a result of having parent paths enabled?
> > >
> > > Thanks,
> > > Dan
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.438 / Virus Database: 246 - Release Date: 1/7/2003
> > >
> > >
> > >
> >
> > -----
> > Please do not send email directly to this alias. This is an online
> > account name for newsgroup participation only.
> >
> > This posting is provided "AS IS" with no warranties, and confers
> > no rights. You assume all risk for your use.
> >
> > © 2002 Microsoft Corporation. All rights reserved.
> >

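Added example (not code from this thread): a defender's-eye parser for the W3C extended log lines Dan posted, which reads the `#Fields:` header rather than assuming column positions and then flags the traversal and `cmd.exe` requests so they can be counted per source address. The sample log embedded below is Dan's excerpt rejoined onto single lines (server IP already changed to 123.123.123.123 by him); the detection rules and their names are my own constructed heuristics, not anything IIS or Microsoft ships.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Log excerpt as posted in the thread (rejoined onto one line per record).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-25 13:35:53
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-11-25 13:35:53 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:00 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:36 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
2002-11-25 13:36:51 211.23.169.108 - 123.123.123.123 80 GET /msadc/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:36:57 211.23.169.108 - 123.123.123.123 80 GET /scripts/....../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2002-11-25 13:37:33 211.23.169.108 - 123.123.123.123 80 GET - - 501 Mozilla/3.0+(compatible)
2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../config.sys - 404 Mozilla/3.0+(compatible)
2002-11-25 13:37:40 211.23.169.108 - 123.123.123.123 80 GET /....../etc/hosts - 404 Mozilla/3.0+(compatible)
"""

# Constructed rules: (label, regex applied to the decoded, lower-cased stem?query).
RULES = [
    ("directory traversal", re.compile(r"\.\.")),
    ("system binary", re.compile(r"(cmd\.exe|/winnt/|/system32/)")),
    ("shell command in query", re.compile(r"\?/c\+")),
    ("system file", re.compile(r"(config\.sys|/etc/hosts)")),
]


def parse_w3c_log(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()  # W3C values never contain spaces ('+' stands in for them)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def classify(record):
    """Return the labels of every rule the request matches (empty for a clean request)."""
    stem, query = record.get("cs-uri-stem", "-"), record.get("cs-uri-query", "-")
    if stem == "-":
        return []
    target = stem + ("?" + query if query != "-" else "")
    # Decode twice so doubly percent-encoded '..' sequences are seen as well.
    decoded = unquote(unquote(target)).lower()
    return [label for label, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Flagged records with the reasons each one tripped."""
    findings = []
    for rec in parse_w3c_log(text):
        reasons = classify(rec)
        if reasons:
            findings.append({"time": rec["time"], "c-ip": rec["c-ip"],
                             "stem": rec["cs-uri-stem"], "status": rec["sc-status"],
                             "reasons": reasons})
    return findings


def sources_by_hits(findings):
    """Count flagged requests per client address."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['c-ip']} {h['status']} {h['stem']}  <- {', '.join(h['reasons'])}")
    print(sources_by_hits(hits))
```

Every flagged request in the excerpt returned 404, which is consistent with Lisa's reading that the server was patched and nothing was served; the `sc-status` column is the first thing to check when a run like this shows up, because a 200 on one of these lines is the signal that needs incident handling rather than a shrug. The two `GET - - 501` records carry no URI, so they are deliberately left unflagged rather than guessed at.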