Re: IIS still open to hacking even with latest patches...
From: Dinis Cruz (dinis_at_ddplus.net)
Date: 06/17/03
- Next message: Dinis Cruz: "Re: IIS still open to hacking even with latest patches..."
- Previous message: BB: "Re: SSL - private Key info"
- In reply to: jeremy ridgway: "IIS still open to hacking even with latest patches..."
- Next in thread: Barry Randall: "Re: IIS still open to hacking even with latest patches..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 16 Jun 2003 20:27:49 -0700
Hello Jeremy
Unfortunately, applying the latest service packs, closing down
unnecessary services and using different accounts is not enough to
stop your servers from being hacked.
We have produced a security guide called "Secure Shared Hosting with
IIS 5.0" which deals with the security issues in configuring IIS
servers for the most secure sensitive environment: An ISP with
hundreds of websites (one per client) hosted in one Windows 2000/IIS
5.0/FPSE 2002 box.
I've included in this post a section of the security guide that
explains our solution for building such a secure server (the guide
contains STEP-BY-STEP instructions, security templates and test
code).
If you wish to obtain a copy, please visit our website
(http://www.ddplus.net) for more details about the guide and how to
request it.
Hope this helps
Dinis Cruz
IT Security Consultant
DDPlus
----------------
7. Our Solution
----------------
This section explains the steps taken by us to securely configure
several servers in our research labs that were vulnerable to the
problems identified previously.
This doesn't mean that a server configured this way would be 100%
secure against known or unknown exploits. But we know that it would be
very hard to compromise (and more importantly) to use in any malicious
way.
DON'T APPLY THE PROPOSED CHANGES TO YOUR LIVE SERVERS! This document
only describes an implementation from scratch (full machine rebuild)
on the presented server architecture. You will need to adapt this to
your environment and network infrastructure.
How we configure the server:
- Secure by Design: (objectives)
* Layered Security Defence
* Reduced attack perimeter
* Harden the server and remove all unnecessary permissions,
services and applications
* Only allow well formatted traffic to arrive at the web server
- Secure by Default:
* Windows 2000 Server with Service Pack 3 and all Critical
Security Patches
* Security Policies to harden the server
* Sharepoint Team Services + FrontPage Extensions 2002 (with
Office XP Service Packs 1 and 2)
* IIS Lockdown + URL Scan
* IPSec
- Secure in Deployment:
* Groups and User management
* Secure Folder management
* Website configuration
-----------------------------------------------------
8. More details about the proposed security solutions
-----------------------------------------------------
I) Windows 2000 and service packs:
We start by installing Windows 2000 Advanced Server with SP3 on
our test machine (this guide is also applicable to the standard
version of Windows 2000 Server).
The security starts here and there are several important steps that
need to be performed already at this stage.
Note that until the secure configuration of the server is completed,
this server must be considered INSECURE and must be located in a
private network (i.e. isolated from the internet and your LAN).
In this scenario we go to the Microsoft website to download the latest
Service Packs and Security patches. Note that this is a huge security
problem because (at this stage) the server could easily be compromised
by an IE exploit or a Cross Site Scripting attack.
So make sure that you disable the default home page (make it
blank) and that the only website you go to is the Microsoft Update
site (do this via the link on the Start Menu).
II) Security Policies:
To securely configure the server's services, registry and default
permissions, we apply two different security templates that were
based on the NSA's W2k_Server.inf
(http://www.nsa.gov/snac/win2k/download.htm) and Microsoft's
HiSecWeb.inf (http://support.microsoft.com/default.aspx?scid=kb;en-us;316347).
Security Templates
Changes made to the templates
- NSA's W2k_Server.inf (Applied first)
* We removed the User group from all folders. After applying this
security template the only users that should have rights in all
folders in both the C: and the D: drive are the administrator and
SYSTEM accounts
- Microsoft's HiSecWeb.inf
* Enable Terminal Services (it was disabled)
* Disable the DFS service (it is not needed and it will fail to
start after both security policies are applied)
* Account Lock Period was set to 15 minutes (originally it was 0
minutes)
* Failed Login counter reset was set to 15 minutes
* Several file and directory permissions were added for the NETWORK and
the INTERACTIVE groups (required by IIS and FPSE). Further changes will be
added manually when following the step by step guide.
See http://www.sans.org/rr/win2000/hisecweb.php for a detailed
analysis of the Microsoft HiSecWeb.inf security policy
In future versions of this guide we will try to combine these two
policies.
Important Note: The W2k_server.inf security policy activates the
Security Log "CrashOnAuditFull" flag. This means that the server will
crash (shows a nice Blue Screen of Death) if the security log file is
full. Since the HiSecWeb.inf changes the security log to 10 MB, you
will need to have a system in place to regularly save/export the
security logs. You will also need to increase the maximum log size to
a value relevant to your set-up.
III) IIS Lockdown + URLScan
IIS Lockdown will further harden the server although the security
policies have already gone a long way in securing your server.
The most valuable item here is the installation of the URLSCAN ISAPI
filter that allows the filtering of the requests processed by the IIS
web server. This ensures that only CORRECTLY FORMATTED AND
VALIDATED REQUESTS are accepted. In other words, if there's any funny
business, it will be rejected here...
IV) Office XP Service Pack 1 and 2
These service packs will upgrade the Sharepoint TS Server Extensions
(and by default FrontPage Server extensions).
These pages, http://support.microsoft.com/default.aspx?scid=kb;EN-US;312543
and http://support.microsoft.com/default.aspx?scid=kb;EN-US;323549,
contain the list of the issues fixed in Sharepoint TS by each Service
Pack.
What we found very interesting (although we couldn't find an official
explanation for it) is that after we installed the Office XP Service
Pack 1, the FPSE2002 NETWORK vulnerability problem was minimized and
(in a weird way) fixed!
Normally the FPSE2002 adds the NETWORK account to the website's root
folder and to the folder just above it (for example the
"D:\Web_Data\Client_FP2002" folder and the "D:\Web_Data" folder).
The permissions added are read and execute to all folders, subfolders
and files. FrontPage and IIS will not work properly if these
permissions are not there, and if removed IIS and FPSE2002 will
eventually add them.
This is where the original problem is. Once those permissions are
there all authenticated users can also read these folders and files.
What we found, after the installation of the Office XP Service Pack 1,
is that suddenly (on the webs that were already created and on new
ones) the file permission is not there! The NETWORK group only has
read and execute rights over the website folders and subfolders, and
the FrontPage and Sharepoint websites work perfectly.
This solved the problem of users being able to read the source code of
files outside their website area, but the NETWORK group still allows
the browsing of all folders (which, for example, would allow an
attacker to discover where Access databases were stored). To solve
this problem we added the steps 14(a), 17(f), 18(f) and 18(g) to
remove the "list folder" permissions from the NETWORK group.
Our tests and the live implementation of these changes in live Web
Servers (hosting hundreds of websites) have shown no side effects to
the server's availability, reliability and resilience.
The problem is that every time a new website is created or the server
health is executed the "List Folder" permissions are added back (we
are sure that there are more scenarios).
Although these steps can be implemented manually, the best solution
for this problem is to create a GPO (enforced by Active Directory)
that removes these rights every 30 minutes from the folders hosting
live websites.
V) IPSec
We used IPSec to further lock down the server and only allow
authorized traffic to occur.
Note that after the IPSec policy is "Assigned", the server will still
work perfectly as a web server but will not be able to:
- browse the web,
- access the Local Network
- ping another machine
- do anything apart from responding to web requests, contacting the
SQL server and accepting Terminal Services Sessions from local
computers
The IPSec template provided has the following filters:
- Allow anybody to make anonymous TCP/IP requests on the port 80
(i.e. HTTP traffic)
- Allow the IIS server to connect to the SQL server on the TCP/IP
port 1433
- Allow computers from the Local Network that belong to the subnet
192.168.20.0/24 (sub-net mask 255.255.255.0) to create a Terminal
Services Client connection to the server using the TCP/IP port 3389
- Block all other traffic (inbound and outbound)
If you do a vulnerability scan after the IPSec template is assigned,
you should only be able to see port 80 open. Of course, if the
computer running the scan is inside the 192.168.20.0/24 subnet, port
3389 will also appear.
VI) Best practices in user / group management
All the recommended security steps that allow the creation of a very
secure IIS build are worth nothing if all websites run under the same
anonymous account, or if the folder Access Control Lists (i.e.
permissions) are not properly managed.
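The recurring "List Folder" problem in section IV (FPSE and IIS keep granting the NETWORK group the right to list hosted-site folders, so the guide re-strips it on a schedule) is the kind of step worth scripting. The script below is an added example for this page and is not part of the post or of the DDPlus guide. It assumes the guide's layout (one folder per site directly under D:\Web_Data, with NETWORK also granted on D:\Web_Data itself), an elevated session on a host with PowerShell 3.0 or later (the guide's Windows 2000 target pre-dates PowerShell; there the manual steps or a tool such as xcacls would do the same job), and that the principal to strip is NT AUTHORITY\NETWORK. One detail the guide's wording glosses over is handled explicitly: on NTFS, "List Folder" on a directory and "Read Data" on a file are the same access bit, so clearing it in a single ACE that also inherits to files would stop IIS reading the content. The script therefore splits such an ACE into a folders-only rule without the bit and a files-only rule that keeps it.

```powershell
# Added example (not from the DDPlus guide): strip "List Folder" from the
# NETWORK group on hosted-site folders without removing "Read Data" from files.
# Assumed layout: site folders directly under $WebDataRoot, as in the guide's
# "D:\Web_Data\Client_FP2002" example. Requires PowerShell 3.0+ and elevation.
param(
    [string]$WebDataRoot = 'D:\Web_Data',            # assumed, per the guide's example
    [string]$Identity    = 'NT AUTHORITY\NETWORK',   # the group the guide restricts
    [switch]$ReportOnly                              # show what would change, write nothing
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$AC   = 'System.Security.AccessControl'
$List = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory   # bit 0x1, shared with ReadData
$CI   = [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$OI   = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Remove-ListFolderRight {
    # Rewrites every explicit Allow ACE for $Identity on $Path that carries the
    # ListDirectory bit. Returns the number of ACEs rewritten (0 = already clean).
    param([string]$Path, [string]$Identity, [switch]$ReportOnly)

    $acl = Get-Acl -LiteralPath $Path
    $rewritten = 0
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }                       # inherited ACEs are fixed at their source folder
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $List) -eq 0) { continue }            # nothing to strip on this ACE

        $inh          = [int]$ace.InheritanceFlags
        $folderRights = [System.Security.AccessControl.FileSystemRights]($rights -band (-bnot $List))

        $acl.RemoveAccessRuleSpecific($ace)

        # Rule 1: this folder (and subfolders, if the original propagated to containers),
        # with every original right except List Folder.
        $folderInh = [System.Security.AccessControl.InheritanceFlags]::None
        if (($inh -band $CI) -ne 0) { $folderInh = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit }
        $acl.AddAccessRule((New-Object "$AC.FileSystemAccessRule"(
            $Identity, $folderRights, $folderInh,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))

        # Rule 2: files only (OI + InheritOnly), keeping the original rights so the
        # same bit still means Read Data on the web content IIS has to serve.
        if (($inh -band $OI) -ne 0) {
            $acl.AddAccessRule((New-Object "$AC.FileSystemAccessRule"(
                $Identity, $ace.FileSystemRights,
                [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
                [System.Security.AccessControl.PropagationFlags]::InheritOnly,
                [System.Security.AccessControl.AccessControlType]::Allow)))
        }
        $rewritten++
    }
    if ($rewritten -gt 0 -and -not $ReportOnly) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $rewritten
}

# The guide notes NETWORK is granted on each site root and on the folder above it,
# so cover $WebDataRoot itself as well as every site folder beneath it.
$targets = @(Get-Item -LiteralPath $WebDataRoot) + @(Get-ChildItem -LiteralPath $WebDataRoot -Directory)
foreach ($dir in $targets) {
    $n = Remove-ListFolderRight -Path $dir.FullName -Identity $Identity -ReportOnly:$ReportOnly
    if ($n -gt 0) {
        $verb = if ($ReportOnly) { 'would rewrite' } else { 'rewrote' }
        Write-Output ('{0}: {1} {2} ACE(s) for {3} on {4}' -f (Get-Date -Format s), $verb, $n, $Identity, $dir.FullName)
    }
}
```

Run it once with -ReportOnly to see which folders FPSE or IIS have re-granted, then schedule it at the interval the guide suggests, for example with `schtasks /Create /SC MINUTE /MO 30 /RU SYSTEM /TN "Strip NETWORK List Folder" /TR "powershell.exe -NoProfile -File C:\Scripts\Strip-ListFolder.ps1"` (path assumed). Because explicit ACEs are rewritten only when the bit is present, repeated runs are idempotent, and the output lines give a simple record of how often the permission is being put back, which is the evidence the guide says it lacked an official explanation for.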