Re: IIS and Web services

From: Chris Weber [Security MVP] (chris_at_dev.nul)
Date: 02/19/05


Date: Fri, 18 Feb 2005 16:30:41 -0800

I assume you're programming in ASP.NET.

1. Require SSL for the site so that basic auth credentials are always
protected.
2. Do not allow Anonymous access
3. Disable debug messages through web.config
4. Most importantly, validate (ON THE SERVER) every parameter passed to the
web methods to protect against field overflows, SQL injection, and
cross-site scripting.
5. Flow the context of the requesting user through end to end, do not allow
a privileged component to execute requests on behalf of a user.

The IIS and ASP.NET infrastructure will provide the auth and ACL security
you need. It's up to your developers to design the WS so they properly
validate and cannot be abused.

After doing Webapp security assessments for many years, the application
layer continues to be the biggest security problem.

regards,
Chris

"Leneise44" <Leneise44@discussions.microsoft.com> wrote in message
news:49DC98D3-684C-4EBD-8902-AE531FD9F885@microsoft.com...
> A healthcare company plans to secure calls to webservices using a combination
> of SSL, XML firewall (between iis aspx server and web services server) and
> using basic authentication. We plan to migrate our ldap users from our
> integrated security into the basic authentication on the local iis web
> server. There will be another firewall limiting traffic using IPSEC between
> the web and our iis server. My question: Will this be sufficient security to
> protect our web services? Certificates are ruled out, our users will not
> respond to these and someone can just sit at the box and log in. The xml
> firewall is securing the calls between the iis server and web services
> server. I'm trying to avoid having to write complex, custom code within the
> webservices layer using WSA 2.0 and tokens etc... The IT staff here is very
> basic and cannot maintain and administer complex code. Any and all comments
> appreciated. Thank you for your insight.
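An added illustration of the five points in the reply as they would look in one ASMX web method; this is example code, not from the original post or its author. The service name, table, column and connection string are assumptions, and point 5 assumes `<identity impersonate="true"/>` is set in web.config so that the query runs as the basic-auth caller rather than a privileged service account.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical ASMX service; names below are assumptions for illustration.
[WebService(Namespace = "http://example.invalid/patientlookup")]
public class PatientLookup : WebService
{
    // Whitelist shape for the identifier, enforced on the server so a client
    // that skips its own checks gains nothing (reply point 4).
    private static readonly Regex IdPattern =
        new Regex(@"^[A-Z0-9]{1,12}$", RegexOptions.Compiled);

    // Integrated Security plus <identity impersonate="true"/> in web.config means
    // the query runs as the authenticated caller, not a privileged account (point 5).
    private const string ConnStr =
        "Data Source=dbserver;Initial Catalog=Clinical;Integrated Security=SSPI";

    [WebMethod]
    public string GetPatientStatus(string patientId)
    {
        // Defence in depth for points 1 and 2: refuse plaintext or anonymous calls
        // in code as well, in case the IIS settings are later misconfigured.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("SSL is required.", SoapException.ClientFaultCode);
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SoapException("Authentication is required.", SoapException.ClientFaultCode);

        // Point 4: length and format check before the value goes near SQL or HTML.
        if (patientId == null || !IdPattern.IsMatch(patientId))
            throw new SoapException("Invalid patientId.", SoapException.ClientFaultCode);

        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT Status FROM PatientStatus WHERE PatientId = @id", conn))
            {
                // Parameterised query: the value is bound as data, never concatenated.
                cmd.Parameters.Add("@id", SqlDbType.VarChar, 12).Value = patientId;
                conn.Open();
                object result = cmd.ExecuteScalar();
                return (result == null || result == DBNull.Value) ? "UNKNOWN" : (string)result;
            }
        }
        catch (SqlException)
        {
            // Point 3: never echo database errors to the caller; log them server-side.
            throw new SoapException("Lookup failed.", SoapException.ServerFaultCode);
        }
    }
}
```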
