INTERNET INFORMATION SERVICES 6.0 SECURITY - PowerPoint PPT Presentation

About This Presentation
Title: INTERNET INFORMATION SERVICES 6.0 SECURITY

Description: Hardening IIS 6.0. Demos throughout. Setting the Stage. No news that IIS is a primary target ... IE Shipped in Hardened State on all Servers. Admin must add ...

Slides: 39
Provided by: thomas518

Transcript and Presenter's Notes


1
IIS 6.0 SECURITY ARCHITECTURE: It's a Whole New World
Michael Muckin, Security Architect, Microsoft Consulting Services
2
Agenda
  • Setting the Stage
  • IIS 6.0 Security design
  • ASP.NET Security Config
  • Scanning Tools
  • Hardening IIS 6.0

Demos throughout
3
Setting the Stage
  • No news that IIS is a primary target
  • What is this Security Push and Trustworthy
    Computing?
  • IIS 6.0 should be tangible evidence of these
    initiatives

4
Vulnerability Trends
(Chart: vulnerability trends by layer, Physical, Network, OS and Application, plotted on vertical and horizontal axes with the trend labels Decreasing, Leveling out and Increasing)
5
IIS 6.0 Security Design
  • Product quality
    • Improve design, coding, and testing practices
    • Fewer vulnerabilities out of the box
  • Security conscious architecture
    • Reduced attack surface
    • Defense in depth
    • Limit the possible damage should new vulnerabilities be discovered
  • Always up-to-date
    • Make it practical to keep systems up-to-date with the latest software patches

6
Product Quality
  • Security stand-down
  • Development practices
  • /GS
  • Prefix/Prefast runs
  • Single String Class
  • QFE and IIS core team merged
  • Code review for every change
  • External reviews keep us honest
  • Removed legacy code
  • Security design review for every feature
  • Extensive test infrastructure
  • External tools
  • Internal tools
  • IIS tools
  • Buffer overflow scanner
  • Cross-site scripting
  • Fault injection in regular test runs

7
Reduced Attack Surface
  • Windows Server 2003 disables 20 Services
  • IIS is not installed on Windows Server 2003
  • If you install IIS

8
Vulnerability Distribution: Web-Server only
9
Defense In Depth
  • Buffer overflows
    • New low-privilege accounts: Network Service (default) and Local Service
    • Default privileges:
      • SeAssignPrimaryTokenPrivilege
      • SeSecurityPrivilege
      • SeSystemtimePrivilege
      • SeAuditPrivilege
      • SeChangeNotifyPrivilege
      • SeUndockPrivilege
    • vs. the LocalSystem account, which has almost every system privilege (21 total)

10
Defense In Depth
  • Canonicalization issues
    • Rigorous and restrictive parsing
    • Default handler is restricted to a list of known extensions
  • Denial-of-service attacks
    • Fault-tolerant infrastructure
    • Limits
  • Cross-site scripting issues
    • ASP.NET data validation controls
  • Executing command-line scripts
    • Secure defaults don't allow the anonymous account to execute .exes
  • Site defacements
    • No write access for the anonymous account in the home directory

11
Secure By Default: Secure Defaults I
  • No executable VDirs
    • /SCRIPTS and /MSADC
  • Secure timeouts and limits
    • 16k request limit
  • Old legacy code removed
    • ISM.DLL/.HTR
    • Sub-authentication
  • Known extensions
    • Check if file exists

12
Secure By Default: Secure Defaults II
  • Strong ACLs on
    • Logfiles
    • Custom error directory
    • Cache directories
      • Persistent ASP template cache
      • Compression cache
  • IE shipped in hardened state on all servers
    • Admin must add zones/settings as desired
  • ASP
    • ASPEnableParentPath FALSE
    • Hang detection
    • 4MB response buffer limit
    • Internal health detection

13
Secure By Default: Secure Defaults III
  • Restrictive URL canonicalization
    • Hostname and URL rules
    • A raw byte must be a URL_TOKEN, per RFC 2396 and 2732:
      • Alphanumeric: A..Z a..z 0..9
      • Hex-escaped: %xx or %uNNNN
      • Mark: - _ . ! ' ( )
      • Reserved: / ? @ ,
      • Unwise: \
      • But not: 0x00-0x1F, 0x7F, " < >
  • NTFS canonicalization
    • \\?\
    • Streams outlawed

14
Security Conscious Architecture: Compartmentalization
  • Third-Party code runs only in Worker Processes
  • Powerful sandboxing
  • HTTP pre-request logging

15
Rearchitecting IIS: A Review of IIS5
(Diagram: IIS5 architecture, user mode above the WinSock 2.0 boundary, kernel-mode TCP/IP below)
16
IIS 6.0 Request Processing
(Diagram: IIS 6.0 request/response flow; components shown are Inetinfo, Application Pools, FTP, NNTP, SMTP and the XML Metabase)
17
Rearchitecting IIS: A New Architecture for IIS6
  • GOAL: prevent apps from affecting system health
  • Web service in INETINFO split out to do this
    • HTTP.SYS: kernel-mode listener and request router
    • WAS: config and process manager
    • W3 Core: where apps get loaded
  • Multiple W3 Cores

18
Rearchitecting IIS: HTTP.SYS
  • What is it?
    • Kernel-mode HTTP stack/listener
    • Always running
  • Reliability features
    • Process routing based on URL
    • Request queues: kernel-mode queuing
  • Performance features
    • Kernel-mode response cache
    • Text-based and binary logging

19
Rearchitecting IIS: HTTP.SYS
(Diagram: HTTP.SYS internals above TCP/IP, exposed through the HTTP.SYS API: Listener, HTTP Parser, HTTP Engine, Namespace Mapper, Response Cache, per-pool Request Queues, Send Response)
20
Rearchitecting IIS: Web Admin Service (WAS)
  • Application Manager
    • Manages lifetime of W3 Core(s)
  • Configuration Manager
    • Configures HTTP.SYS
  • No application code
    • Ensures reliability
    • Easier to identify problems
  • Hosted in SVCHOST.exe

21
Rearchitecting IIS: W3 Core
  • What is it?
    • Main web processing DLL, responsible for processing web requests
    • Mini-web server
    • Contains all web request processing functionality
    • Loads ISAPIs: filters and extensions
    • Separates request processing from the rest of the web server

22
Application Pools: Application Isolation in Processes
  • Can create 1 or more application pools
    • Each served by 1 or more processes.
    • Each worker process serves only 1 pool.
    • Reqs routed directly to pool by HTTP.sys
  • Isolate apps based on
    • Site/Customer
    • Functionality
    • Reliability

23
Application Pooling: Configurable Worker Process ID
  • Worker process can be started as
    • Network Service (default)
    • Local System
    • Local Service
    • Configured ID

24
Recycling: What is it and Why use it?
  • What is it?
    • Periodically restart applications based on
      • Uptime
      • # of requests
      • Scheduled time
      • Memory consumption
      • On-demand
  • Why use it?
    • Refresh apps to ensure availability
    • Prevent bad apps from taking over the system

25
Recycling: Overlapping Recycle
(Diagram: overlapping recycle sequence across user and kernel mode; states shown: Ready for Recycle, Shut down)
26
Countering DoS: ISAPI Interaction / REPORT_UNHEALTHY
  • HSE_REQ_REPORT_UNHEALTHY
    • Goal: allow an ISAPI to report to IIS that it needs to be recycled.

        bResult = pECB->ServerSupportFunction(
                      pECB->ConnID,
                      HSE_REQ_REPORT_UNHEALTHY,
                      psz_reason_unhealthy,
                      NULL,
                      NULL);

  • ASP Hang Detection
    • Used to detect when ASP threads block in components

27
Health Detection: Crash Detection / Rapid Fail Protection
  • WAS detects process crash/AVs
  • On failure:
    • Publish event to event log
    • Check crash count
    • If (crash count > max crashes in time limit)
      • Disable app pool
    • Else start new process
  • Rapid Fail Protection
    • Only allow x crashes in y minutes
    • Return 503s when invoked
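
The crash-count decision on this slide, as an added Python model (not IIS or WAS code): failures inside a sliding y-minute window are counted, and once more than x have occurred the pool is disabled and requests get 503. The class and method names are invented for the example, and the 5-crashes-in-5-minutes parameters are sample values.

```python
from collections import deque


class RapidFailProtection:
    """Sliding-window crash counter standing in for the WAS logic on the slide.
    Constructed example; names and parameters are not taken from IIS."""

    def __init__(self, max_crashes, window_minutes):
        self.max_crashes = max_crashes
        self.window = window_minutes * 60        # y minutes, kept in seconds
        self.crashes = deque()                   # timestamps of recent failures
        self.disabled = False
        self.event_log = []                      # stand-in for the Windows event log

    def on_worker_failure(self, now):
        """WAS detected a crash/AV at time `now` (seconds).
        Returns 'disable' when the pool is taken offline, else 'restart'."""
        self.event_log.append((now, "worker process failure"))   # publish event
        self.crashes.append(now)
        while self.crashes and now - self.crashes[0] > self.window:
            self.crashes.popleft()               # forget failures older than y minutes
        if len(self.crashes) > self.max_crashes:  # more than x crashes in the window
            self.disabled = True
            self.event_log.append((now, "application pool disabled"))
            return "disable"
        return "restart"                         # else: start a new worker process

    def route_request(self):
        """HTTP.sys side: a request to a disabled pool is answered with 503."""
        return 503 if self.disabled else 200


def simulate(crash_times, max_crashes=5, window_minutes=5):
    """Run a constructed crash timeline through the protection and return the
    sequence of WAS actions plus the status a client would see afterwards."""
    rfp = RapidFailProtection(max_crashes, window_minutes)
    actions = [rfp.on_worker_failure(t) for t in crash_times]
    return actions, rfp.route_request()


if __name__ == "__main__":
    # Six crashes one minute apart: the sixth exceeds 5-in-5-minutes -> 503s.
    print(simulate([0, 60, 120, 180, 240, 300]))
    # The same six crashes spread more than five minutes apart never trip it.
    print(simulate([0, 400, 800, 1200, 1600, 2000]))
```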

28
ASP.NET Secure Config
  • ASP.NET Security Layers
  • Configuring ASP.NET Security
  • Server-side Input Validation

29
ASP.NET Security Layers
  • IIS
    • Authentication
    • URLScan (not specific to ASP.NET)
    • Static file ACLs
  • ASP.NET
    • Web Service Extensions
    • Authorization by Role and URL
    • File access by ASP mapped extensions

30
ASP.NET Accounts
  • When ASP.NET is enabled, a new account (ASPNET) and a new group (IIS_WPG) are created
  • Configurable in the IIS Service Manager MMC
  • For multiple Pools requiring complete isolation:
    • Create low-priv accounts for each Pool
    • Add them to the IIS_WPG group
    • Config each Pool with the appropriate Identity
  • Both ASPNET and the IUSR_xxxx accounts need Read and Execute (NTFS) access to ASP.NET files (.aspx, .asmx, etc.)
  • Careful of code-behind files that are being accessed; set ACLs appropriately (aspx.cs, aspx.vb)

31
ASP.NET Config Files
  • Understanding the .config files
    • XML files with Web and App settings
    • ACL these files tightly
      • Remove Users and Power Users
  • Hierarchical application of security settings
    • Machine.config
    • Web.config (for all ASP.NET apps)
    • App1 -> Web.config (individual App settings)
    • Resultant inherited settings
  • Settings
    • AuthN, AuthZ by Users, Roles (Domain and Forms)
    • HTTP Verbs allowed/disallowed
    • URLs
    • File access
  • Don't put connection strings or user/passwords in here!!

32
Users and Roles
  • Web.config <system.web> tag:

    <authorization>
      <allow users="Sue, Joe"/>
      <deny users="?"/>
    </authorization>
    -----------------------------------
    <authorization>
      <allow verbs="HEAD, GET, POST" roles="Administrators"/>
      <allow verbs="HEAD, GET, POST" roles="Users"/>
      <deny users="?"/>
    </authorization>

Note: ? = all unauthenticated users
33
More Granular Control
  • Web.config <location> tag:

    <location path="ListUsers.aspx">
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="AdminLogin.aspx" protection="All"/>
        </authentication>
        <authorization>
          <allow users="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Note: * = all users. HTTP verbs can also be specified within the <location> tag.
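
Added example (Python, not ASP.NET's or the presenter's code) that evaluates the authorization fragments of slides 32 and 33 with the rule semantics ASP.NET applies: rules are checked top to bottom, the first match wins, and a request matching no rule inherits the machine-level default allow users="*". It shows why the "Sue, Joe" rule set still admits every other authenticated user, and why a verb list on an allow rule does not deny other verbs, until a trailing deny users="*" is added. The sample configs are constructed copies of the slide fragments; is_authorized and the helper names are invented here.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two slide fragments, wrapped so they parse stand-alone.
CONFIG_USERS = """<system.web><authorization>
  <allow users="Sue, Joe"/>
  <deny users="?"/>
</authorization></system.web>"""
CONFIG_ROLES_VERBS = """<system.web><authorization>
  <allow verbs="HEAD, GET, POST" roles="Administrators"/>
  <allow verbs="HEAD, GET, POST" roles="Users"/>
  <deny users="?"/>
</authorization></system.web>"""
# Hardened variant: a trailing <deny users="*"/> closes the fall-through gap.
CONFIG_USERS_HARDENED = CONFIG_USERS.replace(
    '<deny users="?"/>', '<deny users="?"/>\n  <deny users="*"/>')

def _csv(value):
    """Split an ASP.NET comma-separated attribute; a missing attribute gives []."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def _matches(rule, user, roles, verb):
    verbs = [v.upper() for v in _csv(rule.get("verbs"))]
    if verbs and verb.upper() not in verbs:   # a verb list narrows the rule
        return False
    for u in _csv(rule.get("users")):
        if u == "*":                           # everyone
            return True
        if u == "?" and user is None:          # anonymous requests only
            return True
        if user is not None and u.lower() == user.lower():
            return True
    return any(r in roles for r in _csv(rule.get("roles")))

def is_authorized(config_xml, user, roles=(), verb="GET"):
    """First matching rule wins; user=None models an anonymous request."""
    for rule in ET.fromstring(config_xml).find("authorization"):
        if _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True   # nothing matched: inherited machine.config <allow users="*"/>

if __name__ == "__main__":
    # Slide intent: only Sue and Joe. Any other authenticated user falls through.
    print(is_authorized(CONFIG_USERS, "Sue"), is_authorized(CONFIG_USERS, None),
          is_authorized(CONFIG_USERS, "Bob"))            # True False True
    print(is_authorized(CONFIG_USERS_HARDENED, "Bob"))   # False
    # A verb list on <allow> does not deny other verbs without a trailing deny.
    print(is_authorized(CONFIG_ROLES_VERBS, "Ann", ("Users",), "DELETE"))  # True
```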
34
ASP.NET Server-side Validation: C# Example (1)
The Control

    <%@ Page Language="C#" %>
    <html>
    <head>
    <script runat="server">
        void ValidateBtn_OnClick(object sender, EventArgs e)
        {
            if (Page.IsValid)
                lblOutput.Text = "Page is valid.";
            else
                lblOutput.Text = "Page is not valid!";
        }

        void ServerValidation(object source, ServerValidateEventArgs args)
        {
            // Set args.IsValid here; the validation body is not shown on the slide.
        }
    </script>
    </head>
35
ASP.NET Server-side Validation: C# Example (2)
Hooking the Control

    <body>
    <form runat="server">
      <h3>My CustomValidator Example</h3>
      <asp:Label id="lblOutput" runat="server"
          Text="Part Number"
          Font-Name="Tahoma" Font-Size="10pt" /><br>
      <p>
        <asp:TextBox id="Text1" runat="server" />
        &nbsp;&nbsp;
        <asp:CustomValidator id="CustomValidator1"
            ControlToValidate="Text1"
            OnServerValidate="ServerValidation"
            Display="Static"
            ErrorMessage="Part Number entered is wrong!"
            ForeColor="green"
            Font-Name="Tahoma" Font-Size="10pt"
            runat="server"/>
      </p>
    </form>
    </body>
    </html>
36
  • Scanning an IIS 6 Default Box
  • Scanning an ASP.NET enabled Box
  • Log Parser
  • IISLockDown/URLScan
  • Web Extensions

37
Summary
  • Completely new architecture
    • Kernel mode request handling
    • Complete application isolation
  • Secure defaults
    • At the code level
    • Deployment: default IIS box is only a static web server; admin must turn on what is needed
  • IIS/ASP.NET focus on app-layer security
    • Web Service Extensions
    • URLScan
    • ASP.Net .config files
    • Server-side controls
  • > 10,000 sites already live on IIS 6.0
  • microsoft.com running production since RC1

38
Questions ???