Enterprise Network Security Solutions

Perils and Pitfalls of IIS Web Security
Eugene Schultz, Global Integrity Corporation (an SAIC Company) and Purdue University
Black Hat Conference
Las Vegas, Nevada
July 8, 1999
Copyright 1999, Global Integrity Corporation - All Rights Reserved
Copying these materials without the explicit, written permission of
Global Integrity Corporation is prohibited.
Agenda
Introduction
Vulnerabilities
Solutions
Conclusion
Surprise, surprise?
25 June 1999: Federal Computers Vulnerable
“According to federal officials, federal websites and
computer systems are particularly vulnerable to
outside attacks because they lack two important
elements: adherence to security plans and qualified
personnel to maintain security measures.”
http://www.newspage.com/cgi-bin/NA.GetStory?story=h0624132.500&date=19990625&level1=46510&level2=46515&level3=821
About the IIS Web server
Very widely used Web server package
Main advantages
  Price
  Ease of development and maintenance
Server-side applications can be implemented using
  CGI
  ISAPI
  ASP
A related component---Front Page
Supports development and maintenance of
Web pages
Consists of
Explorer (client side)
Editor (client side)
Server
Server Extensions (for managing and referencing
HTML pages)
FrontPage “Bots” perform tasks such as
automatically creating a table of contents
IIS Web authentication*
Purpose of authentication: to determine the identity and rights of the client
First check: is the user anonymous?
  If anonymous access fails, the server sends back information about the other types of authentication that are available
  If the user is authenticated, the server determines whether the user's credentials are sufficient to allow access to the resource
Second: challenge-response authentication
  If anonymous access fails, IIS will normally attempt challenge-response authentication
Last resort: cleartext (Basic) authentication
* Most of these events are transparent to users; the exception is when the type of authentication used requires the user to enter a username/password sequence
MSV1_0 authentication (diagram: client on the left, server on the right)
1. Authentication request (client to server)
2. 8-byte nonce (server to client)
3. Encrypted nonce (client to server)
4. Retrieval of the account's entry from the SAM database (server)
5. Encryption of the nonce (server)
6. Comparison of the encrypted nonces (server)
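The authentication order on the previous slide (anonymous, then NT challenge/response, then cleartext as the last resort) and the MSV1_0 nonce exchange above are easiest to see side by side. The following is an added example, not code from the slides or from Microsoft: a toy model of both schemes that shows what a sniffer recovers from each. The account store, user name and password are constructed, and the challenge/response computation uses HMAC-MD5 over the 8-byte nonce as a stand-in for MSV1_0's DES-based computation; the protocol shape (nonce, keyed response, server-side comparison) is the point, not the exact NT algorithm.

```python
"""
Added example (not from the slides): the IIS authentication order and the
MSV1_0-style nonce exchange, modelled in a few lines so the difference
between cleartext Basic and challenge/response is visible on the wire.

Assumptions: HMAC-MD5 over the nonce stands in for MSV1_0's DES-based
computation; the SAM below is constructed; names are made up.
"""
import base64
import hashlib
import hmac
import os


def credential_hash(password):
    # Stand-in for the hash NT keeps in the SAM (MD5 over UTF-16LE here;
    # NT's own NT hash is MD4 over the same encoding).
    return hashlib.md5(password.encode("utf-16-le")).digest()


# Constructed SAM: username -> stored credential hash (never the password).
SAM = {"webadmin": credential_hash("Tr0ub4dor&3")}


def negotiate(anonymous_allowed, ntcr_enabled, basic_enabled, client_supports_ntcr):
    """Scheme IIS ends up using, in the order the slide gives. A client
    that cannot do NT Challenge/Response falls through to cleartext Basic,
    which is the 'common denominator' exposure named later in the deck."""
    if anonymous_allowed:
        return "anonymous"
    if ntcr_enabled and client_supports_ntcr:
        return "ntlm"
    if basic_enabled:
        return "basic"
    return None


# --- Basic (cleartext) -------------------------------------------------
def encode_basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sniff_basic(auth_header):
    """What a sniffer recovers from a Basic header: base64 is encoding,
    not encryption, so the password itself comes back."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# --- Challenge/response (MSV1_0 shape) --------------------------------
def server_nonce():
    return os.urandom(8)  # step 2: 8-byte nonce


def client_response(password, nonce):
    # step 3: client keys the nonce with its credential hash
    return hmac.new(credential_hash(password), nonce, hashlib.md5).digest()


def server_verify(user, nonce, response):
    # steps 4-6: fetch the SAM entry, compute the same value, compare
    stored = SAM.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored, nonce, hashlib.md5).digest()
    return hmac.compare_digest(expected, response)


def replay_captured(user, captured_response):
    """A sniffer that captured one response cannot reuse it: the server
    issues a fresh nonce for the new session, so the old value fails."""
    return server_verify(user, server_nonce(), captured_response)


if __name__ == "__main__":
    hdr = encode_basic("webadmin", "Tr0ub4dor&3")
    print("Basic header leaks:", sniff_basic(hdr))
    n = server_nonce()
    r = client_response("Tr0ub4dor&3", n)
    print("challenge/response accepted:", server_verify("webadmin", n, r))
    print("replay of captured response accepted:", replay_captured("webadmin", r))
    print("client without NTCR, anonymous denied ->", negotiate(False, True, True, False))
```

The `negotiate` call in the last line is the practical check: with "Allow Anonymous" cleared and both other boxes ticked in the dialog shown on the next slide, any client that lacks NT Challenge/Response support is silently downgraded to Basic, and `sniff_basic` shows what that costs.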
Choosing IIS Web authentication
Screenshot: WWW Service Properties for EXCELSIOR, Service tab
  Connection Timeout: 600 seconds
  Maximum Connections: 1000
  Anonymous Logon: Username, Password
  Password Authentication: Allow Anonymous, Basic (Clear Text), Windows NT Challenge/Response
Basic IIS access control methods
Authentication
Limited execution environment
NTFS permissions
Internet Service Manager settings
Exposures in IIS Web services
Incompatibility of authentication schemes drives cleartext authentication as the common denominator
Web users are authenticated either as local users or as domain users
  Local access short-circuits many security controls
  Unauthorized access to the Web server can result in unauthorized domain-wide access
IIS runs as SYSTEM
Exposures in IIS Web services
Buffer overflow conditions abound
The IUSR_<servername> account is created either in the domain or on the member server that hosts IIS
ASP page access is not properly limited
Front Page vulnerabilities allow a variety of undesirable outcomes, including
  Unauthorized, privileged access to the Web server
  Ability to remotely read and write any file
  Denial of service
Exposures in IIS Web services
Vulnerabilities in Active Server itself can result in a wide range of undesirable outcomes from a security perspective
  Denial of service
  Ability to modify Web page content
  Ability to read and/or alter files that are not part of the Web server
Bots may allow unauthorized reads/writes of Web page content
Most Web servers themselves are not well-written from a security perspective
Example 1
A potential buffer overflow condition in the ISAPI extension ISM.DLL (used to process .HTR files) allows
  Someone to crash IIS by sending a long argument (FORMAT: GET /[overflow].htr HTTP/1.0)
  Execution of rogue code
Version affected: IIS 4.0 (SPs 4 and 5)
Problem: lack of proper bounds checking
Solutions: apply the hot fix, or remove the script mapping that hands .HTR files to ISM.DLL
Example 2
A bug allows anyone to use a default .asp page to view, and also to modify, source code by requesting a file from a virtual directory (simply enter ../ in the request path)
Problem: normal processing of the file is circumvented
Several variants of this bug exist
Found in IIS 3.0 and 4.0
Patch is available (but the best solution may be to remove all default .asp pages)
Example 3
A bug allows CGI scripts that require
authentication to be run without any
authentication
Version affected: IIS 3.0
This is really more of a limitation in an intended security feature than a vulnerability
Solution: upgrade to IIS 4.0
Example 4
Someone can discover the path to a virtual
directory
Requires only connecting to the
“msdownload” directory at a site, then
pressing Refresh/Reload
Can facilitate an attacker’s efforts to locate
resources to attack
All versions are affected
No patch available yet
Example 5
A malformed GET request can crash IIS,
causing data corruption
Requires that more than one virtual server
run on one machine
Problem: when one server quits inetinfo.exe, no file handle is produced for the TEMP files that the other server needs for its data writes
The problem persists across different releases
Hot fix available (see Microsoft Knowledge Base article Q192296)
Example 6
An unprivileged user can create an ISAPI extension to load rogue CGIs that run as SYSTEM
  GetExtensionVersion()
  Default()
Applies to any Web server that supports ISAPI extensions
Exploit code has been posted widely over the net
All versions are affected
Solution: do not allow users to load CGIs
Example 7
An anonymous user can use NetBIOS mechanisms to remotely reach \%systemroot%\system32\inetsrv\iisadmpwd (virtual directory /IISADMPWD) and start up its HTR files
  Passwords can be changed without authorization
  Information about accounts is readable
Best solution is debatable
  Delete /IISADMPWD?
  Filter traffic bound for TCP port 139?
Example 8
An unauthorized user can access cached files without being authenticated
Requires that
  More than one virtual server run on one machine
  Both servers have the identical physical and virtual directory for each target file
This bug is found in all versions of IIS
Problem: failure to recheck credentials after a cached file is initially accessed
Solutions: allow only one virtual server on any machine, or disable caching
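The failure in Example 8 is a design flaw rather than a parsing bug, so it is worth modelling: a cache keyed on the physical file, consulted before authorization, turns an anonymous virtual server into a bypass for a protected one that maps the same file. The block below is an added example, not code from the slides or from IIS: a toy Web server with the two virtual servers the slide requires, run once with the vulnerable behaviour and once with each mitigation. Host names, paths, file content and the credential check are all constructed for the example.

```python
"""
Added example (not from the slides): toy model of the Example 8 cached-file
exposure. Two virtual servers map the same virtual path to the same
physical file; one allows anonymous access, the other requires
authentication. The vulnerable server serves cache hits without rechecking
credentials; the fixed one authorizes before it touches the cache.
Hosts, paths and content are constructed.
"""

# Constructed "disk" and per-virtual-server mappings:
# virtual path -> (physical path, authentication required)
PHYS = r"C:\InetPub\wwwroot\reports\q2.htm"
DISK = {PHYS: "Q2 REVENUE: CONFIDENTIAL"}
VHOSTS = {
    "www.example.test":      {"/reports/q2.htm": (PHYS, False)},
    "intranet.example.test": {"/reports/q2.htm": (PHYS, True)},
}


class WebServer:
    def __init__(self, caching=True, authorize_before_cache=False):
        self.caching = caching
        self.authorize_before_cache = authorize_before_cache
        self.cache = {}  # physical path -> cached body (shared by all vhosts)

    def get(self, host, path, authenticated):
        phys, needs_auth = VHOSTS[host][path]
        authorized = authenticated or not needs_auth

        # Fixed behaviour: the authorization decision is made per request,
        # before the cache is consulted, so a hit cannot skip it.
        if self.authorize_before_cache and not authorized:
            return 401, ""

        if self.caching and phys in self.cache:
            # Vulnerable behaviour (the slide's "failure to recheck
            # credentials"): a cache hit is served as-is, even though this
            # vhost demands credentials the client never presented.
            return 200, self.cache[phys]

        if not authorized:
            return 401, ""
        body = DISK[phys]
        if self.caching:
            self.cache[phys] = body
        return 200, body


def attack(server):
    """Example 8 sequence: warm the cache through the anonymous vhost, then
    request the same physical file through the protected vhost with no
    credentials. Returns the status the attacker sees on the second request."""
    server.get("www.example.test", "/reports/q2.htm", authenticated=False)
    status, _ = server.get("intranet.example.test", "/reports/q2.htm", authenticated=False)
    return status


def compare_mitigations():
    """Status the attacker gets under the default and under each fix."""
    return {
        "default (cache, no recheck)": attack(WebServer()),
        "disable caching":             attack(WebServer(caching=False)),
        "authorize before cache":      attack(WebServer(authorize_before_cache=True)),
    }


if __name__ == "__main__":
    for name, status in compare_mitigations().items():
        print(f"{name}: {status}")
```

The slide's two mitigations (one virtual server per machine, or caching off) both work by removing the shared cache entry. The third row is the design-level fix a server author should apply: decide authorization on every request before any cache lookup, so that sharing a physical file between virtual servers stops being a security boundary.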
Example 9
IIS may fail to log successful HTTP requests
The unlogged requests have
  File name: Default.asp
  Request method: the attacker must make this very long (at least 10140 bytes)
May be found only in particular releases (e.g., an IIS 4.0 server that was upgraded from IIS 3.0)
No suitable solution so far, but try installing IIS 4.0 fresh instead of upgrading from IIS 3.0
Example 10
Under certain conditions, calling one or more of these ASPs may cause 100% CPU utilization
  \exair\root\search\advsearch.asp
  \exair\root\search\query.asp
  \exair\root\search\search.asp
Precondition: the default exair page and the DLLs it references must not be in memory
Best solution: delete \exair and everything below it
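Several of Examples 1 through 10 are recognisable from the request line alone: a long .htr URI (Example 1), dot-dot in the path (Example 2), the msdownload directory (Example 4), anything under /IISADMPWD (Example 7), an oversized request method (Example 9) and the ExAir sample ASPs (Example 10). The block below is an added example, not code from the slides or from IIS: screening rules for those cases, run over constructed request lines as a fronting proxy, ISAPI filter or packet capture would see them. It works on the raw request line rather than on the IIS log deliberately, because Example 9 shows that a request with an oversized method may never reach the log. The length thresholds, rule names and sample requests are assumptions for the example.

```python
"""
Added example (not from the slides): request-line screening for the IIS
exposures in Examples 1, 2, 4, 7, 9 and 10, over constructed sample
requests. Thresholds and rule names are assumptions.
"""
import re
from urllib.parse import unquote

HTR_PATH_LIMIT = 512   # assumption: no legitimate .htr URI is this long
METHOD_LIMIT = 10140   # from Example 9: methods this long go unlogged


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y'; return None if it is not that shape."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def screen(line):
    """Return the list of rule names the request line trips (empty if clean)."""
    parsed = parse_request_line(line)
    if parsed is None:
        return ["malformed-request-line"]
    method, target, _ = parsed
    # Decode %xx escapes and fold backslashes so traversal variants match.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    low = path.lower()
    hits = []
    if len(method) >= METHOD_LIMIT:
        hits.append("ex9-oversized-method")
    if low.endswith(".htr"):
        hits.append("htr-request")  # with the .HTR mapping removed, any is suspect
        if len(path) > HTR_PATH_LIMIT:
            hits.append("ex1-htr-overflow-probe")
    if "/../" in low or low.endswith("/.."):
        hits.append("ex2-dot-dot-traversal")
    if low.startswith("/iisadmpwd"):
        hits.append("ex7-iisadmpwd")
    if low.startswith("/msdownload"):
        hits.append("ex4-msdownload-path-disclosure")
    if re.match(r"^/exair/.*\.asp$", low):
        hits.append("ex10-exair-sample-asp")
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /" + "A" * 3000 + ".htr HTTP/1.0",
    "GET /scripts/../default.asp HTTP/1.0",
    "GET /scripts/..%5c../default.asp HTTP/1.0",
    "GET /IISADMPWD/aexp.htr HTTP/1.0",
    "GET /msdownload/ HTTP/1.0",
    "GET /exair/root/search/query.asp HTTP/1.0",
    "X" * METHOD_LIMIT + " /default.asp HTTP/1.0",
    "GET /default.htm",
]


def screen_all(lines):
    """Screen every line; returns (truncated line, hits) pairs for display."""
    return [(line[:40], screen(line)) for line in lines]


if __name__ == "__main__":
    for prefix, hits in screen_all(SAMPLE_REQUESTS):
        print(f"{prefix:<42} {', '.join(hits) or 'ok'}")
```

The rules are deliberately cheap string checks so they can sit in front of the server; the point is coverage of the request features the slides name, not signature precision. Once the .HTR script mapping and the \exair tree have been removed as the slides recommend, the `htr-request` and `ex10-exair-sample-asp` rules become pure reconnaissance indicators, since nothing legitimate should produce them.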
IIS-specific Web security measures
Consider running a Web server that does not
run as SYSTEM
Run the most recent version of IIS Web server
Avoid running IIS on domain controllers
Ensure that the IUSR_<servername> account has a strong password
Dedicate Web-accessible volumes to HTTP-based access
IIS-specific Web security measures
Use Internet Service Manager to set access permissions (read and/or write)
Ensure that Front Page extensions have appropriate NTFS permissions
Avoid Active Server implementations when security needs are higher
Use Active Server only to access a Microsoft transaction component (i.e., don't put code in Active Server itself)
IIS-specific Web security measures
Consider enabling IP filtering
Disable the NetBIOS layer of networking
Use SSL, HTTP-S, or PCT to encrypt sessions
It is generally best to deploy IIS as an internal
Web server
Patch, patch, patch...
Placement of external IIS servers
Diagram: INTERNET OR EXTERNAL NETWORK -> ROUTER -> DMZ containing the IIS WEB SERVER (the server should not be part of any NT domain) -> FIREWALL -> INTERNAL NETWORK. The firewall marks the SECURITY PERIMETER; the Web server sits outside it.
TFTP
Trivial File Transfer
Conclusion
We haven't even looked into security-related vulnerabilities in
  Browsers
  IIS FTP
Choose your poison---CGI, ISAPI, or ASP
Securing IIS requires paying attention to
  IIS and its many vulnerabilities
  The many extensions and filters that are typically part of the IIS environment
  The Web application
  Windows NT itself
Conclusion (continued)
The number of reported bugs has increased dramatically over the last year
The problem is only going to get worse in the next version
TCP/IP Services and NT Domains
Serious concern: NT Web servers or firewalls running within an NT domain (and, thus, effectively within NT's security perimeter)
Recommendations:
  Run each firewall as a domain-independent NT platform
  Run Web servers as domain-independent NT platforms or as part of a Web server domain
TCP/IP Services and NT Domains (continued)
Diagram: INTERNET -> ROUTER -> NT EXTERNAL WEB SERVER and NT FIREWALL (servers that are not part of an NT domain) -> INTERNAL NETWORK. The SECURITY PERIMETER lies at the firewall.
Sniffer Attacks
Logical or physical sniffers
Data in the packet headers of NT logon packets is vulnerable
FTP and telnet-based logons are in cleartext
The Network Monitor (NM) tool is part of BackOffice
Solutions: inspecting for unauthorized sniffers, use of VPNs,
Password Transmission in Heterogeneous Environments
Diagram: a Windows NT host logging on to a Unix host; the password crosses the network in cleartext.
PPTP-Protected Transmissions
Diagram: Host -- RAS Server ==[PPTP tunnel]== RAS Server -- Host
Password Cracking
The Windows NT security model attempts to provide strong protection against password cracking
  Strong password encryption algorithm
  Cleartext passwords are not sent over the net during conventional NT authentication
  The Security Accounts Manager (SAM) database is not accessible to interactive users
  Account Policy settings guard against
Password Cracking
Solutions
  PPTP
  Exceptionally strong passwords
  Third-party authentication
Exploitation of SMB
SMB servers have weak authorization requirements for file transfers
SMB has numerous back-door mechanisms
Concern: it is relatively easy to trick SMB into transferring files that are not otherwise available for access
Considerations for Access to Other Platforms
Windows NT does not recognize permissions from any file system other than NTFS
Most NT-compatibility programs require that
  A privileged user remotely log on to the NT domain to establish remote access
  All subsequent access not be interfered with by the OS on which the files are stored
Case Study: Gateway Services for NetWare
Service that allows Windows NT access to resources on NetWare servers
  Files
  Directories
  Printers
Allows NT Server to serve as a nondedicated gateway
Uses NWLink to connect to, then
So What’s The Problem?
“Gaps” in the Windows NT security
model
Faulty implementations that result in
security exposures
Security weaknesses in logic of
design of network service programs
Backdoors in protocols
Immaturity of Windows NT as an
operating system
Cracks in the NT Security Infrastructure
It takes time to learn how to
compromise security in a new
operating system
Much of “the new” in Windows NT is
really “the old,” after all
Many network security control
mechanisms don’t go far enough
New services and utilities keep
getting added to Windows NT’s
Conclusion
Windows NT has many security-related "bells and whistles" that really are not so important
NT domains in many respects constitute "steel doors in grass huts"
NT-based TCP/IP services will increasingly constitute the greatest threat to security
Most critical tools: third-party authentication tools
Conclusion (continued)
The problem of dealing with Windows NT network vulnerabilities is exacerbated by
  The immaturity of this operating system
  Microsoft's approach to dealing with NT-related vulnerabilities
  The lack of a clearinghouse for NT-related vulnerability information
Windows 2000 may provide a stronger framework on which to build security