Microsoft Attempts to Secure IIS
billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
Well, from the looks of it, it sounds like they're doing all the right things. Just too bad for most of us who've been seeing "GET /default.ida?XXXX..." and "GET /scripts/root.exe?/c+dir HTTP/1.0" 404" in our Apache logs; it can't come soon enough...
KidA
"Karma can only be portioned out by the cosmos." -Homer Simpson
This will mean that IIS sysadmins will actually have to think...! Now I know there are a lot of intelligent sysadmins out there running IIS, but if you've come across the people I have in the industry, you'll know that there are a lot of people who aren't very tech savvy running servers.
How about with this, an increase in the Microsoft Certification program?
===> An eye for an eye makes everyone blind - MG
It's nice that they will ATTEMPT to make it install more securely by default. What are they going to do to help secure all the existing installations from the current (and future) gaping holes?
As pointed out in this CNET article, while forcing the maximum secure version and forcing users to install all patches is a good step in the right direction, the fact that IIS has been patched so many times implies that to really improve the security of it, it needs to be rewritten from scratch, particularly since it is a closed source application and thus does not have the same QA that open source software might have.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.
It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Reading this article I smell a goat, as they say. It smacks too much of a good initiative that will be exploited. Like the recently announced toolkit to get your system checked for vulnerabilities and fixed free (see here). If you try to actually have it sent to you and go thru a few screens you see that you need Passport (a.k.a. "all your passwords are belong to us!") in order to have them send you a CD by snail-mail. What does a physical CD have to do with an evil service, you ask? Did I mention that the CD might be useful/coveted? Has anyone found a similar hitch with this (e.g., putting the settings in such a way that a central M$ database will check the appropriateness of all your info "to make sure it's secure", oh and to make sure you don't use it for anything that disparages M$, hotmail, MSN, etc)?
I had to test some java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by nimda (i.e. not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).
:-)
The entire dev team working on the java code would have just taken the afternoon off, had I not casually mentioned the existence of my humble Pentium Pro 200 running Apache.
This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the Admins to finish the virus updates. Who knows . . . we may shift away from simple IIS servers (for a java service on a server you don't need some big IIS machine).
From a security standpoint, this little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged nonetheless.
robi
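KidA and robi both describe watching the Code Red and Nimda probes (/default.ida, /scripts/root.exe, /winnt/system32/cmd.exe) land as 404s in Apache logs and blocking the sending hosts. The following scanner is an added example, not code from either poster: it parses common-log-format lines, tags each request by worm family, counts hits per source host, and returns the host list an admin could feed into a deny list. The log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (illustrative only).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:01:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276
198.51.100.7 - - [20/Sep/2001:10:01:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [20/Sep/2001:10:02:00 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [20/Sep/2001:10:02:30 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
this line is not in log format
"""

# Common log format: host ident user [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures of the worm traffic the thread describes.
# Matched case-insensitively because IIS treats paths that way.
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida", re.IGNORECASE),
    "nimda": re.compile(r"/(?:root|cmd)\.exe", re.IGNORECASE),
}

def classify_request(path):
    """Return the worm family name for a request path, or None if benign."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None

def scan_log(text):
    """Parse log lines; return (hits, per-host hit counter, malformed line count)."""
    hits, per_host, malformed = [], Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            malformed += 1          # keep going; one bad line must not hide the rest
            continue
        family = classify_request(m.group("path"))
        if family is None:
            continue
        hits.append({"host": m.group("host"), "family": family,
                     "path": m.group("path"), "status": int(m.group("status"))})
        per_host[m.group("host")] += 1
    return hits, per_host, malformed

def offending_hosts(text, min_hits=1):
    """Sorted list of source hosts with at least min_hits worm requests."""
    _, per_host, _ = scan_log(text)
    return sorted(h for h, n in per_host.items() if n >= min_hits)

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG)[0]:
        print("%-14s %-8s %s" % (h["host"], h["family"], h["path"]))
    print("hosts to deny:", offending_hosts(SAMPLE_LOG))
```

Raising min_hits filters out a single stray probe so that only hosts repeatedly scanning you end up on the block list.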
Never install a piece of software as Administrator; use Power User or something less.
If it doesn't install as that user, don't install it. It's obvious that that app was not designed with security in mind.
----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
Remember the first time you installed Apache?
It was secure by default because you had to learn what the heck you were doing, and a fair bit about the structure of your hard drive before you could get it running.
Now IIS is catching up, having learned what happens when you appeal to the lowest common denominator. This is very good news, because it means IIS will no longer be administered by people who haven't a clue. It's not that IIS is inherently insecure, but that it's inherently run by people who don't know how to secure it.
Apache appeals to a different crowd, and is more secure by nature for that reason...
information is immaterial
The rest of this comment is from the NTBugTraq newsgroup:
Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)
Announced today was the "Microsoft Security Tool Kit";
This "Greatest Hits" CD or network download contains all of the things you should already have;
- Latest Service Packs for OS, IIS, and IE.
- Security Checklists for NT, W2K, and IIS.
- A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- An NT 4.0-SP6a Deployment guide for SMS.
- IE Deployment guides.
- Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
- IIS Lockdown Tool
- URLScan
- HFNetchk
- Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- QChain
There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if it's just the Critical Update Notification 3.0 tool then it's not a "Bootstrap Client" in the sense I thought it was.
While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known to be exploitable
5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the following;
a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun)
b) Completely remove the IIS installation on command (remotely!), or render it stopped
c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc...
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.
If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.
Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.
There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while it's great they have finally been hit with the clue-bat it seems ridiculous that it's going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be set up to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.
Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"I thought I had an Appetite for Destruction, when all I really wanted was a club sandwich."
You might be interested in EROS - the Extremely Reliable Operating System, which takes permissions resolution to its logical extreme: the capability system. If something only needs access to one directory and one port, that's all you give it.
Very interesting project.
I'm not really sure how this will help. Having a server off by default will not make it harder to break into once the server has been turned on. Not only that, the problems exploited by worms and script kiddies are all known, sometimes months and even years in advance of an attack. If MS were truly serious, they would establish an independent body to certify MCSEs, make it so that the certification is much more difficult than it is now, and only provide support to customers who have certified personnel on staff. On top of this, MS should guarantee backward compatibility of ALL software installed on a system after a security update is applied (within a given product version) so that admins won't be terrified to install updates.
Burn Hollywood Burn
I agree fully with your open source remark. IIS is not in itself a revenue driver for Microsoft so why not make it open source? It might make it more complex and ruin MS's Point and Click admin theme for server products. But I have said before that PHBs who think that MS's point and click admin leads to a low TCO are eating their words and probably looking for a job =P To avoid the high costs of having a server exploding, IIS (Microsoft) admins should have the technical experience of a Unix admin. You can't take an accountant, put him in front of a server and call him an admin.
However, I must disagree with your statement about not considering running IIS at all. A good system analyst will weigh the value gained (in your case the data mining software) versus the risk of loss (having your server haxor'd.) If a network is designed in this way, you would already have *nix and Open Source infrastructure on your public area / DMZ.
Remember that IIS has an intrinsic advantage in delivering dynamic application content to desktops. I am an MCSE and work on Unix and MS systems; I would never put MS technology in the DMZ, but then again, my company couldn't survive without our MS web based thin applications internally.
Jesse Wolfe Sr. Manager Systems Integration
But look at it this way, if I put a stamp and an address on a thousand dollar bill and then put it in a mailbox, would you actually blame a poor postal worker for nicking it?
If I park a brand new Jaguar X-Type with the engine running and the door ajar in (insert local 'bad' neighbourhood here) would you not blame me for having to walk home?
If I build and sell you a house in that same 'hood, with no locks on the doors and big neon signs outside that says "FREE MONEY AND DRUGS (PLEASE DO MY WIFE ON THE WAY OUT)" would you not be slightly upset with me?
If I code an 'open ports' (someone at MS misheard 'open source') software, bully everyone into paying top dollars for it and then leave them hanging in the cold breeze when all the juniors at Scriptkiddie U exploit its shortcomings, would you not blame me?
Sure, the admins are to blame because they didn't have the guts to tell their PHBs to get a decent platform instead and the PHBs are to blame because they didn't know better than to listen to MS' marketspeak and FUDmachine (no one has ever been fired for buying MS - WELL IT'S ABOUT TIME THEY WERE!) and the scriptkiddies are to blame for walking right in, with no formal invitation.
How more inviting can you get? You install a webserver that one of the largest software publishers on this planet has honed and polished for over five years and the default mode of installation is set to "I_RUN_IIS,_COME_FUCK_ME!"
If you buy a Windows 2000 Server CD today with IIS included, it will not contain a single patch released in the last year and a half. Not one. Not even SP1. MS can not even be bothered to patch the software they are manufacturing right now, it's still the same CD image they released over a year ago. What if you bought a new Ford and it had Bridgestone tires plus a hand-written note in the glove compartment that said "Please change the tires, they are unsafe". Ralph Nader would be at Ford's throat like a pitbull on speed. MS gets away with it, time and time again.
Money for nothing, pix for free
I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.
Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disastrous, whereas a buffer overflow in Apache will have very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.
On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.
Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).
(*) I understand the default file permissions have been improved somewhat in windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? is it true or has it been debunked?
In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then the BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of being plagued with security holes, not bloody likely.
___
If you think big enough, you'll never have to do it.
No this isn't. Microsoft has always tried to make everything so easy that they just install and enable everything so you can do anything with minimal work. They're finally realising the implications. There IS a fundamental change in their strategy - ship locked down instead of opened up. Yes, I've already mentioned (as others) that ISAPI.DLL needs to be rewritten as it's obviously got some serious security flaws. However, if IIS doesn't have tons of insecurely executable scripts installed and activated by default it lessens the issue dramatically.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Alright. I'm sure this will get a lot of MCSE's all huffy but too bad... it's not about you anyway.
The biggest selling point for Microsoft crap is in how easy it is. It's also its biggest problem. Sure it's easy to set things up when, at install time, everything (especially the stuff the installer doesn't yet know about) is turned on by default! It is precisely this selling point that has created this problem.
You know, most people put their dangerous tools behind some level of inconvenience to prevent accidents. I have no doubt that Microsoft never intended this to happen... yet it has... I don't know how many releases of Windows had to come out before warnings about having file shares open when connected to the internet started to appear. So file shares are dangerous but exposing IIS (+addons) aren't?
A comment made by one user/admin noted that IIS by itself is not vulnerable that it is all the useless addins that make it so. Most of these addins aren't even used by the casual user. The casual user doesn't even use IIS! And that is the crux of the CodeRed problem in general. Microsoft has put dangerous tools into the hands of people who don't know how to use them so they can make more money. It's as simple as that. Microsoft is responsible for the problem and they should take appropriate measures.
By making it "too easy" people are making themselves vulnerable without their knowledge. It's out. It's too late. The best they can do is issue a RECALL on IIS and everything that comes bundled with IIS. Issuing advisories that people aren't reading and patches that people aren't downloading isn't going to get people's attention.
If they are truly interested in solving the problem, they will have to swallow their pride and make it very public that they wish to RECALL IIS! Then people will sit up and take notice and do the things they need to do.
Recalls are embarrassing. They will not want to do it. But for the good of the internet, they should. Okay, I hear the laughing... they aren't interested in the public good.
What is IIS anyway? Internet Infection System?
I have personally seen service patches and hot fixes blue screen servers. I have a fear of installing Microsoft "fixes" on systems that are functioning - will they cause a blue screen when the inevitable reboot is required? Will they break an API my "turnkey" vendor relied on?
I have two choices:
I can pro-actively install the service packs and hot fixes, causing (at best) some downtime or (at worst) an extended period of downtime thanks to unexpected side effects. If I am pro-active about fixes, I am viewed by departmental managers and users outside of IT as a bad guy, someone who is here to wreck their server. Oh, and don't tell me to test it before I apply it... you can install the same service pack on 50 boxes and only have it blue screen on one. I've SEEN this occur, so it is always a roll of the dice.
Choice #2 is to wait until the virus/trojan/whatever hits this department. Then I am the good guy for coming to the rescue.
What would YOU do?! I'd especially like to hear from seasoned sysadmins in both Microsoft and Unix camps - what approach do you take?
-hj
From the article: IIS, which is used to run Web sites, is sold separately and comes bundled with Windows 2000 [...] and Windows NT.
Is sold separately AND comes bundled? And here I was thinking that Yahoo! was just the name of the website, not a description of their writers. IIS is NOT sold separately - period. BTW, what asshole would buy a product that comes bundled with the OS that the product requires? Duh...
Black holes are where God divided by zero