Slashdot Mirror


Microsoft Attempts to Secure IIS

billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among the steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

5 of 392 comments

  1. Uneducated Opinion :-) by robi2106 · Score: 5, Interesting

    I had to test some Java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by nimda (i.e. not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).

    The entire dev team working on the Java code would have just taken the afternoon off, had I not casually mentioned the existence of my humble Pentium Pro 200 running Apache. :-)

    This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the Admins to finish the virus updates. Who knows . . . we may shift away from simple IIS servers (for a Java service on a server you don't need some big IIS machine).

    From a security standpoint, this little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged nonetheless.

    robi

  2. MS released another tool today by CmdrMightyTaco · Score: 5, Interesting
    In a related topic, MS released another tool set today to help admins secure their boxen...

    The rest of this comment is from the NTBugTraq newsgroup:

    Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.

    About time.

    I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)

    Announced today was the "Microsoft Security Tool Kit";

    This "Greatest Hits" CD or network download contains all of the things you should already have;

    - Latest Service Packs for OS, IIS, and IE.
    - Security Checklists for NT, W2K, and IIS.
    - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
    - An NT 4.0-SP6a Deployment guide for SMS.
    - IE Deployment guides.
    - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
    - IIS Lockdown Tool
    - URLScan
    - HFNetchk
    - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
    - QChain

    There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.

    I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if it's just the Critical Update Notification 3.0 tool then it's not a "Bootstrap Client" in the sense I thought it was.

    While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;

    1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
    2. Patched versions of MDAC
    3. Modifications to the samples to eliminate RDS
    4. Modified default installation that doesn't install in a way known to be exploitable
    5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)

    In addition, what is desperately needed is some way to do the following;

    a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun)
    b) Completely remove the IIS installation on command (remotely!), or render it stopped
    c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc...
    d) Report results in a comprehensive fashion

    I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.

    If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.

    Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.

    There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while it's great they have finally been hit with the clue-bat it seems ridiculous that it's going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be set up to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.

    Again, about time!

    Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.

    Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    --


    "I thought I had an Appetite for Destruction, when all I really wanted was a club sandwich."

  3. Re:I don't get it. by PatJensen · Score: 5, Interesting
    Before you go shooting on the MCSE bandwagon, you need to realize that Windows 2000 has been out for over a year now. There are less than a few thousand MCSEs, as former Windows NT 4.0 MCSEs are finding the tests to be MUCH harder than before. After December, once the NT 4.0 MCSEs have expired and they no longer hold their certification, it will go further in eliminating watered down MCSEs.

    Microsoft has done an excellent job at reducing the amount of excess water in their certifications with the new rounds of exams. I've taken and passed my Windows 2000 MCSE (after my Solaris SCNA and Cisco CCNA certifications) and I found the design exams to be especially challenging. To pass the new Windows 2000 tests, you MUST have experience with deploying their products or you WILL fail.

    Cut Microsoft some slack in their certification department. They've come a long way in establishing a well-known industry standard and now they are "fine-tuning" it to ensure that its worth stays intact. As someone who has gone through the process, it holds a lot of value to myself and my clients and customers.

    On a side note, pick up a Solaris book at Barnes and Noble and read it for two days. You can pass it with almost no experience, other than knowing run levels and where rc files are located.

    -Pat

  4. Bingo! by RelliK · Score: 5, Interesting

    I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.

    Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disastrous, whereas a buffer overflow in Apache will do very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.

    On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.

    Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).

    (*) I understand the default file permissions have been improved somewhat in Windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? Is it true or has it been debunked?

    In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of being plagued with security holes, not bloody likely.

    --
    ___
    If you think big enough, you'll never have to do it.

  5. Re:Heh, relying on IIS admins? by hurricanej · Score: 5, Interesting
    Here's something I'd like to hear the arm-chair sysadmins address.

    I have personally seen service patches and hot fixes blue screen servers. I have a fear of installing Microsoft "fixes" on systems that are functioning - will they cause a blue screen when the inevitable reboot is required? Will they break an API my "turnkey" vendor relied on?

    I have two choices:

    I can pro-actively install the service packs and hot fixes, causing (at best) some downtime or (at worst) an extended period of downtime thanks to unexpected side effects. If I am pro-active about fixes, I am viewed by departmental managers and users outside of IT as a bad guy, someone who is here to wreck their server. Oh, and don't tell me to test it before I apply it... you can install the same service pack on 50 boxes and only have it blue screen on one. I've SEEN this occur, so it is always a roll of the dice.

    Choice #2 is to wait until the virus/trojan/whatever hits this department. Then I am the good guy for coming to the rescue.

    What would YOU do?! I'd especially like to hear from seasoned sysadmins in both Microsoft and Unix camps - what approach do you take?

    -hj