Slashdot Mirror
Microsoft Attempts to Secure IIS
billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
Sounds like a good thing to me.
There marketing material pointing out holes in Apache mostly focused on Tomcat the java app server, PHP etc. But these don't come installed by default, where was with IIS, you install just about everything by default.
Apparently every copy of Windows XP/2000 is now shipping with a pair of scissors, to be used to "secure" the ethernet connection of IIS servers.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
because 78,417 Nimda hits are more than enough for me!
Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.
-sting3r
Download source code for Apache. Tweak the headers to say "IIS" instead of "Apache". Brag about their speedy team of coders.
Open the source. Put it up for peer review. Fix the holes. I'm not saying that they should hand out the source for their whole OS, but when they have had as many debacles with one piece of software it might actually help them out quite a bit.
I refuse to install products that require IIS as well. A software provider of ours makes an ultra nice business mining product that can be nicely web enabled. I told them that I would purchase it as soon as they supported a web server that didn't have a new security flaw or bug discovered every week.
It's nice that they will ATTEMPT to make it install more securely by default. What are they going to do to help secure all the existing installations from the current (and future) gaping holes?
As pointed out in this CNET article, while forcing the maximum secure version and forcing uses to install all patches is a good step in the right direction, the fact that IIS has been patched so many times implies that to really improve the security of it, it needs to be rewritten from scratch, particularly since it is a closed source application and thus does not have the same QA that open source software might have.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
The paper is here.
It's more involved than you might think. If you are a sysadmin, this might be important for your job security.
This is not a change in the fundamental technology. They don't seem to indicate that IIS itself will change, only that the default settings will yield more secure servers. This is only one type of security issue. What about all of the others?
Another thing to consider is that they are not doing this to be kind, gentle, or nice. They are doing it to shore up their marketing of Hailstorm, Passport, and so forth. This is not a response to "what the users want" or they would have done this ages ago. It is a marketing ploy. It is the right thing to do, but it is a marketing ploy. Managers, CIOs, CEOs, and so forth will be able to sleep better at night.
How to Download YouTube Videos
It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Microsoft's idea of making their products more secure is making it harder to copy... Seriously, if they'd spend as much time worrying about actual security as they do preventing and prosecuting piracy, it'd be more secure than Fort Knox.
1. Place unopened IIS software in bank vault.
:)
2. Close and lock vault door.
3. Eat paper on which vault lock combination is stored.
Oh, you actually wanted to use the software?
*sigh* I probably shouldn't rag on Microsoft: they needed to do this a long time ago. But in so many ways they've hoisted themselves by their own petard: by touting how easy their software is to use, by implication they've convinced businesses and technicians that they don't need much training on how to use it. Locking down IIS is one step: making sure that IIS admins know how to properly use it is another and I have yet to see any emphasis placed on education and training by Microsoft or any of its apologists.
Note: having one's connection refused by Slashdot when attempting to post a comment is just plain rude. On the other hand, the wonder isn't how well the bear dances, it's that the bear dances at all.
With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms , and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???
errr....umm...*whooosh* *whoosh* Is this thing on ?
I had to test some java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by nimda (ie not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).
:-)
The entire dev team working on the java code would have just taken the afternoon off, had I not casually mentioned the existance of my humble Pentium Pro 200 running Apache.
This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the Admins to finish the virus updates. Who knows . . . we may shift away from simple IIS servers (for a java service on a server you don't need some big IIS machine).
From a security stand point, This little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged none the less.
robi
I would think that Microsoft would want to get out of their leadership position in enabling virus attacks and making them so painful, but I guess that's why I'm not President of the Windows Division. I don't think the industry wants to be driven too much further down that path, though - alternate web serving platforms are more like where Microsoft is driving their customers.
Well, that will be a first.
Your right to not believe: Americans United for Separation of Church and
They most certainly don't have a history of being pro-Microsoft. All their TCO stuff is directed at proving desktops are really expensive and we should all go back to big iron.
Gartner recommends whatever it's clients pay it to recommend.
Remember the first time you installed Apache?
It was secure by default because you had to learn what the heck you were doing, and a fair bit about the structure of your hard drive before you could get it running.
Now IIS is catching up, having learned what happens when you appeal to the lowest common denominator. This is very good news, because it means IIS will no longer be administrated by people who haven't a clue. It's not that IIS is inherently insecure, but that it's inherently run by people who don't know how to secure it.
Apache appeals to a different crowd, and is more secure by nature for that reason...
information is immaterial
If you don't feel like hurting good quality cables, alternatively you can use the scissors to cut out every instance of the word "secure" from the IIS documentation, and run the software.
The rest of this comment is from the NTBugTraq newsgroup:
Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)
Announced today was the "Microsoft Security Tool Kit";
Click here
This "Greatest Hits" CD or network download contains all of the things you should already have;
- - Latest Service Packs for OS, IIS, and IE.
- - Security Checklists for NT, W2K, and IIS.
- - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- - An NT 4.0-SP6a Deployment guide for SMS.
- - IE Deployment guides.
- - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP) - - IIS Lockdown Tool
- - URLScan
- - HFNetchk
- - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- - QChain
There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if its just the Critical Update Notification 3.0 tool then its not a "Bootstrap Client" in the sense I thought it was.
While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known to be exploitable
5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the following;
a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun) /scripts, tightening
permissions, etc...
b) Completely remove the IIS installation on command (remotely!), or render it stopped
c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.
If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.
Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.
There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while its great they have finally been hit with the clue-bat it seems ridiculous that its going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be setup to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.
Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"I thought I had an Appetite for Destruction, when all I really wanted was a club sandwich."
These are the guys who have still be unable to figure out that the Buffer Overflow, etc. patches are available to them on Windows Update--or that almost all the new exploits would be fixed by getting Service Pack 2.
Um, I think you've completely missed the point. First off, not all patches are available from WindowsUpdate. In fact, precious few are. Most of the updates from WindowsUpdate apply to IE, not IIS. Second, there are a large number of exploits that have appeared since SP2 shipped. I have personally installed nearly two dozen Post-SP2 hotfixes to one server. I average between 8 and 10 post-SP2 hotfixes per server.
Mind you, actually keeping up-to-date on hotfixes actually became possible with the release of HFNETCHK. Before then, it was virtually impossible for any normal sysadmin to keep up with all of Microsoft's patches and apply only the ones they were supposed to. Also, before the release of QCHAIN, it was a horrible and time-consuming process to apply hotfixes to a server, even when you knew which ones to apply, because each hotfix wanted its own reboot to complete and you couldn't just apply them all and then reboot once.
I actually use WindowsUpdate, HFNETCHK and MPSA to check and make sure I catch all possible vulnerabilities. I've found that it's not uncommon for each one to catch something the others did not.
Even with the three tools I listed above, properly securing IIS (or any MS server) is still a royal pain. The damn things come preconfigured with their flies completely unzipped. MS's IIS Lockdown Tool won't even run if you've already taken some steps on your own to manually lock down IIS, and even if it does run, it doesn't turn off the "../" parent directory functionality that's enabled by default. You still have to go into IIS Admin and turn that damn thing off manually.
Let's not pick on IIS admins unfairly. Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated. Debian makes it easy to stay patched and does a half decent job of implementing default security, but MS leaves everything wide open by default, makes it damn difficult to lock any system down effectively, installs unnecessary services by default (and won't even let you uninstall some of them) and has a half-assed mechanism for rolling hotfixes and patches out to customers.
Microsoft needs something like Symantec's LiveUpdate, which allows sysadmins to roll out tested updates to internal users on their own schedules, without physically touching every system on their networks. Yes, there are IIS admins out there who are jackasses, but there are plenty of overworked sysadmins out there who'd love to properly secure IIS, if only it weren't damn near impossible.
In other news, Microsoft's hardware division announced a plan to make water flow uphill.
A paperclip comes up and asks you, "Would you like to have the server start? Would you like to allow connections from outside 127.0.0.1? Would you like to run scripts? Would you like to be able to access files not residing on the read only floppy? Would you like to have all comments automatically read by Outlook?"
This whole IIS thing is only a Microsoft problem by coincidence. Any piece of software can have security holes, so the key to reducing their effect is timely application of patches. That appears to be the main thrust of MS's "securing IIS" effort.
Unfortunately, almost nobody makes it easy to get security patches. Debian does the best job, from an admin's point-of-view--just "apt-get update && apt-get upgrade" when there's a security announcement, and you can even put this into a cron job. MS doesn't do too badly, with "Windows Update". Solaris stinks--Sun seems to go out of their way to hide security patches from visitors to their website. I don't have much experience with other platforms--there may be better systems than Debian's, but I haven't seen them.
That's "Mr. Soulless Automaton" to you, Bub.
Uhm I heard from a web developer for middleware systems that uses IIS that IIS 6.0 is going to run in kernel memory. Maybe this is a bad thing? Executing ASP code in kernel memory? Just.... maybe?
Thank God. Since MS usually tries to do the wrong thing, on purpose. Now they are doing the right thing on paper.
I'm not really sure how this will help. Having a server off by default will not make it harder to break into once the server has been turned on. Not only that, the problem's exploited by worms and script kiddies are all known, sometimes months and even years in advance of an attack. If MS were truely serious, they would exstablish an independant body to certify MSCEs, make it so that the certification is much more difficult than it is now, and only provide support to customers who have certified personal on staff. On top of this, MS should guarantee backward compatibility of ALL software installed on a system after a security update is applied (within a given product version) so that admins won't be terrified to install updates.
Burn Hollywood Burn
In other news today, Satan said to be interested in joining US Figure Skating Team. "Yes, this is a serious bid; we've already started training now!", said the Dark One, executing a perfect double axel over what was once the Ninth Plane of Hell.
By intending to secure IIS, Microsoft is doing the right thing. Unix freaks are laughing at Microsoft freaks because of code red & co. But the point is that flaws in any system is bad for the whole internet. People don't trust internet any more, they don't want to give their credit card number any more, etc. When every host on the internet will be pretty secure, e-commerce may do a real come-back.
The problem with this annouce is that Microsoft will start from the existing IIS product and try to secure it.
Securing something that wasn't initially coded with security in mind is very tricky. Flaws always pass on.
Have a look at bind or sendmail. They are very old servers. They are widely used. Many companies and individual people hardly audited the code. So what? A new flaw was still discovered in sendmail last week, and bind always was one of the favorite toy for kiddies.
On the other hand, software like djbdns and postfix were started later. They were started from scratch with the knowledge of all common security flaws their ancestor had. The result is that they are very secure. More than old software that was audited by hundreds of skilled people.
So while Microsoft's initiative is in the right direction, they won't get a secure product in any case. Just because they didn't rewrite it from scratch.
{{.sig}}
"You are running Outlook 97 or Outlook 98. You should consider upgrading to the latest version of Outlook to ensure you have the most recent product and security enhancements."
Hmm. Is this telling me that there are no patches available, and my only choice is to pay cash money and upgrade to Outlook 2000?
Yeah, it provides useful information, but it still feels like they're trying to shaft me.
-grendel drago
Laws do not persuade just because they threaten. --Seneca
While I easily see your point, it doesn't solve the fact that most IIS admins are complete morons for leaving the systems unpatched to this point.
My point about Windows Update is that ALL of these recent high-prifile attacks have had Windows Update patches for MONTHS. Service Pack 2 blocks almost all of them as well.
I have seen entire tech department that were knocked out by Code Red. Then Code Red II. Then Nimda. Yet, as a "casual" IIS user, I was never hit AT ALL. These patches have been obviously available for MONTHS. And even after Code Red, IIS admins STILL couldn't figure out to patch a hole that has about 4 OBVIOUS places to get the patch from. Let's review.
1) Windows Update
2) Service Pack 2
3) MPSA
4) Any of the virus scanner's homepages which linked to patches after Code Red, Code Red II, and Nimda.
If IIS admins can't even patch the obvious stuff like that, there is really little hope.
As you say "Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated."...they are the PROBLEM, not Microsoft. HFNETCHK is easily available, and if Linux users are too lazy to learn how to admin the system that they're PAID to admin, they deserve what they get. I don't care if you don't like Windows, if it's YOUR JOB to be a IIS admin, you sure as heck better learn how to do it RIGHT.
I'm sure modders are gonna hate me for saying that, but I don't care at all if you don't like the system. If it's your job, it's your job. I hate Oracle, but that doesn't mean I don't use it *right* when I have to. Is it my first choice? No. Am I gonna be a slack-ass about it just because of sour grapes if I have to you it? No.
-Jayde
P.S. Disabling Parent Paths is not a big deal if you secure the rest of you system. In fact, I doubt you would find any professional IIS web server which has Parent Paths disabled, as it has terrible effects on most ASP code. It's stupid for server-side code to be forced to code paths based on the root "./" instead of relitive paths "../" as server directory structure could easily change at any time.
What's a sig?
In the spirit of hfnetxchk.exe there is now a tool to apply multiple hotfixes without rebooting, qchain.exe
To use this, you write a
Or at least that's the theory. The hotfixes I was working with didn't all honor the "no reboot" switch. I don't have the list handy (I've since been laid off and don't have access to the network directory with the
The really keen thing to do, for desktops anyway, is to use hfnetchk to identify machines needing hotfixes, a script to customize the
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
But look at it this way, if I put a stamp and an address on a thousand dollar bill and then put it in a mailbox, would you actually blame a poor postal worker for nicking it?
If I park a brand new Jaguar X-Type with the engine running and the door ajar in (insert local 'bad' neighbourhood here) would you not blame me for having to walk home?
If I build and sell you a house in that same 'hood, with no locks on the doors and big neon signs outside that says "FREE MONEY AND DRUGS (PLEASE DO MY WIFE ON THE WAY OUT)" would you not be slightly upset with me?
If I code a 'open ports' (someone at MS misheard 'open source') software, bully everyone into paying top dollars for it and then leave them hanging in the cold breeze when all the juniors at Scriptkiddie U exploits its shortcomings, would you not blame me?
Sure, the admins are to blame because they didn't have the guts to tell their PHBs to get a decent platform instead and the PHBs are to blame because they didn't know better than to listen to MS' marketspeak and FUDmachine (no one have ever been fired for buying MS - WELL IT'S ABOUT TIME THEY WERE!) and the scriptkiddes are to blame for walking right in, with no formal invitation.
How more inviting can you get? You install a webserver that one of the largets software publishers on this planet has honed and polished for over five years and the default mode of installation is set to "I_RUN_IIS,_COME_FUCK_ME!"
If you buy a Windows 2000 Server CD today with IIS included, it will not contain a single patch released in the last year and a half. Not one. Not even SP1. MS can not even be bothered to patch the software they are manufacturing right now, it's still the same CD image they released over a year ago. What if you bought a new Ford and it had Bridgestone tires plus a hand-written note in the glove compartment that said "Please change the tires, they are unsafe". Ralph Nader would be at Ford's throat like a pitbull on speed. MS gets away with it, time and time again.
Money for nothing, pix for free
When a (h)(cr)acker writes a virus/worm that cracks into servers and provides root access without actually doing any damage, what they are doing is letting the world know how easy it is to do so.
Bear in mind that there are lots of folks out there (thieves, terrorists, enemy governments) who would (and presumably do) break into servers and steal credit card numbers and/or sensitive corporate/government info, without telling anyone!!
If the "virus authors" weren't constantly exploiting these simple security holes, the greater public would never know they were there, because the real "bad guys" always try to go unnoticed.
Dear Microsoft,
Thank you for your recent ammouncement that (someday) you will secure IIS.
Enclosed please find a blank, signed check.
When a more secure IIS is ready, please fill in the amount on the check, deposit it, and then ship me the new IIS. I'm patient. I'll wait until it's ready.
I know you're working very hard and that the benefit of end users is the number one concern of Microsoft.
Your loyal lackey,
MCSE guy.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
The article hints at this, but I think that Microsoft needs to not only secure their default install for future products but make security part of their MCSE core training/testing requirements. I think they need to make a separate MCSE core test that focuses on security.
Comment removed based on user account deletion
I have just released my tool which can be used to generate reports about these worms by examining your Apache logs. Very configurable, lots of options, written in Java, released under the GPL.
Please check it out at http://www.websoup.net/wormscan/. I'm looking forward to some feedback.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.
Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disasterous, whereas a buffer overflow in Apache will have a very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.
On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.
Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).
(*) I understand the default file permissions have been improved somewhat in windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? is it true or has it been debunked?
In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of beeing plagued with security holes, not bloody likely.
___
If you think big enough, you'll never have to do it.
Bleh!
How about with this, an increase in the Microsoft Certification program?
Actually, the Microsoft Certification program for 2000 is quite impressive (disclaimer: I don't have one or plan on getting one). The problem is an MCSE can not be looked at exclusively. It just says that you (potentially) have a good understanding about Windows Servers and architectures. What it doesn't do is give somebody the equivilent of a few years of solid experience. That's the real issue here, experienced vs. inexperienced (but certified) admins.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Interview about the "Secure Windows Initiative"
Alright. I'm sure this will get a lot of MCSE's all huffy but too bad... it's not about you anyway.
The biggest selling point for Microsoft crap is in how easy it is. It's also its biggest problem. Sure it's easy to set things up when, at install time, everything (especially the stuff the installer doesn't yet know about) is turned on by default! It is precisely this selling point that has created this problem.
You know, most people put their dangerous tools behind some level of inconvenience to prevent accidents. I have no doubt that Microsoft never intended this to happen... yet it has... I don't know how many releases of Windows had to come out before warnings about having file shares open when connected to the internet started to appear. So file shares are dangerous but exposing IIS (+addons) aren't?
A comment made by one user/admin noted that IIS by itself is not vulnerable that it is all the useless addins that make it so. Most of these addins aren't even used by the casual user. The casual user doesn't even use IIS! And that is the crux of the CodeRed problem in general. Microsoft has put dangerous tools into the hands of people who don't know how to use them so they can make more money. It's as simple as that. Microsoft is responsible for the problem and they should take appropriate measures.
By making it "too easy" people are making themselves vulnerable without their knowledge. It's out. It's too late. The best they can do is issue a RECALL on IIS and everything that comes bundled with IIS. Issuing advisories that people aren't reading and patches that people aren't downloading isn't going to get people's attention.
If they are truly interested in solving the problem, they will have to swallow their pride and make it very public that they wish to RECALL IIS! Then people will sit up and take notice and do the things they need to do.
Recalls are embarassing. They will not want to do it. But for the good of the internet, they should. Okay, I hear the laughing... they aren't interested in the public good.
What is IIS anyway? Internet Infection System?
A company whose main selling point is ease of use is bound to attract lazy people to manage its products. If the average Windows 2000 sysadmin is lazy and careless, while the average Unix sysadmin is careful and meticulous, whose fault is it?
As I mentioned, fixing the blame will not solve the problem. From an outsider point of view, the whole company is a black box. The customer doesn't know and doesn't care if the sysadmin is doing his job. All the customer sees is results. So, when managers hire people, they shouldn't just consider that Windows administrators can be hired for less than Unix administrators; they should think about the overall result: will a system composed by hardware+software+people work better with a Windows or with a Unix software component?
I manage lots of workstations and several servers in a state agency. We use Dameware for remote information collection and control.
In the past we used SMS but it was waaay too slow, especially across some of our 56k lines. Dameware is a wonderful product. There may be some way to script it's use as well. I was provided with the product by the department, so I don't know what the licensing issues are, but it looks like it's around $200.00 or less for download and is available for a 30 day free trial.
I really endorse this product. Hope the info helps.
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
The problem is that parent paths aren't automatically blocked from going any higher than \InetPub\Webroot, which to me is a huge security hole. Yes, properly-secured NTFS ACLs on the filesystem will prevent any real damage from occurring, but NT and Win2k default to EVERYONE|Full Control on all filesystems, both at the NTFS ACL level and at the share level.
Look, if it were possible to just fix your server once and then not have to go back and fix the same flaw again (and again and again...), more NT systems would be properly patched, but Microsoft seems to have gone out of its way to hose NT 4.0 customers. Win2k does finally let you patch your install folders with updates from the service packs, but NT doesn't let you do that, and there's no good reason for that. Any time you add or remove a service in NT, you end up putting the install CD in. The second you do that, you have to re-run your service pack and reapply all of your hotfixes.
IIS 4.0 is the current version of IIS for NT 4.0. Let's say you decide you want to build an Outlook Web Access server for your organization and your company hasn't moved to Win2k Server yet, so you use NT 4.0. How do you get IIS 4.0 on that server? You use the Microsoft Option Pack 1 for NT 4.0. Guess what? That thing installs an insecure version of MDAC, an unpatched version of IIS and a host of other crap you may or may not want (such as the MS transaction server and indexing). All of it is incredibly old and almost all of it has to be patched and repatched the second you install it.
So, here's how you build your server: You install NT 4.0 and apply the latest service pack (SP6a because SP6 had heinous bugs). You install IE 4.0 or newer. Then, if you're smart, you install a version of MDAC (2.5 or newer) that sets proper registry security and is reasonably recent and free of its own security holes. Then you install the Option Pack so you can have IIS 4.0 and which insists on trying to install MDAC 1.5--be sure to deselect RDS because that's a huge security hole that Russian hackers use to steal credit card numbers. Now, you're ready to install Outlook Web Access. Think you're finished? Ha! Not even close. Next, you run HFNETCHK to find the enormous list of hotfixes you've got to download and apply. Each hotfix is in a different place on Microsoft's website, and there isn't a convenient tool you can use to just go and download the patches you need and store them in conveniently-labeled folders. Then, you download QCHAIN so you can apply those patches without having to reboot after each one. If you're smart, you'll use WindowsUpdate and MPSA to make sure you're not missing anything.
By the time you've finished with this minimum effort, you've spent no less than four or five hours just installing NT, IIS and the hotfixes, not to mention the hour or two it takes to install and configure OWA. Now, at this point, all you have is a product that's reasonably free of serious buffer overflow security flaws. You still don't have a product that's actually remotely secure. Now, you have to go and fix all of MS's idiotically optimistic NTFS permissions and find and disable any unnecessary services. Maybe you run MS's IIS Lockdown tool, which removes the IISamples folder and a few other obvious things.
By now, you've probably spent at least 8-12 hours building this server, patching the holes and fixing the default security settings.
So, you've patched the living hell out of the server and it's ready to go. You're immune to attacks, right? Almost certainly not. New holes are found in IIS every week and keeping on top of them is a huge job even if you have no other job responsibilities. Add to that the fact that any time somebody adds or removes a service from NT, you have to reapply the latest service pack and all the hotfixes (in order) and then reboot, and you've got yourself a nightmare.
Let me be clear.
There are enormous numbers of jackasses running IIS who can't figure out how to toast bread. However, there are plenty of overworked sysadmins who're only trying to keep their damn networks running who find it nearly impossible to keep their IIS servers patched and locked down because Microsoft makes it so damn difficult.
Yes, matters get a little better when you're running Windows 2k server, but things don't turn into a panacea just because you can patch your install media and some hotfixes don't require reboots. Microsoft still releases at least two or three patches for Win2k and/or IIS every month (sometimes they release that many in a week). They still automatically set file and share privileges too optimistically. They still install dozens of unnecessary services by default. They still force you to have unnecessary applications installed by default that you can't remove without pliers and a blowtorch (OutlookExpress). In short, they still don't take security maintenance seriously and until they do, it'll be tough for even conscientious admins to keep up. Newbies, idiots and lazy bastards won't have a hope.
I have personally seen service patches and hot fixes blue screen servers. I have a fear of installing Microsoft "fixes" on systems that are functioning - will they cause a blue screen when the inevitable reboot is required? Will they break an API my "turnkey" vendor relied on?
I have two choices:
I can pro-actively install the service packs and hot fixes, causing (at best) some downtime or (at worst) an extended period of downtime thanks to unexpected side effects. If I am pro-active about fixes, I am viewed by departmental managers and users outside of IT as a bad guy, someone who is here to wreck their server. Oh, and don't tell me to test it before I apply it... you can install the same service pack on 50 boxes and only have it blue screen on one. I've SEEN this occur, so it is always a roll of the dice.
Choice #2 is to wait until the virus/trojan/whatever hits this department. Then I am the good guy for coming to the rescue.
What would YOU do?! I'd especially like to hear from seasoned sysadmins in both Microsoft and Unix camps - what approach do you take?
-hj
The real problem isn't that the service starts as LocalSystem - even Apache starts off as root (it has to when it binds to port 80). What makes things so difficult under NT is there is no effective way to permanently and irrevokably drop privileges from a process while maintaining the ability to 'su' to another user if someone presents a username/password pair.
Even when IIS is running as a 'nobody' user, unless you have explicitly configured your script/application to run in a separate process then you'll find that a simple 'RevertToSelf()' call will grant you back all the privs that were dropped. On the flip side, without being LocalSystem you can't call 'LogonUser()' or 'CreateProcessAsUser()' from a username/password pair so you end up with catch 22.
If I'm wrong, please shoot me down in flames...
Fear: When you see B8 00 4C CD 21 and know what it means
Hold on, I'm confused now:
- Only LocalSystem can impersonate another user.
- LocalSystem process needs to know the password of the user to impersonate
- But: LocalSystem can also set the password!
So what's the point of having a password in the first place?
The only reason is there is an underlying "philosophy" in the NT security architecture that to log in as a user you must either know the password or destroy the existing password (thus theoretically alerting the user). It should be noted that LocalSystem can only set the password for accounts with their security information located on the local machine (so you have to get LocalSecurity on a domain controller to tinker with domain user passwords).
The shame of it all is that LocalSystem has enough access power to read the hashes out of the registry/Active Directory, set the password, login and replace the hashes with the old ones while covering up the audit trail.
I would be far more enthusiastic about NT security if they created a new privilege (at least that much is obviously extensible) which allowed a user to effectively call setuid() with no password. The priv need not be given to anyone but LocalSystem by default and it would clean up a lot of the messy stuff you have to do to get around the obstacles in the design (which in turns opens the door for bugs and security problems).
I wonder if anyone from Microsoft is reading this?
[I'm assuming you weren't questioning the point of passwords in general, just the fact that LocalSystem needed them to login as another user]
Fear: When you see B8 00 4C CD 21 and know what it means
heres to hoping that there are some folks left at
the following comment was posted by MS employee Joshua Allen at his weblog
The IIS Plan - This interview with Brian Valentine sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is "When we look back in a few years, we will see this as one of the critical inflection points in our company's growth."
Here are my notes, detailing the parts of the plan I found interesting:
Two initiatives for customers:
Get Secure:
Stay Secure:
Internal Efforts (Not Customer-Facing):
Public:
So the way I see it, we will be successful to the degree that we:
- Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
- Improve security going out the door so that fewer patches are required (IMO, this wouldn't have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
- Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.
And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too.