Microsoft Attempts to Secure IIS

billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among the steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
  • Power of Gartner (Score:4, Informative)

    by augustz ( 18082 ) on Wednesday October 03, 2001 @04:38PM (#2385421)
    Sounds like a good thing to me.

    Their marketing material pointing out holes in Apache mostly focused on Tomcat the Java app server, PHP etc. But these don't come installed by default, whereas with IIS, you install just about everything by default.
  • Summary (Score:2, Informative)

    by wiZd0m ( 192990 ) on Wednesday October 03, 2001 @04:41PM (#2385449)
    They will fix the problem in the next upgrade.
  • by webword ( 82711 ) on Wednesday October 03, 2001 @04:47PM (#2385475) Homepage
    This is not a change in the fundamental technology. They don't seem to indicate that IIS itself will change, only that the default settings will yield more secure servers. This is only one type of security issue. What about all of the others [66.129.1.101]?

    Another thing to consider is that they are not doing this to be kind, gentle, or nice. They are doing it to shore up their marketing of Hailstorm, Passport, and so forth. This is not a response to "what the users want" or they would have done this ages ago. It is a marketing ploy. It is the right thing to do, but it is a marketing ploy. Managers, CIOs, CEOs, and so forth will be able to sleep better at night.

  • by McSpew ( 316871 ) on Wednesday October 03, 2001 @05:06PM (#2385581)

    "These are the guys who have still been unable to figure out that the Buffer Overflow, etc. patches are available to them on Windows Update--or that almost all the new exploits would be fixed by getting Service Pack 2."

    Um, I think you've completely missed the point. First off, not all patches are available from WindowsUpdate. In fact, precious few are. Most of the updates from WindowsUpdate apply to IE, not IIS. Second, there are a large number of exploits that have appeared since SP2 shipped. I have personally installed nearly two dozen Post-SP2 hotfixes to one server. I average between 8 and 10 post-SP2 hotfixes per server.

    Mind you, actually keeping up-to-date on hotfixes actually became possible with the release of HFNETCHK [microsoft.com]. Before then, it was virtually impossible for any normal sysadmin to keep up with all of Microsoft's patches and apply only the ones they were supposed to. Also, before the release of QCHAIN [microsoft.com], it was a horrible and time-consuming process to apply hotfixes to a server, even when you knew which ones to apply, because each hotfix wanted its own reboot to complete and you couldn't just apply them all and then reboot once.

    I actually use WindowsUpdate [microsoft.com], HFNETCHK and MPSA [microsoft.com] to check and make sure I catch all possible vulnerabilities. I've found that it's not uncommon for each one to catch something the others did not.

    Even with the three tools I listed above, properly securing IIS (or any MS server) is still a royal pain. The damn things come preconfigured with their flies completely unzipped. MS's IIS Lockdown Tool [microsoft.com] won't even run if you've already taken some steps on your own to manually lock down IIS, and even if it does run, it doesn't turn off the "../" parent directory functionality that's enabled by default. You still have to go into IIS Admin and turn that damn thing off manually.

    Let's not pick on IIS admins unfairly. Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated. Debian makes it easy to stay patched and does a half decent job of implementing default security, but MS leaves everything wide open by default, makes it damn difficult to lock any system down effectively, installs unnecessary services by default (and won't even let you uninstall some of them) and has a half-assed mechanism for rolling hotfixes and patches out to customers.

    Microsoft needs something like Symantec's LiveUpdate, which allows sysadmins to roll out tested updates to internal users on their own schedules, without physically touching every system on their networks. Yes, there are IIS admins out there who are jackasses, but there are plenty of overworked sysadmins out there who'd love to properly secure IIS, if only it weren't damn near impossible.

  • by ENOENT ( 25325 ) on Wednesday October 03, 2001 @05:11PM (#2385612) Homepage Journal
    This whole IIS thing is only a Microsoft problem by coincidence. Any piece of software can have security holes, so the key to reducing their effect is timely application of patches. That appears to be the main thrust of MS's "securing IIS" effort.

    Unfortunately, almost nobody makes it easy to get security patches. Debian does the best job, from an admin's point-of-view--just "apt-get update && apt-get upgrade" when there's a security announcement, and you can even put this into a cron job. MS doesn't do too badly, with "Windows Update". Solaris stinks--Sun seems to go out of their way to hide security patches from visitors to their website. I don't have much experience with other platforms--there may be better systems than Debian's, but I haven't seen them.

  • Re:What is this? (Score:5, Informative)

    by Tackhead ( 54550 ) on Wednesday October 03, 2001 @05:18PM (#2385653)
    > "It looks like Microsoft may be trying to do the right thing from a security standpoint"

    In other news today, Satan said to be interested in joining US Figure Skating Team. "Yes, this is a serious bid; we've already started training now!", said the Dark One, executing a perfect double axel over what was once the Ninth Plane of Hell.

  • by allism ( 457899 ) on Wednesday October 03, 2001 @05:39PM (#2385774) Journal
    This [cnet.com] is the article to which you are referring, I think
  • by Maserati ( 8679 ) on Wednesday October 03, 2001 @05:55PM (#2385849) Homepage Journal
    If you do that, you run a (small but real) risk of a versioning problem with DLLs touched by more than one hotfix. This can result in early patches being overwritten by later patches, which leads to live vulnerabilities on machines you thought were secure.

    In the spirit of hfnetchk.exe [microsoft.com] there is now a tool to apply multiple hotfixes without rebooting, qchain.exe [microsoft.com].

    To use this, you write a .bat file to apply the hotfixes from the command line with the "no reboot" switch. Then qchain.exe does the cleanup and ensures that the right files end up installed before rebooting once.

    Or at least that's the theory. The hotfixes I was working with didn't all honor the "no reboot" switch. I don't have the list handy (I've since been laid off and don't have access to the network directory with the .bat file I was working on), but I had a roughly 40% fail rate. Your mileage may vary.

    The really keen thing to do, for desktops anyway, is to use hfnetchk to identify machines needing hotfixes, a script to customize the .bat file for qchain.exe, and SMS to push the file into a login profile managed by Active Directory. This wouldn't be too great for servers, since you don't want random reboots, but much of the deployment can be automated - just keep the reboots within your existing maintenance schedule. For bonus points, have every patch logged to your maintenance log (you do keep one, right?).
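The versioning problem Maserati describes, worked through as an added example. This is editor-added Python, not the poster's .bat file and not what qchain.exe itself runs; the hotfix IDs, file names and version numbers are constructed for the example and correspond to no real Microsoft hotfix. It applies the same set of hotfixes in the same order twice: once with plain last-write-wins installs, which is what chaining hotfixes without qchain risks, and once keeping the highest version of every file, which is the rule qchain enforces before the single reboot. It then reports which hotfixes end up only partially installed, the "live vulnerabilities on machines you thought were secure" case.

```python
# Editor-added example: simulates the DLL version regression that can occur
# when several hotfixes touching the same files are chained before one reboot.
# Hotfix IDs, file names and version numbers below are constructed and do not
# correspond to any real Microsoft hotfix.


def parse_version(text):
    """'5.0.2195.3100' -> (5, 0, 2195, 3100); tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Versions already on the box before any hotfix is applied (constructed).
BASELINE = {
    "kernel32.dll": "5.0.2195.2000",
    "msvcrt.dll": "6.1.8637.0",
}

# What each constructed hotfix ships.  HF-A and HF-B both carry kernel32.dll;
# HF-A and HF-C both carry msvcrt.dll, so the order they run in matters.
HOTFIXES = {
    "HF-A": {"kernel32.dll": "5.0.2195.3000", "msvcrt.dll": "6.1.9359.0"},
    "HF-B": {"kernel32.dll": "5.0.2195.3100"},
    "HF-C": {"ntdll.dll": "5.0.2195.2900", "msvcrt.dll": "6.1.9000.0"},
}


def apply_in_order(order, keep_newest):
    """Apply hotfixes in the given order and return (installed, downgrades).

    installed  : file name -> version tuple after the whole chain.
    downgrades : (file, hotfix, version_before, version_shipped) for every
                 point where a hotfix shipped an older file than the one
                 already staged.
    keep_newest=False is last-write-wins: the older file overwrites the newer.
    keep_newest=True models the qchain rule of keeping the highest version of
    each file regardless of the order the hotfixes ran in.
    """
    installed = {name: parse_version(v) for name, v in BASELINE.items()}
    downgrades = []
    for hotfix in order:
        for name, text in HOTFIXES[hotfix].items():
            shipped = parse_version(text)
            current = installed.get(name)
            if current is not None and shipped < current:
                downgrades.append((name, hotfix, current, shipped))
                if keep_newest:
                    continue  # a newer file is already staged; leave it alone
            installed[name] = shipped
    return installed, downgrades


def incompletely_applied(installed):
    """Hotfixes whose shipped files are not all present at or above the
    shipped version: fixes an admin would believe are installed, but which a
    later hotfix carrying an older build has silently undone."""
    missing = []
    for hotfix in sorted(HOTFIXES):
        for name, text in HOTFIXES[hotfix].items():
            if installed.get(name, (0,)) < parse_version(text):
                missing.append(hotfix)
                break
    return missing


if __name__ == "__main__":
    order = ["HF-B", "HF-A", "HF-C"]
    for keep_newest in (False, True):
        installed, downgrades = apply_in_order(order, keep_newest)
        print("keep_newest=%s" % keep_newest)
        for name in sorted(installed):
            print("  %-14s %s" % (name, ".".join(map(str, installed[name]))))
        print("  downgrades:", [(f, h) for f, h, _, _ in downgrades])
        print("  not fully applied:", incompletely_applied(installed))
```

With the order HF-B, HF-A, HF-C the last-write-wins run leaves kernel32.dll at build 3000 after HF-B had staged 3100 and msvcrt.dll at 9000 after HF-A had staged 9359, so HF-A and HF-B both show as not fully applied even though every installer reported success. The keep-newest run ends with the highest build of each file and nothing missing. The real qchain.exe does this bookkeeping against the file replacements the hotfix installers leave pending for the reboot; the dictionary here stands in for that.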

  • Re:IIS Secure? (Score:1, Informative)

    by Anonymous Coward on Wednesday October 03, 2001 @06:07PM (#2385909)
    "Securing IIS is not nearly the brain surgery that some people make it out to be."

    Part of this is that there's very little good, common sense documentation about performing basic security config changes in IIS.

    You go to Microsoft's site, for example, and you either find long diatribes about "C2 certified" and ACLs and policies and planning, or you find some document which hides the forest from the trees by talking about removing the posix subsystem and moving xcopy to a different location and so on.

    There's no document (that I've seen) that says in plain language "Firewall X, Turn off Y+Z, Subscribe to the mailing list and patch patch patch." -- which isn't complete but would obviate much of the real world problem.
  • Re:IIS 6.0 (Score:4, Informative)

    by rabtech ( 223758 ) on Wednesday October 03, 2001 @06:31PM (#2386014) Homepage
    The new HTTP.SYS driver runs in kernel-space, and can respond to static content requests with very little processing or overhead, pulling the data directly from the cache.

    Assuming that HTTP.SYS can't handle it, the request is passed on to a user-space process.

    There is a lot more to it than just that. Much of the core code has been rewritten, and is buffer-checked among other things.
  • IIS 6 (Score:3, Informative)

    by alanjstr ( 131045 ) on Wednesday October 03, 2001 @07:07PM (#2386143) Homepage
    IIS 6 will have been through their Prefix program. Installing it will also have a wizard which will ask you what services you want.

    Interview about the "Secure Windows Initiative" [computerworld.com]

  • Re:IIS Secure? (Score:2, Informative)

    by Caspuh ( 105645 ) on Wednesday October 03, 2001 @07:23PM (#2386211)
    This [microsoft.com] may be what you are looking for.
  • by r2ravens ( 22773 ) on Wednesday October 03, 2001 @08:24PM (#2386417)
    I manage lots of workstations and several servers in a state agency. We use Dameware [dameware.com] for remote information collection and control.

    In the past we used SMS but it was waaay too slow, especially across some of our 56k lines. Dameware is a wonderful product. There may be some way to script its use as well. I was provided with the product by the department, so I don't know what the licensing issues are, but it looks like it's around $200.00 or less for download and is available for a 30 day free trial.

    I really endorse this product. Hope the info helps.

  • by McSpew ( 316871 ) on Wednesday October 03, 2001 @09:23PM (#2386543)

    The problem is that parent paths aren't automatically blocked from going any higher than \InetPub\Webroot, which to me is a huge security hole. Yes, properly-secured NTFS ACLs on the filesystem will prevent any real damage from occurring, but NT and Win2k default to EVERYONE|Full Control on all filesystems, both at the NTFS ACL level and at the share level.

    Look, if it were possible to just fix your server once and then not have to go back and fix the same flaw again (and again and again...), more NT systems would be properly patched, but Microsoft seems to have gone out of its way to hose NT 4.0 customers. Win2k does finally let you patch your install folders with updates from the service packs, but NT doesn't let you do that, and there's no good reason for that. Any time you add or remove a service in NT, you end up putting the install CD in. The second you do that, you have to re-run your service pack and reapply all of your hotfixes.

    IIS 4.0 is the current version of IIS for NT 4.0. Let's say you decide you want to build an Outlook Web Access server for your organization and your company hasn't moved to Win2k Server yet, so you use NT 4.0. How do you get IIS 4.0 on that server? You use the Microsoft Option Pack 1 for NT 4.0. Guess what? That thing installs an insecure version of MDAC, an unpatched version of IIS and a host of other crap you may or may not want (such as the MS transaction server and indexing). All of it is incredibly old and almost all of it has to be patched and repatched the second you install it.

    So, here's how you build your server: You install NT 4.0 and apply the latest service pack (SP6a because SP6 had heinous bugs). You install IE 4.0 or newer. Then, if you're smart, you install a version of MDAC (2.5 or newer) that sets proper registry security and is reasonably recent and free of its own security holes. Then you install the Option Pack so you can have IIS 4.0 and which insists on trying to install MDAC 1.5--be sure to deselect RDS because that's a huge security hole that Russian hackers use to steal credit card numbers. Now, you're ready to install Outlook Web Access. Think you're finished? Ha! Not even close. Next, you run HFNETCHK to find the enormous list of hotfixes you've got to download and apply. Each hotfix is in a different place on Microsoft's website, and there isn't a convenient tool you can use to just go and download the patches you need and store them in conveniently-labeled folders. Then, you download QCHAIN so you can apply those patches without having to reboot after each one. If you're smart, you'll use WindowsUpdate and MPSA to make sure you're not missing anything.

    By the time you've finished with this minimum effort, you've spent no less than four or five hours just installing NT, IIS and the hotfixes, not to mention the hour or two it takes to install and configure OWA. Now, at this point, all you have is a product that's reasonably free of serious buffer overflow security flaws. You still don't have a product that's actually remotely secure. Now, you have to go and fix all of MS's idiotically optimistic NTFS permissions and find and disable any unnecessary services. Maybe you run MS's IIS Lockdown tool, which removes the IISamples folder and a few other obvious things.

    By now, you've probably spent at least 8-12 hours building this server, patching the holes and fixing the default security settings.

    So, you've patched the living hell out of the server and it's ready to go. You're immune to attacks, right? Almost certainly not. New holes are found in IIS every week and keeping on top of them is a huge job even if you have no other job responsibilities. Add to that the fact that any time somebody adds or removes a service from NT, you have to reapply the latest service pack and all the hotfixes (in order) and then reboot, and you've got yourself a nightmare.

    Let me be clear.

    There are enormous numbers of jackasses running IIS who can't figure out how to toast bread. However, there are plenty of overworked sysadmins who're only trying to keep their damn networks running who find it nearly impossible to keep their IIS servers patched and locked down because Microsoft makes it so damn difficult.

    Yes, matters get a little better when you're running Windows 2k server, but things don't turn into a panacea just because you can patch your install media and some hotfixes don't require reboots. Microsoft still releases at least two or three patches for Win2k and/or IIS every month (sometimes they release that many in a week). They still automatically set file and share privileges too optimistically. They still install dozens of unnecessary services by default. They still force you to have unnecessary applications installed by default that you can't remove without pliers and a blowtorch (OutlookExpress). In short, they still don't take security maintenance seriously and until they do, it'll be tough for even conscientious admins to keep up. Newbies, idiots and lazy bastards won't have a hope.
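The parent-path hole McSpew describes, as an added example. This is editor-added Python, not IIS's own path mapping and not code from the comment; the web root is a constructed POSIX-style stand-in for \InetPub\wwwroot so that it runs on any platform, and the request strings are constructed test inputs. map_path() shows both behaviours: with allow_parent_paths=True a request containing ".." is resolved wherever it leads, which is what leaves only the NTFS ACLs between a request and the rest of the disk; with allow_parent_paths=False the resolved path is compared against the root after decoding and normalisation and refused if it has escaped. The check runs after decoding twice and after folding backslashes, so encoded or backslash-separated forms of ".." cannot slip past it, while a ".." that stays inside the root is still allowed.

```python
# Editor-added example: a root-containment check for URL paths, the control
# the comment says had to be turned on by hand.  Paths are POSIX-style and
# the web root is constructed so the example runs on any platform.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # constructed stand-in for \InetPub\wwwroot


def canonicalize(request_path):
    """Decode and normalise a URL path before it is compared to the root.

    Decoding runs twice so a double-encoded separator such as %255c does not
    survive a single pass; backslashes are folded to '/' because Windows file
    APIs accept either.  A NUL is refused outright: C-string file APIs stop
    at it, so 'file.asp%00.txt' would be checked as one name and opened as
    another.  Returns the path relative to the root, or None if refused.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    return decoded.lstrip("/")


def map_path(web_root, request_path, allow_parent_paths):
    """Return the filesystem path for request_path, or None if refused.

    allow_parent_paths=True follows '..' wherever it leads, the behaviour
    the comment objects to.  allow_parent_paths=False refuses any request
    whose resolved path is not web_root itself or a descendant of it.
    """
    relative = canonicalize(request_path)
    if relative is None:
        return None
    root = posixpath.normpath(web_root)
    resolved = posixpath.normpath(posixpath.join(root, relative))
    inside = resolved == root or resolved.startswith(root + "/")
    if inside or allow_parent_paths:
        return resolved
    return None


# Constructed requests: one plain, one legitimate use of '..' that stays
# inside the root, two traversal attempts in different encodings, and a NUL.
REQUESTS = [
    "/default.asp",
    "/images/../default.asp",
    "/../../winnt/repair/sam",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "/default.asp%00.txt",
]


def audit(requests=REQUESTS, web_root=WEB_ROOT):
    """For each request, what the permissive and the checked mapping return."""
    return {
        req: (map_path(web_root, req, True), map_path(web_root, req, False))
        for req in requests
    }


if __name__ == "__main__":
    for req, (permissive, checked) in audit().items():
        print("%-48s parent paths on: %-34s off: %s" % (req, permissive, checked))
```

The double-encoded request is the one to watch: a server that compares the raw URL against the root sees no ".." at all, but after two rounds of decoding and separator folding it resolves to /inetpub/winnt/system32/cmd.exe, two levels above the root. Doing the containment test on the fully resolved path rather than on the text of the request is what makes the check hold regardless of encoding.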

  • Re:Bingo! (Score:4, Informative)

    by rabtech ( 223758 ) on Wednesday October 03, 2001 @09:43PM (#2386585) Homepage
    In the next version of IIS6, there will be a kernel HTTP driver that can respond to static requests by serving directly from the cache. The input code has been rewritten, and is buffer checked among other things. HTTP doesn't do any processing at all... it just sees if the incoming URL matches a file already listed in the cache. If not, the request is bumped to user-space.

    Secondly, each website under IIS6 can run as a different user. So if you host 10 websites, each one can run as a separate user account, each with different security permissions.

    Lastly, yes 2000 gives you better file security out of the box. There are still some things that should be fine-tuned, but definitely not Full:Everyone.

    With the .NET Server betas, they seem to be getting more fine-grained on that stuff.
  • Re:Devils Advocate (Score:2, Informative)

    by compugeek007 ( 464717 ) on Wednesday October 03, 2001 @09:48PM (#2386608)
    Sybase runs on both - currently clients cannot save files locally and print locally on Unix implementation, this is a kind of a big deal. Trust me, I had envisioned Sybase on two of my Sun 450's :(

    You got me on Peoplesoft - my implementation is version 7.3 and they did not have implementation for non IIS at that time. --MY BAD--

    As for J2EE, every company is focusing on it, more significantly than these two listed; Oracle is moving towards full Java implementation as well (using JDBC instead of ODBC, Java implementation of SQLNet, and Java as stored procedures.) With J2EE I would think that the playing field will be evened to a great extent in the future as Java improves and its functionality allows application implementation to be truly platform independent and provide browser clients all of the same functions (print, save, blah) that the bastardized MS J+ libraries or ActiveX can now bring to a Microsoft desktop and browser.

    Also remember the evil strategists at Microsoft will play the "We can just make Internet Explorer 7 work better with our new .net Java library than the standard J2EE library."
  • NT can't drop privs. (Score:3, Informative)

    by throx ( 42621 ) on Wednesday October 03, 2001 @10:21PM (#2386746) Homepage
    The real problem isn't that the service starts as LocalSystem - even Apache starts off as root (it has to when it binds to port 80). What makes things so difficult under NT is there is no effective way to permanently and irrevocably drop privileges from a process while maintaining the ability to 'su' to another user if someone presents a username/password pair.

    Even when IIS is running as a 'nobody' user, unless you have explicitly configured your script/application to run in a separate process then you'll find that a simple 'RevertToSelf()' call will grant you back all the privs that were dropped. On the flip side, without being LocalSystem you can't call 'LogonUser()' or 'CreateProcessAsUser()' from a username/password pair so you end up with catch 22.

    If I'm wrong, please shoot me down in flames...
  • by Thalinor ( 4731 ) on Thursday October 04, 2001 @06:48AM (#2387599) Homepage
    Of course I know the /. crowd wants to remain clueless and would never acknowledge that MS is doing something good. It would spoil their immature bashing fun.

    Here's to hoping that there are some folks left at /. that actually have a clue about these issues.

    The following comment was posted by MS employee Joshua Allen at his weblog [netcrucible.com]

    The IIS Plan - This interview with Brian Valentine [microsoft.com] sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is "When we look back in a few years, we will see this as one of the critical inflection points in our company's growth."

    Here are my notes, detailing the parts of the plan I found interesting:

    Two initiatives for customers:
    Get Secure:

    • All virus-related PSS calls for all customers (not just enterprise) are now free. 1-866-PC-SAFETY.
    • Premiere Support and Microsoft's Consulting Service as of today are offering a Security Assessment Service for large enterprises; this service may be for fee (at discretion of local offices), but will not be profit-driven, and will eat significant costs where customer situation warrants).
    • Regularly updated Security Toolkit will be distributed. Each will include all known patches and tools, and a one-click "make my system secure." First toolkit mailed and web-distributed on October 15. As of tomorrow, the tools should be available to MS Employees to hand out to customers. All of the tools are fully supported, and are made to run on NT4, Windows 2000, and Windows XP. This is not "resource kit" or loose collection of unsupported tools. Localized versions come later, since getting tools available quickly is top priority.
    • New set of additional security tools will RTM in December.
    • Toolkit will not be perfect starting Oct. 14; will make continual improvements based on feedback.

    Stay Secure:
    • Mid 2002 availability of federated Windows Update for enterprises. This lets enterprises run their own windows update service under their own control.
    • Feb 2002, Provide version of windows update that can be configured to accept and install updates with zero user intervention.
    • Make security bulletins simpler and integrated with update technology so an IT administrator can simply approve a security patch and have it automatically be pushed to the whole enterprise.
    • Security patches will now contain absolute minimum fix; no QFE, etc. stuff lumped in.

    Internal Efforts (Not Customer-Facing):

    • (Historically) Windows 2000: Hired a bunch of people to do penetration analysis and code analysis, and placed unprotected servers on the net to let hackers attempt cracking it. Built and used automated code analysis tools to detect some common security bugs.
    • Windows XP: Code analysis tools have been improved to detect many more types of security bugs, and continued increases in investment in security analysis.
    • Currently BrianV organizing a full pass review of how security is handled in all groups to look for deficiencies.

    Public:

    • BrianV con-called with 1000+ CIOs and other IT people to get feedback and comment; has handed out his e-mail to everyone.
    • Any customer should be able to call that phone number above (or contact any Microsoft employee) and get the one-click "make my system secure" tool kit for no charge.
    • BrianV will be point-person working with competitors, government agencies, etc. on industry-wide solutions. "We think that some of these problems require industry-wide solutions, but we realize that it is incumbent upon us to drive solutions". Brian will take a more visible role in driving these solutions.

    So the way I see it, we will be successful to the degree that we:

    • Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
    • Improve security going out the door so that fewer patches are required (IMO, this wouldn't have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
    • Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.
    And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too.
