Microsoft

Microsoft Attempts to Secure IIS

billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

  • by sting3r ( 519844 ) on Wednesday October 03, 2001 @04:40PM (#2385436) Homepage
    The root of IIS's troubles is not exploitability of particular services. It is the fact that much of the IIS server code runs as SYSTEM, which is the same as "root" under UNIX - an all-powerful user. Years ago, the developers of NCSA httpd and Apache learned to make their products usable by non-root users. Currently, Apache only needs root privileges to bind to port 80 - then it completely relinquishes them. That is the way it should be and that would make 0wning an IIS box many times more difficult - because using an "ordinary user" account to get SYSTEM access on NT is a lot more difficult than on UNIX because NT doesn't have setuid bits.

    Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.

    -sting3r

  • by evenprime ( 324363 ) on Wednesday October 03, 2001 @04:49PM (#2385480) Homepage Journal
    If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.

    It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.

  • by Archfeld ( 6757 ) <treboreel@live.com> on Wednesday October 03, 2001 @04:56PM (#2385504) Journal
    With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms, and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???
  • by sheldon ( 2322 ) on Wednesday October 03, 2001 @05:01PM (#2385542)
    They most certainly don't have a history of being pro-Microsoft. All their TCO stuff is directed at proving desktops are really expensive and we should all go back to big iron.

    Gartner recommends whatever its clients pay it to recommend.
  • by chrysalis ( 50680 ) on Wednesday October 03, 2001 @05:26PM (#2385688) Homepage
    By intending to secure IIS, Microsoft is doing the right thing. Unix freaks are laughing at Microsoft freaks because of code red & co. But the point is that flaws in any system are bad for the whole internet. People don't trust internet any more, they don't want to give their credit card number any more, etc. When every host on the internet will be pretty secure, e-commerce may do a real come-back.
    The problem with this announcement is that Microsoft will start from the existing IIS product and try to secure it.
    Securing something that wasn't initially coded with security in mind is very tricky. Flaws always pass on.
    Have a look at bind or sendmail. They are very old servers. They are widely used. Many companies and individual people hardly audited the code. So what? A new flaw was still discovered in sendmail last week, and bind always was one of the favorite toys for kiddies.
    On the other hand, software like djbdns and postfix were started later. They were started from scratch with the knowledge of all common security flaws their ancestor had. The result is that they are very secure. More than old software that was audited by hundreds of skilled people.
    So while Microsoft's initiative is in the right direction, they won't get a secure product in any case. Just because they didn't rewrite it from scratch.

  • by corky6921 ( 240602 ) on Wednesday October 03, 2001 @05:28PM (#2385711) Homepage

    Personally, I would think that rewriting from scratch would make IIS more dangerous. At least Microsoft is plugging the security holes. I would think that rewriting it from scratch might cause more new exploits, whereas fixing the old version makes it more secure with every revision.

    This article, on the other hand, shows that Microsoft is trying hard to actually make its product better, instead of just saying "Here it is. New version. Use it or be forever left behind..." like they did with Office XP. I think this goes to show what a company in a non-monopoly position will do to succeed. (No one has a monopoly in web servers, and Microsoft isn't even the leader...)

    This is a good thing, and it's the right choice for Microsoft. Please don't call for a rewrite, or in two years we'll all be complaining about the root exploits discovered in the new IIS...

  • by Grendel Drago ( 41496 ) on Wednesday October 03, 2001 @05:29PM (#2385721) Homepage
    "You are running Outlook 97 or Outlook 98. You should consider upgrading to the latest version of Outlook to ensure you have the most recent product and security enhancements."

    Hmm. Is this telling me that there are no patches available, and my only choice is to pay cash money and upgrade to Outlook 2000?

    Yeah, it provides useful information, but it still feels like they're trying to shaft me.

    -grendel drago
  • by Jayde Stargunner ( 207280 ) on Wednesday October 03, 2001 @05:40PM (#2385777)
    While I easily see your point, it doesn't solve the fact that most IIS admins are complete morons for leaving the systems unpatched to this point.

    My point about Windows Update is that ALL of these recent high-profile attacks have had Windows Update patches for MONTHS. Service Pack 2 blocks almost all of them as well.

    I have seen entire tech departments that were knocked out by Code Red. Then Code Red II. Then Nimda. Yet, as a "casual" IIS user, I was never hit AT ALL. These patches have been obviously available for MONTHS. And even after Code Red, IIS admins STILL couldn't figure out to patch a hole that has about 4 OBVIOUS places to get the patch from. Let's review.

    1) Windows Update
    2) Service Pack 2
    3) MPSA
    4) Any of the virus scanner's homepages which linked to patches after Code Red, Code Red II, and Nimda.

    If IIS admins can't even patch the obvious stuff like that, there is really little hope.

    As you say "Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated."...they are the PROBLEM, not Microsoft. HFNETCHK is easily available, and if Linux users are too lazy to learn how to admin the system that they're PAID to admin, they deserve what they get. I don't care if you don't like Windows, if it's YOUR JOB to be an IIS admin, you sure as heck better learn how to do it RIGHT.

    I'm sure modders are gonna hate me for saying that, but I don't care at all if you don't like the system. If it's your job, it's your job. I hate Oracle, but that doesn't mean I don't use it *right* when I have to. Is it my first choice? No. Am I gonna be a slack-ass about it just because of sour grapes if I have to use it? No.

    -Jayde

    P.S. Disabling Parent Paths is not a big deal if you secure the rest of your system. In fact, I doubt you would find any professional IIS web server which has Parent Paths disabled, as it has terrible effects on most ASP code. It's stupid for server-side code to be forced to code paths based on the root "./" instead of relative paths "../" as server directory structure could easily change at any time.
  • by dillon_rinker ( 17944 ) on Wednesday October 03, 2001 @05:48PM (#2385818) Homepage
    I would think that rewriting it from scratch might cause more new exploits
    Yes. That's why sendmail and bind are the paragons of security they are today. From-scratch attempts to replace them are riddled with holes that make IIS look like a pinprick.
  • Re:Uh oh! (Score:2, Insightful)

    by Fly ( 18255 ) on Wednesday October 03, 2001 @05:53PM (#2385837) Homepage
    Blah, blah. What doofus moderated the above post as "Interesting?" It might be classified as "Funny," "Flamebait," or "Troll" correctly, but certainly not "Interesting." BAH! A post having no content does not sound "Interesting" to me!

    For future posts replace foo, bar, and baz to ridicule your group of choice:

    "If you've run across half the foo I have in my career, you'd see that bar of them are complete baz."

    For those needing help. This post is "Flamebait."

    --
    end of line

  • The Blame Game (Score:5, Insightful)

    by matty ( 3385 ) on Wednesday October 03, 2001 @06:07PM (#2385905) Homepage
    When a (h)(cr)acker writes a virus/worm that cracks into servers and provides root access without actually doing any damage, what they are doing is letting the world know how easy it is to do so.

    Bear in mind that there are lots of folks out there (thieves, terrorists, enemy governments) who would (and presumably do) break into servers and steal credit card numbers and/or sensitive corporate/government info, without telling anyone!!

    If the "virus authors" weren't constantly exploiting these simple security holes, the greater public would never know they were there, because the real "bad guys" always try to go unnoticed.
  • MCSE requirements (Score:3, Insightful)

    by dillon_rinker ( 17944 ) on Wednesday October 03, 2001 @06:18PM (#2385956) Homepage
    The article hints at this, but I think that Microsoft needs to not only secure their default install for future products but make security part of their MCSE core training/testing requirements. I think they need to make a separate MCSE core test that focuses on security.
  • by JediTrainer ( 314273 ) on Wednesday October 03, 2001 @06:40PM (#2386048)
    I have just released my tool which can be used to generate reports about these worms by examining your Apache logs. Very configurable, lots of options, written in Java, released under the GPL.

    Please check it out at http://www.websoup.net/wormscan/ [websoup.net]. I'm looking forward to some feedback.
  • Re:Uh oh! (Score:3, Insightful)

    by tshak ( 173364 ) on Wednesday October 03, 2001 @06:52PM (#2386099) Homepage
    How about with this, an increase in the Microsoft Certification program?

    Actually, the Microsoft Certification program for 2000 is quite impressive (disclaimer: I don't have one or plan on getting one). The problem is an MCSE can not be looked at exclusively. It just says that you (potentially) have a good understanding about Windows Servers and architectures. What it doesn't do is give somebody the equivalent of a few years of solid experience. That's the real issue here, experienced vs. inexperienced (but certified) admins.
  • by tshak ( 173364 ) on Wednesday October 03, 2001 @06:56PM (#2386108) Homepage
    Well, they're just repeating the Gartner report. Many of us closer to the issue agree that what needs a complete rewrite is ISAPI.DLL. This is not nearly as big of a task as rewriting IIS!
  • by andymac ( 82298 ) on Wednesday October 03, 2001 @07:05PM (#2386131) Homepage
    I don't work for MS, but have seen their testing and QA processes and people.
    1. They do test. They have one experienced tester for every developer.
    2. They also do fairly good test planning and automation. Lots of visibility into how they test. They are far better than most other test departments out there.
    3. They fix a huge amount of defects in all of their products.
    4. They do not fix all defects found.

    Now, they may not make the most defect-free software (that phrase is so not even grammatically correct, but phuk it), but they make "Good Enough" software (most times they do, there have been exceptions, like PowerPoint 98 for the Mac, don't even get me started!) - software that is good enough for the majority of users/majority of the market.

    It's a case of limited returns. They could spend a lot more effort to try and track down (nearly) all the bugs, and fix (nearly) all of them, but the software would be another year late, and have cost them another year of n number of full-time people working on the product, with little to no real improvement for the end user.

    Since most users wouldn't notice the difference, why on earth should they spend the extra time and money? If users will buy Office XP and live with it, defects and all, why should they spend the extra time and effort for nearly negligible results?

    Now in the case of IIS, there's a lot of rhetoric about "ooh, the sysadmins should be doing their jobs", "MS should be sued", "MS should rewrite/opensource IIS", "Switch to Apache"... yadda yadda yadda. Some people use this software for company critical operations. That's their choice. Simple case is: if you use the tool, you should understand how to use it correctly.

    Remember teaching your Mom how to use Word? or Outlook? Remember when she really screwed something up and couldn't find that recipe she sent Martha Stewart? After you rolled your eyes and sat down at the keyboard, you fixed the problem. Why? How? Are you a genius? No. You are a sophisticated, experienced user. Mom isn't. IMHO the same logic applies. If you are going to use the tool, understand how to use it correctly. Otherwise stop bitching and moaning about it.

    I feel better now.

  • Exactly my point (Score:3, Insightful)

    by mangu ( 126918 ) on Wednesday October 03, 2001 @08:07PM (#2386373)
    ...stop proliferating security holes by your own laziness


    A company whose main selling point is ease of use is bound to attract lazy people to manage its products. If the average Windows 2000 sysadmin is lazy and careless, while the average Unix sysadmin is careful and meticulous, whose fault is it?


    As I mentioned, fixing the blame will not solve the problem. From an outsider point of view, the whole company is a black box. The customer doesn't know and doesn't care if the sysadmin is doing his job. All the customer sees is results. So, when managers hire people, they shouldn't just consider that Windows administrators can be hired for less than Unix administrators; they should think about the overall result: will a system composed by hardware+software+people work better with a Windows or with a Unix software component?

  • Re:Some facts (Score:3, Insightful)

    by throx ( 42621 ) on Thursday October 04, 2001 @03:00AM (#2387363) Homepage
    Hold on, I'm confused now:
    - Only LocalSystem can impersonate another user.
    - LocalSystem process needs to know the password of the user to impersonate
    - But: LocalSystem can also set the password!
    So what's the point of having a password in the first place?


    The only reason is there is an underlying "philosophy" in the NT security architecture that to log in as a user you must either know the password or destroy the existing password (thus theoretically alerting the user). It should be noted that LocalSystem can only set the password for accounts with their security information located on the local machine (so you have to get LocalSecurity on a domain controller to tinker with domain user passwords).

    The shame of it all is that LocalSystem has enough access power to read the hashes out of the registry/Active Directory, set the password, login and replace the hashes with the old ones while covering up the audit trail.

    I would be far more enthusiastic about NT security if they created a new privilege (at least that much is obviously extensible) which allowed a user to effectively call setuid() with no password. The priv need not be given to anyone but LocalSystem by default and it would clean up a lot of the messy stuff you have to do to get around the obstacles in the design (which in turn opens the door for bugs and security problems).

    I wonder if anyone from Microsoft is reading this?

    [I'm assuming you weren't questioning the point of passwords in general, just the fact that LocalSystem needed them to login as another user]
