Microsoft Attempts to Secure IIS 392
billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
A problem of "least privilege" (Score:5, Insightful)
Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.
-sting3r
it will never be accepted (Score:4, Insightful)
It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.
Like they had any choice ? (Score:4, Insightful)
Gartner has never been Pro-Microsoft (Score:4, Insightful)
Gartner recommends whatever it's clients pay it to recommend.
Old products vs new from-scratch products (Score:3, Insightful)
The problem with this annouce is that Microsoft will start from the existing IIS product and try to secure it.
Securing something that wasn't initially coded with security in mind is very tricky. Flaws always pass on.
Have a look at bind or sendmail. They are very old servers. They are widely used. Many companies and individual people hardly audited the code. So what? A new flaw was still discovered in sendmail last week, and bind always was one of the favorite toy for kiddies.
On the other hand, software like djbdns and postfix were started later. They were started from scratch with the knowledge of all common security flaws their ancestor had. The result is that they are very secure. More than old software that was audited by hundreds of skilled people.
So while Microsoft's initiative is in the right direction, they won't get a secure product in any case. Just because they didn't rewrite it from scratch.
Re:this is a good first step, but.. (Score:5, Insightful)
Personally, I would think that rewriting from scratch would make IIS more dangerous. At least Microsoft is plugging the security holes. I would think that rewriting it from scratch might cause more new exploits, whereas fixing the old version makes it more secure with every revision.
This article, on the other hand, shows that Microsoft is trying hard to actually make its product better, instead of just saying "Here it is. New version. Use it or be forever left behind..." like they did with Office XP. I think this goes to show what a company in a non-monopoly position will do to succeed. (No one has a monopoly in web servers, and Microsoft isn't even the leader...)
This is a good thing, and it's the right choice for Microsoft. Please don't call for a rewrite, or in two years we'll all be complaining about the root exploits discovered in the new IIS...
Heh, relying on MS not to shill you? (Score:5, Insightful)
Hmm. Is this telling me that there are no patches available, and my only choice is to pay cash money and upgrade to Outlook 2000?
Yeah, it provides useful information, but it still feels like they're trying to shaft me.
-grendel drago
Re:Heh, relying on IIS admins? (Score:5, Insightful)
My point about Windows Update is that ALL of these recent high-prifile attacks have had Windows Update patches for MONTHS. Service Pack 2 blocks almost all of them as well.
I have seen entire tech department that were knocked out by Code Red. Then Code Red II. Then Nimda. Yet, as a "casual" IIS user, I was never hit AT ALL. These patches have been obviously available for MONTHS. And even after Code Red, IIS admins STILL couldn't figure out to patch a hole that has about 4 OBVIOUS places to get the patch from. Let's review.
1) Windows Update
2) Service Pack 2
3) MPSA
4) Any of the virus scanner's homepages which linked to patches after Code Red, Code Red II, and Nimda.
If IIS admins can't even patch the obvious stuff like that, there is really little hope.
As you say "Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated."...they are the PROBLEM, not Microsoft. HFNETCHK is easily available, and if Linux users are too lazy to learn how to admin the system that they're PAID to admin, they deserve what they get. I don't care if you don't like Windows, if it's YOUR JOB to be a IIS admin, you sure as heck better learn how to do it RIGHT.
I'm sure modders are gonna hate me for saying that, but I don't care at all if you don't like the system. If it's your job, it's your job. I hate Oracle, but that doesn't mean I don't use it *right* when I have to. Is it my first choice? No. Am I gonna be a slack-ass about it just because of sour grapes if I have to you it? No.
-Jayde
P.S. Disabling Parent Paths is not a big deal if you secure the rest of you system. In fact, I doubt you would find any professional IIS web server which has Parent Paths disabled, as it has terrible effects on most ASP code. It's stupid for server-side code to be forced to code paths based on the root "./" instead of relitive paths "../" as server directory structure could easily change at any time.
Re:this is a good first step, but.. (Score:5, Insightful)
Yes. That's why sendmail and bind are the paragons of security they are today. From-scratch attempts to replace them are riddled with holes that make IIS look like a pinprick.
Re:Uh oh! (Score:2, Insightful)
For future posts replace foo, bar, and baz to ridcicule your group of choice:
"If you've run across half the foo I have in my carreer, you'd see that bar of them are complete baz."
For those needing help. This post is "Flamebait."
--
end of line
The Blame Game (Score:5, Insightful)
Bear in mind that there are lots of folks out there (thieves, terrorists, enemy governments) who would (and presumably do) break into servers and steal credit card numbers and/or sensitive corporate/government info, without telling anyone!!
If the "virus authors" weren't constantly exploiting these simple security holes, the greater public would never know they were there, because the real "bad guys" always try to go unnoticed.
MCSE requirements (Score:3, Insightful)
Re:Sounds good... [Blatant plug] (Score:4, Insightful)
Please check it out at http://www.websoup.net/wormscan/ [websoup.net]. I'm looking forward to some feedback.
Re:Uh oh! (Score:3, Insightful)
Actually, the Microsoft Certification program for 2000 is quite impressive (disclaimer: I don't have one or plan on getting one). The problem is an MCSE can not be looked at exclusively. It just says that you (potentially) have a good understanding about Windows Servers and architectures. What it doesn't do is give somebody the equivilent of a few years of solid experience. That's the real issue here, experienced vs. inexperienced (but certified) admins.
Re:this is a good first step, but.. (Score:4, Insightful)
Re:That's all great and everything, but... (Score:2, Insightful)
Now, they may not make the most defect-free software (that phrase is so not even grammatically correct, but phuk it), but they make "Good Enough" software (most times they do, there have been exceptions, like PowerPoint 98 for the Mac, don't even get me started!) - software that is good enough for the majority of users/majority of the market.
It's a case of limited returns. They could spend a lot more effort to try and track down (nearly) all the bugs, and fix (nearly) all of them, but the software would be another year late, and have cost them another year of n number of full-time people working on the product, with little to no real improvement for the end user.
Since most users wouldn't notice the difference, why on eath should they spend the extra time and money? If users will buy Office XP and live with it, defects and all, why should they spend the extra time and effort for nearly neglible results?
Now in the case of IIS, there's a lot of rhetoric about "ooh, the sysadmins should be doing their jobs", "MS should be sued", "MS should rewrite/opensource IIS", "Switch to Apache"... yadda yadda yadda. Some people use this software for company critical operations. That's their choice. Simple case is: if you use the tool, you should understand how to use it correctly.
Remember teaching your Mom how to use Word? or Outlook? Remember when she really screwed something up and couldn't find that recipe she sent Martha Stewart? After you rolled your eyes and sat down at the keyboard, you fixed the problem. Why? How? Are you a genius? No. You are a sophisticated, experienced user. Mom isn't. IMHO the same logic applies. If you are going to use the tool, understand how to use it correctly. Otherwise stop bitching and moaning about it.
I feel better now.
Exactly my point (Score:3, Insightful)
A company whose main selling point is ease of use is bound to attract lazy people to manage its products. If the average Windows 2000 sysadmin is lazy and careless, while the average Unix sysadmin is careful and meticulous, whose fault is it?
As I mentioned, fixing the blame will not solve the problem. From an outsider point of view, the whole company is a black box. The customer doesn't know and doesn't care if the sysadmin is doing his job. All the customer sees is results. So, when managers hire people, they shouldn't just consider that Windows administrators can be hired for less than Unix administrators; they should think about the overall result: will a system composed by hardware+software+people work better with a Windows or with a Unix software component?
Re:Some facts (Score:3, Insightful)
- Only LocalSystem can impersonate another user.
- LocalSystem process needs to know the password of the user to impersonate
- But: LocalSystem can also set the password!
So what's the point of having a password in the first place?
The only reason is there is an underlying "philosophy" in the NT security architecture that to log in as a user you must either know the password or destroy the existing password (thus theoretically alerting the user). It should be noted that LocalSystem can only set the password for accounts with their security information located on the local machine (so you have to get LocalSecurity on a domain controller to tinker with domain user passwords).
The shame of it all is that LocalSystem has enough access power to read the hashes out of the registry/Active Directory, set the password, login and replace the hashes with the old ones while covering up the audit trail.
I would be far more enthusiastic about NT security if they created a new privilege (at least that much is obviously extensible) which allowed a user to effectively call setuid() with no password. The priv need not be given to anyone but LocalSystem by default and it would clean up a lot of the messy stuff you have to do to get around the obstacles in the design (which in turns opens the door for bugs and security problems).
I wonder if anyone from Microsoft is reading this?
[I'm assuming you weren't questioning the point of passwords in general, just the fact that LocalSystem needed them to login as another user]