
Microsoft Attempts to Secure IIS

Posted by michael
from the taking-their-own-sweet-time dept.
billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

  • Power of Gartner (Score:4, Informative)

    by augustz (18082) on Wednesday October 03, 2001 @04:38PM (#2385421) Homepage
    Sounds like a good thing to me.

    Their marketing material pointing out holes in Apache mostly focused on Tomcat the java app server, PHP etc. But these don't come installed by default, whereas with IIS, you install just about everything by default.
  • Hmm... (Score:4, Funny)

    by Wakko Warner (324) on Wednesday October 03, 2001 @04:38PM (#2385425) Homepage Journal
    Apparently every copy of Windows XP/2000 is now shipping with a pair of scissors, to be used to "secure" the ethernet connection of IIS servers.

    - A.P.
  • by drodver (410899) on Wednesday October 03, 2001 @04:38PM (#2385426)
    because 78,417 Nimda hits are more than enough for me!
  • by sting3r (519844) on Wednesday October 03, 2001 @04:40PM (#2385436) Homepage
    The root of IIS's troubles is not exploitability of particular services. It is the fact that much of the IIS server code runs as SYSTEM, which is the same as "root" under UNIX - an all-powerful user. Years ago, the developers of NCSA httpd and Apache learned to make their products usable by non-root users. Currently, Apache only needs root privileges to bind to port 80 - then it completely relinquishes them. That is the way it should be and that would make 0wning an IIS box many times more difficult - because using an "ordinary user" account to get SYSTEM access on NT is a lot more difficult than on UNIX because NT doesn't have setuid bits.

    Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.

    -sting3r

    • You might be interested in EROS - the Extremely Reliable Operating System [eros-os.org], which takes permissions resolution to its logical extreme: the capability system. If something only needs access to one directory and one port, that's all you give it.

      Very interesting project.
    • Bingo! (Score:5, Interesting)

      by RelliK (4466) on Wednesday October 03, 2001 @06:52PM (#2386093)
      I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.

      Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disastrous, whereas a buffer overflow in Apache will have a very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.

      On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.

      Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).

      (*) I understand the default file permissions have been improved somewhat in windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? is it true or has it been debunked?

      In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of being plagued with security holes, not bloody likely.
      • Re:Bingo! (Score:4, Informative)

        by rabtech (223758) on Wednesday October 03, 2001 @09:43PM (#2386585) Homepage
        In the next version of IIS6, there will be a kernel HTTP driver that can respond to static requests by serving directly from the cache. The input code has been rewritten, and is buffer checked among other things. HTTP doesn't do any processing at all... it just sees if the incoming URL matches a file already listed in the cache. If not, the request is bumped to user-space.

        Secondly, each website under IIS6 can run as a different user. So if you host 10 websites, each one can run as a separate user account, each with different security permissions.

        Lastly, yes 2000 gives you better file security out of the box. There are still some things that should be fine-tuned, but definitely not Full:Everyone.

        With the .NET Server betas, they seem to be getting more fine-grained on that stuff.
    • By default, IIS runs as a special account IUSR_machinename on the internet. For intranets it will often run with the end user's credentials. Of course you can create any service account to run IIS if you're worried about a dictionary attack on the IUSR_machinename account.

      In fact, one of Microsoft's Security recommendations is to make a special folder in system32 (pseudo-equivalent of /bin), move files like the command and scripting shells into it, and allow only Administrators and System to access it (similar to moving that junk to /sbin)

      The problem is that even a low privilege account falls under the "Everybody" group, which has a wide latitude by default.

      It also doesn't help that some shops are too cheap to shell out $300 for the W2K Resource Kit or a TechNet Subscription. Then maybe people would also stop complaining about the lack of MS documentation.
    • NT can't drop privs. (Score:3, Informative)

      by throx (42621)
      The real problem isn't that the service starts as LocalSystem - even Apache starts off as root (it has to when it binds to port 80). What makes things so difficult under NT is there is no effective way to permanently and irrevocably drop privileges from a process while maintaining the ability to 'su' to another user if someone presents a username/password pair.

      Even when IIS is running as a 'nobody' user, unless you have explicitly configured your script/application to run in a separate process then you'll find that a simple 'RevertToSelf()' call will grant you back all the privs that were dropped. On the flip side, without being LocalSystem you can't call 'LogonUser()' or 'CreateProcessAsUser()' from a username/password pair so you end up with catch 22.

      If I'm wrong, please shoot me down in flames...
  • by Anonymous Coward on Wednesday October 03, 2001 @04:40PM (#2385438)
    Download source code for Apache. Tweak the headers to say "IIS" instead of "Apache". Brag about their speedy team of coders.
  • IIS Secure? (Score:5, Troll)

    by zarathustra93 (164244) on Wednesday October 03, 2001 @04:40PM (#2385441) Homepage
    Open the source. Put it up for peer review. Fix the holes. I'm not saying that they should hand out the source for their whole OS, but when they have had as many debacles with one piece of software it might actually help them out quite a bit.

    I refuse to install products that require IIS as well. A software provider of ours makes an ultra nice business mining product that can be nicely web enabled. I told them that I would purchase it as soon as they supported a web server that didn't have a new security flaw or bug discovered every week.
    • Re:IIS Secure? (Score:2, Interesting)

      by compugeek007 (464717)
      I agree fully with your open source remark. IIS is not in itself a revenue driver for Microsoft so why not make it open source? It might make it more complex and ruin MS's Point and Click admin theme for server products. But I have said before that PHB's who think that MS's point and click admin leads to a low TCO are eating their words and probably looking for a job =P To avoid the high costs having a server exploding, IIS (Microsoft) admins should have the technical experience of a Unix admin. You can't take an accountant, put him in front of a server and call him an admin.

      However, I must disagree with your statement about not considering running IIS at all. A good system analyst will weigh the value gained (in your case the data mining software) versus the risk of loss (having your server haxor'd.) If a network is designed in this way, you would already have *nix and Open Source infrastructure on your public area / DMZ.

      Remember that IIS has an intrinsic advantage in delivering dynamic application content to desktops. I am a MCSE and work on Unix and MS systems, I would never put MS technology in the DMZ, but then again, my company couldn't survive without our MS web based thin applications internally.
      • Remember that IIS has an intrinsic advantage in delivering dynamic application content to desktops.

        Really? To any desktops? Or just to Windows desktops?

        I would never put MS technology in the DMZ

        Me neither.

        but then again, my company couldn't survive without our MS web based thin applications internally.

        But this sounds like it reinforces my first point. MS stuff nicely integrates with other MS stuff. Maybe that's what you mean by "has an intrinsic advantage". And if you wouldn't put it in a DMZ, then that leaves only the internal applications you mention.

        I must disagree with your [previous poster] statement about not considering running IIS at all

        Well, maybe in this scenario IIS would be okay. An internal application, quickly developed, and integrated with other MS stuff. (I'm assuming Windows-only on the desktop. But that could be wrong.)
      • I'll throw out a few thoughts for the sake of argument.

        What about mergers, business partnerships, extranets and other results of a dynamic business environment? What if you find yourself having to open the application to others? Sure, the first few are easy, change the firewall rules. But what if their servers get infected with the next worm du jour?

        And please tell me what is IIS's intrinsic advantage in delivering dynamic application content to desktops?

    • They have EVERYTHING to lose by opening up IIS. If they open it up, and a better product emerges 6 months down, that will be clear proof that open-source methodologies are better at producing secure, less bug-ridden software.

      After bashing open-source for as long as they have, why would Microsoft want to give it any possible praise?

  • Sounds good... (Score:2, Interesting)

    by RadioheadKid (461411)
    Well, from the looks of it, it sounds like they're doing all the right things. Just too bad for most of us who've been seeing "GET /default.ida?XXXX..." and "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 in our Apache logs, it can't come soon enough...

    KidA
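
Added example (not part of the original comment or thread): a small Python scan of an Apache access log for the request paths quoted in this discussion (`/default.ida?`, `/scripts/root.exe?/c+dir`, `/winnt/system32/cmd.exe`), counted per source host. The log lines are constructed sample data using documentation IP ranges; the signature names and the rule that a 2xx answer to a probe deserves a closer look are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Signature names are labels chosen for this example. The patterns are the
# request paths quoted in the thread, matched case-insensitively because IIS
# paths are case-insensitive.
SIGNATURES = [
    ("ida-request", re.compile(r"^/default\.ida\?", re.I)),
    ("root.exe", re.compile(r"/root\.exe(?:\?|$)", re.I)),
    ("cmd.exe", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
]

# Constructed sample log (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2001:16:38:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [03/Oct/2001:16:38:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [03/Oct/2001:16:40:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [03/Oct/2001:16:40:12 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [03/Oct/2001:16:41:00 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [03/Oct/2001:16:42:30 -0400] "GET /docs/default.idaho.html HTTP/1.1" 200 512
203.0.113.9 - - [03/Oct/2001:16:45:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1201
this is not a log line
""".splitlines()


def classify(request):
    """Return the signature name for a request line, or None if it is not a probe."""
    parts = request.split()
    if len(parts) < 2:
        return None  # empty or truncated request line
    path = parts[1]
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan(lines):
    """Scan access-log lines.

    Returns (hits, answered, unparsed):
      hits     - {host: Counter({signature: count})} for probe requests
      answered - [(host, path, status)] probes that got a 2xx response
      unparsed - number of lines that are not Common Log Format
    """
    hits = defaultdict(Counter)
    answered = []
    unparsed = 0
    for line in lines:
        m = CLF.match(line)
        if m is None:
            unparsed += 1
            continue
        sig = classify(m["request"])
        if sig is None:
            continue
        hits[m["host"]][sig] += 1
        status = int(m["status"])
        if 200 <= status < 300:
            # A 404 means nothing was there to answer; a 2xx means something did.
            answered.append((m["host"], m["request"].split()[1], status))
    return dict(hits), answered, unparsed


def top_sources(hits):
    """Hosts ordered by total probe count (descending), then by host string."""
    totals = [(host, sum(counter.values())) for host, counter in hits.items()]
    return sorted(totals, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits, answered, unparsed = scan(SAMPLE_LOG)
    for host, total in top_sources(hits):
        print(f"{host:15} {total:3} {dict(hits[host])}")
    for host, path, status in answered:
        print(f"CHECK: {host} got {status} for {path}")
    print(f"unparsed lines: {unparsed}")
```
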

  • Two step process? (Score:2, Redundant)

    by jlockard (140979)
    So, like what are they going to do?

    Step 1: Install IIS
    Step 2: Uninstall IIS
  • Summary (Score:2, Informative)

    by wiZd0m (192990)
    They will fix the problem in the next upgrade.
  • Uh oh! (Score:2, Interesting)

    by nilstar (412094)
    This will mean that IIS Sysadmins will actually have to think...! Now I know there are a lot of intelligent Sysadmins out there running IIS, but if you've come across the people I have in the industry, you'll know that there are a lot of people who aren't very tech savvy running servers.

    How about with this, an increase in the Microsoft Certification program?
    • Re:Uh oh! (Score:2, Insightful)

      by Fly (18255)
      Blah, blah. What doofus moderated the above post as "Interesting?" It might be classified as "Funny," "Flamebait," or "Troll" correctly, but certainly not "Interesting." BAH! A post having no content does not sound "Interesting" to me!

      For future posts replace foo, bar, and baz to ridicule your group of choice:

      "If you've run across half the foo I have in my career, you'd see that bar of them are complete baz."

      For those needing help. This post is "Flamebait."

      --
      end of line

    • Re:Uh oh! (Score:3, Insightful)

      by tshak (173364)
      How about with this, an increase in the Microsoft Certification program?

      Actually, the Microsoft Certification program for 2000 is quite impressive (disclaimer: I don't have one or plan on getting one). The problem is an MCSE can not be looked at exclusively. It just says that you (potentially) have a good understanding about Windows Servers and architectures. What it doesn't do is give somebody the equivalent of a few years of solid experience. That's the real issue here, experienced vs. inexperienced (but certified) admins.
  • Secure IIS - NOT! (Score:3, Interesting)

    by fjaffe (469551) on Wednesday October 03, 2001 @04:41PM (#2385452)
    It's nice that they will ATTEMPT to make it install more securely by default. What are they going to do to help secure all the existing installations from the current (and future) gaping holes?
  • by Masem (1171) on Wednesday October 03, 2001 @04:46PM (#2385465)
    As pointed out in this CNET article [cnet.com], while forcing the maximum secure version and forcing users to install all patches is a good step in the right direction, the fact that IIS has been patched so many times implies that to really improve the security of it, it needs to be rewritten from scratch, particularly since it is a closed source application and thus does not have the same QA that open source software might have.
    • by corky6921 (240602) on Wednesday October 03, 2001 @05:28PM (#2385711) Homepage

      Personally, I would think that rewriting from scratch would make IIS more dangerous. At least Microsoft is plugging the security holes. I would think that rewriting it from scratch might cause more new exploits, whereas fixing the old version makes it more secure with every revision.

      This article, on the other hand, shows that Microsoft is trying hard to actually make its product better, instead of just saying "Here it is. New version. Use it or be forever left behind..." like they did with Office XP. I think this goes to show what a company in a non-monopoly position will do to succeed. (No one has a monopoly in web servers, and Microsoft isn't even the leader...)

      This is a good thing, and it's the right choice for Microsoft. Please don't call for a rewrite, or in two years we'll all be complaining about the root exploits discovered in the new IIS...

      • by dillon_rinker (17944) on Wednesday October 03, 2001 @05:48PM (#2385818) Homepage
        I would think that rewriting it from scratch might cause more new exploits
        Yes. That's why sendmail and bind are the paragons of security they are today. From-scratch attempts to replace them are riddled with holes that make IIS look like a pinprick.
        • Yes. That's why sendmail and bind are the paragons of security they are today. From-scratch attempts to replace them are riddled with holes that make IIS look like a pinprick.

          Oh come on. We're talking apples and oranges here. Postfix, qmail and djbdns were written by UNIX guys who knew what they were doing. IIS would be rewritten by Microsoft. Completely different story.
    • Do you have any idea where the name Apache came from? Think about it... Apache Server. A...Pache...Server. A Patchy Server. There you go. So, since Apache is a bunch of patches, shouldn't it be written from scratch again too, with a different name?

      It's a good thing you said "might have" when referring to open source QA. The QA of open source seems to be pretty good, so long as you're a nerd doing nerdy things with it. Trying to get lusers to test open source stuff just doesn't happen much. Any software company can just pay some people for a couple hours for them to try to use their app so they can learn what needs to be QAed. We don't have that kind of luxury. So, yea, I guess my point's just that open source QA is different than closed...both have their strengths. I don't have any concrete evidence of Apache QA vs. IIS QA, so I'm not going to conjecture about how effective they are in comparison.
      • Well it is being re-written from scratch. Same name though.

        http://httpd.apache.org/docs-2.0/new_features_2_0.html
        Many times the original design has been stressed past its breaking point. Either due to lack of foresight or due to lack of a crystal ball, some projects are better off being rewritten. Believe it or not, sometimes rewriting saves time.
    • by tshak (173364) on Wednesday October 03, 2001 @06:56PM (#2386108) Homepage
      Well, they're just repeating the Gartner report. Many of us closer to the issue agree that what needs a complete rewrite is ISAPI.DLL. This is not nearly as big of a task as rewriting IIS!
  • by Nindalf (526257) on Wednesday October 03, 2001 @04:46PM (#2385471)
    The paper is here. [auckland.ac.nz]

    It's more involved than you might think. If you are a sysadmin, this might be important for your job security.
  • by webword (82711) on Wednesday October 03, 2001 @04:47PM (#2385475) Homepage
    This is not a change in the fundamental technology. They don't seem to indicate that IIS itself will change, only that the default settings will yield more secure servers. This is only one type of security issue. What about all of the others [66.129.1.101]?

    Another thing to consider is that they are not doing this to be kind, gentle, or nice. They are doing it to shore up their marketing of Hailstorm, Passport, and so forth. This is not a response to "what the users want" or they would have done this ages ago. It is a marketing ploy. It is the right thing to do, but it is a marketing ploy. Managers, CIOs, CEOs, and so forth will be able to sleep better at night.

    • by tshak (173364) on Wednesday October 03, 2001 @07:02PM (#2386120) Homepage
      No this isn't. Microsoft has always tried to make everything so easy, that they just install and enable everything so you can do anything with minimal work. They're finally realising the implications. There IS a fundamental change in their strategy - shipped locked down instead of opened up. Yes, I've already mentioned (as others) that ISAPI.DLL needs to be rewritten as it's obviously got some serious security flaws. However, if IIS doesn't have tons of insecurely executable scripts installed and activated by default it lessens the issue dramatically.
  • by evenprime (324363) on Wednesday October 03, 2001 @04:49PM (#2385480) Homepage Journal
    If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.

    It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.

  • by Desco (46185) <<desco911> <at> <yahoo.com>> on Wednesday October 03, 2001 @04:55PM (#2385496)
    Microsoft's idea of making their products more secure is making it harder to copy... Seriously, if they'd spend as much time worrying about actual security as they do preventing and prosecuting piracy, it'd be more secure than Fort Knox.
  • by Rocketboy (32971) on Wednesday October 03, 2001 @04:56PM (#2385499)
    1. Place unopened IIS software in bank vault.
    2. Close and lock vault door.
    3. Eat paper on which vault lock combination is stored.

    Oh, you actually wanted to use the software?

    *sigh* I probably shouldn't rag on Microsoft: they needed to do this a long time ago. But in so many ways they've hoisted themselves by their own petard: by touting how easy their software is to use, by implication they've convinced businesses and technicians that they don't need much training on how to use it. Locking down IIS is one step: making sure that IIS admins know how to properly use it is another and I have yet to see any emphasis placed on education and training by Microsoft or any of its apologists.

    Note: having one's connection refused by Slashdot when attempting to post a comment is just plain rude. On the other hand, the wonder isn't how well the bear dances, it's that the bear dances at all. :)
  • by Archfeld (6757) <treboreel@live.com> on Wednesday October 03, 2001 @04:56PM (#2385504) Journal
    With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms, and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???

  • where's the hitch? (Score:2, Interesting)

    by shibut (208631)
    Reading this article I smell a goat, as they say. It smacks too much of a good initiative that will be exploited. Like the recently announced toolkit to get your system checked for vulnerabilities and fixed free (see here [microsoft.com]). If you try to actually have it sent to you and go thru a few screens you see that you need Passport (a.k.a. "all your passwords are belong to us!") in order to have them send you a CD by snail-mail. What does a physical CD have to do with an evil service, you ask? Did I mention that the CD might be useful/coveted? Has anyone found a similar hitch with this (e.g., putting the settings in such a way that a central M$ database will check the appropriateness of all your info "to make sure it's secure", oh and to make sure you don't use it for anything that disparages M$, hotmail, MSN, etc).
    • I tried using the lockdown tool after I manually did a little house cleaning. Specifically, deleting the iissamples folder. The tool wouldn't run without that folder. Now that makes me feel secure. I restored it from the recycling bin and the tools proceeded.

      Of course, what was I thinking by deleting the samples folder, they've never had any security issues with those files.
  • by robi2106 (464558) on Wednesday October 03, 2001 @04:59PM (#2385525) Homepage Journal
    I had to test some java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by nimda (ie not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).

    The entire dev team working on the java code would have just taken the afternoon off, had I not casually mentioned the existence of my humble Pentium Pro 200 running Apache. :-)

    This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the Admins to finish the virus updates. Who knows . . . we may shift away from simple IIS servers (for a java service on a server you don't need some big IIS machine).

    From a security stand point, This little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged none the less.

    robi
    • Geez I'd be pissed if I couldn't play basketball with the others because some smartass set up a non MS web server.

      If there's one thing MS has done well - it's looking after developers! While all the non MS developers are inside getting OOS, sore eyes and fat butts, the MS developers get regular exercise breaks in the sunshine.
  • by ch-chuck (9622)
    Just read on cnet where Ray Noorda of Novell used to call the guys at Msft Bill "Pearly" Gates who promises you the heavens while Steve "The Embalmer" prepares the body for burial.

  • fun quotes (Score:4, Troll)

    by ethereal (13958) on Wednesday October 03, 2001 @05:01PM (#2385540) Journal
    ``With the virus attacks of late and the numbers of those and how vicious those attacks have been ... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area,'' Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview.

    I would think that Microsoft would want to get out of their leadership position in enabling virus attacks and making them so painful, but I guess that's why I'm not President of the Windows Division. I don't think the industry wants to be driven too much further down that path, though - alternate web serving platforms are more like where Microsoft is driving their customers.

    ``We can't just sit back and think about Microsoft,'' said Valentine, who is leading Microsoft's new security task force.

    Well, that will be a first.

    • I would think that Microsoft would want to get out of their leadership position in enabling virus attacks and making them so painful

      Well, the time is about ripe. I think not only the SW, but also the accompanying viruses and worms were made in Redmond. MS used these "tools" to track down and identify users not paying the proper licences. Now that they have served their purpose, and MS is moving over to a pay-by-the-minute licencing model, they don't need those "tools" anymore.

      I can see that they may get IIS fixed, but I am not sure how they are going to deal with VB. VB is a dangerous smurf in sheep's clothing.

    • The interesting thing is: they're not the leaders. Not in Web servers. You saw the Netcraft survey results a few days ago. Apache 60% or so, IIS holds about half that. Half.

      Excellent spin, to imply that the reason for all the vicious attacks is market leadership. But they don't have it, and that isn't the reason.


    • > "it's incumbent on Microsoft, being in the leadership position we're in"

      Funny, but I've never heard the concept of loss leader applied to security before.
  • Never install a piece of software as Administrator, use poweruser or something less.

    If it doesn't install as that user, don't install it. It's obvious that that app was not designed with security in mind.
  • by Water Paradox (231902) on Wednesday October 03, 2001 @05:02PM (#2385550) Homepage
    Remember the first time you installed Apache?

    It was secure by default because you had to learn what the heck you were doing, and a fair bit about the structure of your hard drive before you could get it running.

    Now IIS is catching up, having learned what happens when you appeal to the lowest common denominator. This is very good news, because it means IIS will no longer be administrated by people who haven't a clue. It's not that IIS is inherently insecure, but that it's inherently run by people who don't know how to secure it.

    Apache appeals to a different crowd, and is more secure by nature for that reason...
  • Quote: "With the virus attacks of late and the numbers of those and how vicious those attacks have been ... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area," Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview

    They have to drive forward the industry? They are playing catchup. They are implementing security features that have been in Apache for years at this stage, and setting defaults that should have been set at day one. It's typical of Microsoft to try and fix things up once they have totally broken, then try to sell it as a feature, and to try and say "Look what good things we've done in combating this problem", when all along there should never have been a problem in the first place.

  • by CmdrMightyTaco (517355) on Wednesday October 03, 2001 @05:03PM (#2385562) Homepage
    In a related topic, MS released another tool set today to help admins secure their boxen...

    The rest of this comment is from the NTBugTraq newsgroup:

    Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.

    About time.

    I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)

    Announced today was the "Microsoft Security Tool Kit";

    Click here [microsoft.com]

    This "Greatest Hits" CD or network download contains all of the things you should already have;

    - Latest Service Packs for OS, IIS, and IE.
    - Security Checklists for NT, W2K, and IIS.
    - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
    - An NT 4.0-SP6a Deployment guide for SMS.
    - IE Deployment guides.
    - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
    - IIS Lockdown Tool
    - URLScan
    - HFNetchk
    - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
    - QChain

    There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.

    I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if it's just the Critical Update Notification 3.0 tool then it's not a "Bootstrap Client" in the sense I thought it was.

    While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;

    1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
    2. Patched versions of MDAC
    3. Modifications to the samples to eliminate RDS
    4. Modified default installation that doesn't install in a way known to be exploitable
    5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)

    In addition, what is desperately needed is some way to do the following;

    a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun)
    b) Completely remove the IIS installation on command (remotely!), or render it stopped
    c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc...
    d) Report results in a comprehensive fashion

    I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.

    If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.

    Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.

    There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while it's great they have finally been hit with the clue-bat it seems ridiculous that it's going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be set up to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.

    Again, about time!

    Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.

    Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    • Wow! (Score:3, Funny)

      by crisco (4669)
      All that fits on one CD?

      :)

    • by r2ravens (22773) on Wednesday October 03, 2001 @08:24PM (#2386417)
      I manage lots of workstations and several servers in a state agency. We use Dameware [dameware.com] for remote information collection and control.

      In the past we used SMS but it was waaay too slow, especially across some of our 56k lines. Dameware is a wonderful product. There may be some way to script its use as well. I was provided with the product by the department, so I don't know what the licensing issues are, but it looks like it's around $200.00 or less for download and is available for a 30 day free trial.

      I really endorse this product. Hope the info helps.

  • New (Score:5, Funny)

    by mlknowle (175506) on Wednesday October 03, 2001 @05:07PM (#2385590) Homepage Journal
    In other news, Microsoft's hardware division announced a plan to make water flow uphill.
  • by blogan (84463) on Wednesday October 03, 2001 @05:09PM (#2385602)
    A paperclip comes up and asks you, "Would you like to have the server start? Would you like to allow connections from outside 127.0.0.1? Would you like to run scripts? Would you like to be able to access files not residing on the read only floppy? Would you like to have all comments automatically read by Outlook?"
  • by ENOENT (25325) on Wednesday October 03, 2001 @05:11PM (#2385612) Homepage Journal
    This whole IIS thing is only a Microsoft problem by coincidence. Any piece of software can have security holes, so the key to reducing their effect is timely application of patches. That appears to be the main thrust of MS's "securing IIS" effort.

    Unfortunately, almost nobody makes it easy to get security patches. Debian does the best job, from an admin's point-of-view--just "apt-get update && apt-get upgrade" when there's a security announcement, and you can even put this into a cron job. MS doesn't do too badly, with "Windows Update". Solaris stinks--Sun seems to go out of their way to hide security patches from visitors to their website. I don't have much experience with other platforms--there may be better systems than Debian's, but I haven't seen them.

    • Another problem is that Microsoft likes to play games with their updates. Some patches open the security holes closed by other patches. Some patches totally break the system (e.g. Service Pack 2 was known as Service Pack of Death). Some break only third party software (e.g. Service Pack 6 broke Lotus). Whether this is intentional or not we will never know, but Microsoft has no credibility left, so you can pretty much assume the worst.

      I don't have much experience with other platforms--there may be better systems than Debian's

      Doubt it. Only FreeBSD is even comparable with its cvsup (though it needs to compile stuff from source). No other systems I've seen even come close.

  • by isa-kuruption (317695) <`ten.noitpuruk' `ta' `noitpuruk'> on Wednesday October 03, 2001 @05:17PM (#2385643) Homepage
    Uhm I heard from a web developer for middleware systems that uses IIS that IIS 6.0 is going to run in kernel memory. Maybe this is a bad thing? Executing ASP code in kernel memory? Just.... maybe?

    • Re:IIS 6.0 (Score:4, Informative)

      by rabtech (223758) on Wednesday October 03, 2001 @06:31PM (#2386014) Homepage
      The new HTTP.SYS driver runs in kernel-space, and can respond to static content requests with very little processing or overhead, pulling the data directly from the cache.

      Assuming that HTTP.SYS can't handle it, the request is passed on to a user-space process.

      There is a lot more to it than just that. Much of the core code has been rewritten, and is buffer-checked among other things.
    • That's odd. I thought it's already running partially in the kernel
  • sarcasm? (Score:5, Funny)

    by Anonymous Coward on Wednesday October 03, 2001 @05:18PM (#2385649)
    "It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

    Thank God. Since MS usually tries to do the wrong thing, on purpose. Now they are doing the right thing on paper.

  • I don't get it. (Score:3, Interesting)

    by Auckerman (223266) on Wednesday October 03, 2001 @05:18PM (#2385652)
    I'm not really sure how this will help. Having a server off by default will not make it harder to break into once the server has been turned on. Not only that, the problems exploited by worms and script kiddies are all known, sometimes months and even years in advance of an attack. If MS were truly serious, they would establish an independent body to certify MCSEs, make it so that the certification is much more difficult than it is now, and only provide support to customers who have certified personnel on staff. On top of this, MS should guarantee backward compatibility of ALL software installed on a system after a security update is applied (within a given product version) so that admins won't be terrified to install updates.
    • Re:I don't get it. (Score:5, Interesting)

      by PatJensen (170806) on Wednesday October 03, 2001 @05:46PM (#2385812) Homepage
      Before you go shooting on the MCSE bandwagon, you need to realize that Windows 2000 has been out for over a year now. There are less than a few thousand MCSEs, as former Windows NT 4.0 MCSEs are finding the tests to be MUCH harder than before. After December, once the NT 4.0 MCSEs have expired and they no longer hold their certification, it will go further in eliminating watered down MCSEs.

      Microsoft has done an excellent job at reducing the amount of excess water in their certifications with the new rounds of exams. I've taken and passed my Windows 2000 MCSE (after my Solaris SCNA and Cisco CCNA certifications) and I found the design exams to be especially challenging. To pass the new Windows 2000 tests, you MUST have experience with deploying their products or you WILL fail.

      Cut Microsoft some slack in their certification department. They've come a long way in establishing a well-known industry standard and now they are "fine-tuning" it to ensure that its worth stays intact. As someone who has gone through the process, it holds a lot of value to myself and my clients and customers.

      On a side note, pick up a Solaris book at Barnes and Noble and read it for two days. You can pass it with almost no experience, other than knowing run levels and where rc files are located.

      -Pat

      • by danheskett (178529) <danheskett AT gmail DOT com> on Wednesday October 03, 2001 @06:24PM (#2385982)
        There are less than a few thousand MCSEs

        That is simply untrue. Counting all MCSEs, and according to MS's own stats, there are well over 1.5 million MCP's (people who have passed one test) and well over 250,000 MCSE's (world wide, of course).

        For the more obscure certs, there are less than 10,000 MSDBA's (database admins), and somewhere around 25,000 MSCD (developers).

        However, you are correct that MCSE "pool" is being thinned by expired NT 4.0 certs and the general increase in the difficulty of tests.

        Other than that, though, you are correct. Solaris certs. are a big funny joke, if you ask me. But I can say, also as a person on the track to MCSE status, that, without a doubt, the new tests REQUIRE real experience and skill, and they are indeed rather difficult.
        • Dan,

          I misstated in my post how many current MCSEs there are. I was actually stating Windows 2000 MCSEs, in referring to the amount of NT 4.0 MCSEs that will be washed up soon.

          Thanks for replying and correcting me. Good luck on your certification.

          -Pat

  • When IIS 1st came out there was a "recommended" list of things to do to the OS and IIS to make it "secure". I'm sure that the new "secure" version of the install will do most of these things. When I started using IIS (version 3) and found the paperwork for making it secure - I thought to myself - why don't they just do this stuff from the start....

    I really think that this is a good thing. It might actually help reduce the number of script kiddie type attacks overall - because it will actually force people to learn that you DON'T leave the admin site running and you DON'T use the default web site to run YOUR site from, etc, etc... Let's face it - if your PHB's force you to use it (cough, cough) then you should at least know how.

    It really is about time they did this, heck the way the install is now - it almost hacks itself!!

  • by chrysalis (50680) on Wednesday October 03, 2001 @05:26PM (#2385688) Homepage
    By intending to secure IIS, Microsoft is doing the right thing. Unix freaks are laughing at Microsoft freaks because of code red & co. But the point is that flaws in any system are bad for the whole internet. People don't trust the internet any more, they don't want to give their credit card number any more, etc. When every host on the internet will be pretty secure, e-commerce may do a real come-back.
    The problem with this announcement is that Microsoft will start from the existing IIS product and try to secure it.
    Securing something that wasn't initially coded with security in mind is very tricky. Flaws always pass on.
    Have a look at bind or sendmail. They are very old servers. They are widely used. Many companies and individual people hardly audited the code. So what? A new flaw was still discovered in sendmail last week, and bind always was one of the favorite toys for kiddies.
    On the other hand, software like djbdns and postfix were started later. They were started from scratch with the knowledge of all common security flaws their ancestor had. The result is that they are very secure. More than old software that was audited by hundreds of skilled people.
    So while Microsoft's initiative is in the right direction, they won't get a secure product in any case. Just because they didn't rewrite it from scratch.

  • If M$ is sincere, this is of course welcome news.

    The problem is that M$ have a history of promising "initiatives" of this nature, then never following through once the smoke has cleared a bit.

    And that's assuming it isn't just pure FUD, as in this [novell.com] lovely example.


    sPh

  • by ReelOddeeo (115880) on Wednesday October 03, 2001 @06:11PM (#2385923)
    Dear Microsoft,

    Thank you for your recent announcement that (someday) you will secure IIS.

    Enclosed please find a blank, signed check.

    When a more secure IIS is ready, please fill in the amount on the check, deposit it, and then ship me the new IIS. I'm patient. I'll wait until it's ready.

    I know you're working very hard and that the benefit of end users is the number one concern of Microsoft.

    Your loyal lackey,

    MCSE guy.
  • MCSE requirements (Score:3, Insightful)

    by dillon_rinker (17944) on Wednesday October 03, 2001 @06:18PM (#2385956) Homepage
    The article hints at this, but I think that Microsoft needs to not only secure their default install for future products but make security part of their MCSE core training/testing requirements. I think they need to make a separate MCSE core test that focuses on security.
  • IIS 6 (Score:3, Informative)

    by alanjstr (131045) on Wednesday October 03, 2001 @07:07PM (#2386143) Homepage
    IIS 6 will have been through their Prefix program. Installing it will also have a wizard which will ask you what services you want.

    Interview about the "Secure Windows Initiative" [computerworld.com]

  • by erroneus (253617) on Wednesday October 03, 2001 @07:15PM (#2386170) Homepage
    Alright. I'm sure this will get a lot of MCSE's all huffy but too bad... it's not about you anyway.

    The biggest selling point for Microsoft crap is in how easy it is. It's also its biggest problem. Sure it's easy to set things up when, at install time, everything (especially the stuff the installer doesn't yet know about) is turned on by default! It is precisely this selling point that has created this problem.

    You know, most people put their dangerous tools behind some level of inconvenience to prevent accidents. I have no doubt that Microsoft never intended this to happen... yet it has... I don't know how many releases of Windows had to come out before warnings about having file shares open when connected to the internet started to appear. So file shares are dangerous but exposing IIS (+addons) aren't?

    A comment made by one user/admin noted that IIS by itself is not vulnerable that it is all the useless addins that make it so. Most of these addins aren't even used by the casual user. The casual user doesn't even use IIS! And that is the crux of the CodeRed problem in general. Microsoft has put dangerous tools into the hands of people who don't know how to use them so they can make more money. It's as simple as that. Microsoft is responsible for the problem and they should take appropriate measures.

    By making it "too easy" people are making themselves vulnerable without their knowledge. It's out. It's too late. The best they can do is issue a RECALL on IIS and everything that comes bundled with IIS. Issuing advisories that people aren't reading and patches that people aren't downloading isn't going to get people's attention.

    If they are truly interested in solving the problem, they will have to swallow their pride and make it very public that they wish to RECALL IIS! Then people will sit up and take notice and do the things they need to do.

    Recalls are embarrassing. They will not want to do it. But for the good of the internet, they should. Okay, I hear the laughing... they aren't interested in the public good.

    What is IIS anyway? Internet Infection System?
  • by Thalinor (4731) on Thursday October 04, 2001 @06:48AM (#2387599) Homepage
    of course i know the /. crowd wants to remain clueless and would never acknowledge that MS is doing something good. it would spoil their immature bashing fun.

    here's to hoping that there are some folks left at /. that actually have a clue about these issues.

    the following comment was posted by MS employee Joshua Allen at his weblog [netcrucible.com]

    The IIS Plan - This interview with Brian Valentine [microsoft.com] sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is "When we look back in a few years, we will see this as one of the critical inflection points in our company's growth."

    Here are my notes, detailing the parts of the plan I found interesting:

    Two initiatives for customers:
    Get Secure:

    • All virus-related PSS calls for all customers (not just enterprise) are now free. 1-866-PC-SAFETY.
    • Premiere Support and Microsoft's Consulting Service as of today are offering a Security Assessment Service for large enterprises; this service may be for fee (at discretion of local offices), but will not be profit-driven, and will eat significant costs where customer situation warrants.
    • Regularly updated Security Toolkit will be distributed. Each will include all known patches and tools, and a one-click "make my system secure." First toolkit mailed and web-distributed on October 15. As of tomorrow, the tools should be available to MS Employees to hand out to customers. All of the tools are fully supported, and are made to run on NT4, Windows 2000, and Windows XP. This is not "resource kit" or loose collection of unsupported tools. Localized versions come later, since getting tools available quickly is top priority.
    • New set of additional security tools will RTM in December.
    • Toolkit will not be perfect starting Oct. 14; will make continual improvements based on feedback.

    Stay Secure:
    • Mid 2002 availability of federated Windows Update for enterprises. This lets enterprises run their own windows update service under their own control.
    • Feb 2002, Provide version of windows update that can be configured to accept and install updates with zero user intervention.
    • Make security bulletins simpler and integrated with update technology so an IT administrator can simply approve a security patch and have it automatically be pushed to the whole enterprise.
    • Security patches will now contain absolute minimum fix; no QFE, etc. stuff lumped in.

    Internal Efforts (Not Customer-Facing):

    • (Historically) Windows 2000: Hired a bunch of people to do penetration analysis and code analysis, and placed unprotected servers on the net to let hackers attempt cracking it. Built and used automated code analysis tools to detect some common security bugs.
    • Windows XP: Code analysis tools have been improved to detect many more types of security bugs, and continued increases in investment in security analysis.
    • Currently BrianV organizing a full pass review of how security is handled in all groups to look for deficiencies.

    Public:

    • BrianV con-called with 1000+ CIOs and other IT people to get feedback and comment; has handed out his e-mail to everyone.
    • Any customer should be able to call that phone number above (or contact any Microsoft employee) and get the one-click "make my system secure" tool kit for no charge.
    • BrianV will be point-person working with competitors, government agencies, etc. on industry-wide solutions. "We think that some of these problems require industry-wide solutions, but we realize that it is incumbent upon us to drive solutions". Brian will take a more visible role in driving these solutions.

    So the way I see it, we will be successful to the degree that we:

    • Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
    • Improve security going out the door so that fewer patches are required (IMO, this wouldn't have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
    • Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.
    And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too.
