300 likes | 540 Views
IIS7 Security. IIS 7 Security. IIS 6 Today: A Proven Platform. Proven Scalability Proven Security Proven Trust A solid foundation to build on. . Security Progress for IIS. Two security patches for IIS 6 since RTM (>3 yrs). 2005. 2006. 2004. 2002. 2003. 4/15 Server2003 RTM.
E N D
IIS 6 Today: A Proven Platform • Proven Scalability • Proven Security • Proven Trust A solid foundation to build on.
Security Progress for IIS Two security patches for IIS 6 since RTM (>3 yrs) 2005 2006 2004 2002 2003 4/15Server2003 RTM (WebDAVDoS) (ASP) 06/11 06-034 10/12 04-021 IIS6 4/1002-018 6/1102-028 10/30 02-062 5/2803-018 IIS 5 8 4 4 7/13 04-021 IIS 4 4 8 4 < Critical • Notes • MS02-011 & 012 not included: updates SMTP service only • ASP.NET adds: 1 – v 2.0 2 - v 1.1 3 - v 1.0 = Critical = Rollup with X updates X
Building on a Solid Foundation:IIS 7 Security Features • Modular Design: • Reduced exposure at installation and runtime • .Net Integration: • Forms Auth for any content • Use of .NET Role and Membership Providers • Built in anonymous account • Easier to administer, restore, and configure • Application Pool Isolation • Improved Sandboxing between applications • URLAuthorization and Request Filtering • New choices for improving security • Kernel mode SSL and authentication • Faster negotiation of security exchanges, fewer problems
Reduced Footprint and Specialized Servers • Features implemented as discrete modules • Modularity improves security • Reduced module set by default at install • Remove modules that you do not need • Extensibility allows security customization • Add authentication, logging, or blocking mechanisms
IIS 7 Security Features provided by .NET • Integrated pipeline enables Forms authentication with any content • Leverage existing user database with .NET Role/Membership providers • Examples: Store user names in: • Active directory or local SAM • SQL 2005 Express for static site users • ADAM for users and groups in a PHP application • DB2 mainframe users and groups in ASP.net
demo Forms Authentication with Static Content
URLAuthorization • Control access to sites, folders, or files without using NTFS • Inspired by ASP.net URL authorization, but designed for administrators • Rules are stored in .config files • Delegate control to store in web.config • Authorization rules are then portable • Xcopy and maintain security • Use Windows principles or .NET provider • Native to IIS 7
demo URL Authorization
Request Filtering • IIS 7 integrates URLScan style rules • Very strong security feature • Prevent URLs that contain “any string” • Block URLs over “X” in length • Prevent delivery of “.config” or “/bin” • Easy to read rules stored in .config • Delegate control to store in web.config • Filtering rules are then portable • Cannot be edited in UI • New error codes track rejections
demo Request Filtering
Changes in Anonymous User will Improve IT Pro experience • IUSR instead of IUSR_<servermame> • IUSR is “built in”, not a local account • Cannot logon to system with this account • No password to worry about • Same SID on all Vista/LH servers • File ACLS are valid between servers • Allow anonymous access & turn off IUSR: • Use process identity for anon access when enabled • Disabled by default
IIS_WPG replaced with IIS_IUSR • IIS_WPG local group in IIS 6 • All app pool identities must be in IIS_WPG • Creates administrative overhead • Adds complexity to hardening/pool isolation • IIS_IUSR replaces IIS_WPG • Built in group, not local • Well known SID means ACLS respected • Pool identities are automatically added
demo Disabling Anon User
Application Pool Sandbox • New IIS 7 feature significantly improves application pools isolation • Prevents attacker from reading secrets in another pools config • Works automatically, and is transparent to configuration and operation • Process identity is unchanged • Network Service by default • Note that application pools cannot read Applicationhost.config by default.
Application Sandbox: How it works • Each site is assigned to a unique pool • Occurs automatically with new site in UI • At runtime: • Unique SID for pool is “injected” into the process’ list of SIDs • Does not change process identity • A “temp” config file is created that contains only config settings for the pool • The temp config file is ACLd with unique SID • SID will be the same on other servers
demo Application Pool Sandbox
Hardening the Sandbox • Additional steps for increasing security • Disable anon user • appcmd set config -section:anonymousAuthentication -userName:"" --password • All anon access will occur as process identity • Set content for access by App Pool unique SID (with icacls) • Local content only, won’t work for UNC content • Create secure location for • ASP template cache • Compressed content • Create ASP.net temp file location for pool • appcmd set config "Default Web Site" -section:compilation -tempDirectory:%systemdrive%\inetpub\temp\aspnettemp\site%1 /commit:webroot
demo Hardening the Sandbox Advanced Hardening
Security Features moved to Kernel • Kernel Mode SSL • Improves performance • Reduces context switch to user mode • Kernel Mode Authentication • Improves performance • Kerberos functions when using custom application pool identity! • No need to use SETSPN as access to DC occurs as machine account
Encrypted Keys in .config • Passwords may be present in .config • No secrets by default • Passwords are needed for: • UNC paths • Shared Configuration • Custom Anon or App Pool identity • Passwords are encrypted when added • AES provider is the default • Encryption provider can be customized
IIS 7 Security Summary IIS 7 provides improvements and new capabilities that increase security and simplify administration
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
UNC Password Rules with Virtual Directories and Sites • IIS 6 used different rules for local vsunc • IIS 7 rules are simplified to be consistent Rule: If username and password is supplied for a site or directory, they are used to all content regardless of location.
Q&A about Security • Q: Where do I configure Read/Write properties that were in IIS 6? • A: Handler properties • Q: How do I install a Certificate • A: Install a Self Signed Cert in the UI or use wizard • A: What happened to Web Service Extensions? • Q: Implemented as ISAPI and CGI restrctions In the UI • Q: Do I need URLScan A: No.