
IIS7 Security


Lucy

Presentation Transcript


  1. IIS7 Security

  2. IIS 7 Security

  3. IIS 6 Today: A Proven Platform • Proven Scalability • Proven Security • Proven Trust A solid foundation to build on.

  4. Security Progress for IIS: two security patches for IIS 6 since RTM (>3 yrs). [Timeline figure, 2002 to 2006, one row per IIS version; the labels that survive extraction: Windows Server 2003 RTM 4/15; IIS 6 row: (WebDAV DoS) and (ASP), dated 10/12 04-021 and 06/11 06-034; IIS 5 row: 02-018 4/10, 02-028 6/11, 02-062 10/30, 03-018 5/28; IIS 4 row: 04-021 7/13; legend: "< Critical", "= Critical", "= Rollup with X updates"; the per-row rollup counts are not recoverable.] Notes: MS02-011 & 012 not included (they update the SMTP service only). ASP.NET adds: 1 - v2.0, 2 - v1.1, 3 - v1.0.

  5. IIS 6: No Critical fixes since RTM

  6. Building on a Solid Foundation:IIS 7 Security Features • Modular Design: • Reduced exposure at installation and runtime • .Net Integration: • Forms Auth for any content • Use of .NET Role and Membership Providers • Built in anonymous account • Easier to administer, restore, and configure • Application Pool Isolation • Improved Sandboxing between applications • URLAuthorization and Request Filtering • New choices for improving security • Kernel mode SSL and authentication • Faster negotiation of security exchanges, fewer problems

  7. Reduced Footprint and Specialized Servers • Features implemented as discrete modules • Modularity improves security • Reduced module set by default at install • Remove modules that you do not need • Extensibility allows security customization • Add authentication, logging, or blocking mechanisms

  8. IIS 7 Security Features provided by .NET • Integrated pipeline enables Forms authentication with any content • Leverage existing user database with .NET Role/Membership providers • Examples: Store user names in: • Active directory or local SAM • SQL 2005 Express for static site users • ADAM for users and groups in a PHP application • DB2 mainframe users and groups in ASP.net

  9. demo Forms Authentication with Static Content

  10. URL Authorization • Control access to sites, folders, or files without using NTFS ACLs • Inspired by ASP.NET URL authorization, but designed for administrators • Rules are stored in .config files • Delegate control to store them in web.config • Authorization rules are then portable: xcopy the content and the security travels with it • Use Windows principals or a .NET role/membership provider • Native to IIS 7
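The rules above, as an added example (not code from the slide deck): IIS 7 URL authorization for one application, written into that application's web.config with Microsoft.Web.Administration so it xcopies with the content. Assumptions: the URL Authorization module is installed, the site is "Default Web Site" with an "/admin" application, Windows authentication is enabled for it, and "WebAdmins" is a Windows group (a .NET role name works the same way once a role provider is configured for the site).

```powershell
# Added example, not from the slide deck. Run elevated on the IIS 7 server.
# Assumed names: site "Default Web Site", application "/admin", group "WebAdmins".
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"

$siteName = "Default Web Site"
$appPath  = "/admin"
$mgr      = New-Object Microsoft.Web.Administration.ServerManager

# GetWebConfiguration targets the application's own web.config (delegated storage).
# GetApplicationHostConfiguration with a location path would keep the rules in
# applicationHost.config instead, which is what you want if the section is locked.
$config = $mgr.GetWebConfiguration($siteName, $appPath)
$rules  = $config.GetSection("system.webServer/security/authorization").GetCollection()

# applicationHost.config ships <add accessType="Allow" users="*" />, inherited by every
# path. <clear /> drops it here so only the rules below apply to /admin.
$rules.Clear()

# Deny anonymous callers ("?"), then allow only the WebAdmins role. Anyone
# authenticated but not in the role matches no Allow rule and is refused.
$deny = $rules.CreateElement("add")
$deny["accessType"] = "Deny"
$deny["users"]      = "?"
$rules.Add($deny) | Out-Null

$allow = $rules.CreateElement("add")
$allow["accessType"] = "Allow"
$allow["roles"]      = "WebAdmins"
$rules.Add($allow) | Out-Null

$mgr.CommitChanges()

# Resulting fragment in the application's web.config:
# <system.webServer><security><authorization>
#   <clear />
#   <add accessType="Deny" users="?" />
#   <add accessType="Allow" roles="WebAdmins" />
# </authorization></security></system.webServer>
# Check with: appcmd list config "Default Web Site/admin" /section:authorization
```

Because the rules live in web.config rather than in NTFS ACLs, copying the /admin folder to another server carries the restriction along; the only server-side dependency is that the Windows group (or role provider) exists there too.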

  11. demo URL Authorization

  12. Request Filtering • IIS 7 integrates URLScan-style rules • Very strong security feature • Block URLs that contain "any string" • Block URLs over "X" in length • Prevent delivery of ".config" files or the "/bin" folder • Easy-to-read rules stored in .config • Delegate control to store them in web.config • Filtering rules are then portable • Not editable in the IIS 7.0 UI (edit the .config file or use appcmd) • New error sub-status codes track rejections
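The rule types listed above, as an added example (not code from the slide deck): URLScan-style request filtering for one site, written with Microsoft.Web.Administration. Assumptions: the site is "Default Web Site"; in IIS 7.0 the requestFiltering section ships locked in applicationHost.config (overrideModeDefault="Deny"), so it is unlocked first so that the rules can be delegated to web.config; the ".bak/.old/.sql" extensions and the "logs" segment are illustrative choices.

```powershell
# Added example, not from the slide deck. Run elevated on the IIS 7 server.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$siteName = "Default Web Site"
$mgr = New-Object Microsoft.Web.Administration.ServerManager

# fileExtensions and hiddenSegments already carry server defaults (.config is denied,
# bin is hidden). Re-adding an existing key makes CommitChanges fail, so check first.
function Add-RuleIfMissing {
    param($Collection, [string]$KeyName, [string]$KeyValue, [hashtable]$Extra = @{})
    $existing = $Collection | Where-Object { $_[$KeyName] -eq $KeyValue }
    if ($existing) { Write-Host "skip $KeyName=$KeyValue (already present)"; return }
    $e = $Collection.CreateElement("add")
    $e[$KeyName] = $KeyValue
    foreach ($k in $Extra.Keys) { $e[$k] = $Extra[$k] }
    $Collection.Add($e) | Out-Null
}

# 1. Unlock at server level, the equivalent of
#    appcmd unlock config /section:system.webServer/security/requestFiltering
$serverRf = $mgr.GetApplicationHostConfiguration().GetSection("system.webServer/security/requestFiltering")
$serverRf.OverrideMode = "Allow"
$mgr.CommitChanges()

# 2. Site rules, written to the site's web.config so they xcopy with the content.
$rf = $mgr.GetWebConfiguration($siteName).GetSection("system.webServer/security/requestFiltering")

# "Block URLs over X in length": byte limits on URL and query string (404.14 / 404.15).
$limits = $rf.GetChildElement("requestLimits")
$limits["maxUrl"] = 2048
$limits["maxQueryString"] = 1024

# "Block URLs that contain any string": traversal and alternate-data-stream markers (404.5).
$deny = $rf.GetCollection("denyUrlSequences")
foreach ($seq in "..", ":", "\") { Add-RuleIfMissing $deny "sequence" $seq }

# "Prevent delivery of .config or /bin": .config and bin are skipped as already present;
# backup and dump files left in webroots are denied (404.7) and a logs folder hidden (404.8).
$ext = $rf.GetCollection("fileExtensions")
$ext["allowUnlisted"] = $true
foreach ($x in ".config", ".bak", ".old", ".sql") { Add-RuleIfMissing $ext "fileExtension" $x @{ allowed = $false } }
$hidden = $rf.GetCollection("hiddenSegments")
foreach ($seg in "bin", "logs") { Add-RuleIfMissing $hidden "segment" $seg }

$mgr.CommitChanges()
# Verify: appcmd list config "Default Web Site" /section:requestFiltering
```

The 404.x sub-status values in the comments are the ones IIS 7 logs when request filtering rejects a request, which is how you tell a filtering rejection from a genuinely missing file in the logs.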

  13. Request Filtering Error Codes

  14. demo Request Filtering

  15. Changes in the Anonymous User will Improve the IT Pro Experience • IUSR instead of IUSR_<servername> • IUSR is "built in", not a local account • Cannot log on to the system with this account • No password to worry about • Same SID on all Vista/Longhorn (LH) servers, so file ACLs are valid between servers • Allow anonymous access and turn off IUSR: use the process identity for anonymous access when enabled; disabled by default

  16. IIS_WPG replaced with IIS_IUSRS • IIS_WPG is a local group in IIS 6 • All app pool identities must be in IIS_WPG • Creates administrative overhead • Adds complexity to hardening and pool isolation • IIS_IUSRS replaces IIS_WPG • Built-in group, not local • Well-known SID means ACLs are respected across servers • Pool identities are automatically added

  17. demo Disabling Anon User

  18. Application Pool Sandbox • New IIS 7 feature that significantly improves application pool isolation • Prevents an attacker in one pool from reading secrets in another pool's configuration • Works automatically, and is transparent to configuration and operation • Process identity is unchanged: Network Service by default • Note that application pools cannot read applicationHost.config by default.

  19. Application Sandbox: How it works • Each site is assigned to a unique pool; this occurs automatically when a new site is created in the UI • At runtime: a unique SID for the pool is "injected" into the worker process's list of group SIDs; this does not change the process identity • A "temp" config file is created that contains only the config settings for that pool • The temp config file is ACLed with the unique pool SID • Because the SID is derived from the pool name, it is the same on other servers
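The injected pool SID and the ACL on the temp config, as an added example (not code from the slide deck). Assumptions: "IIS AppPool\<name>" SIDs are S-1-5-82 followed by the SHA-1 of the upper-cased UTF-16LE pool name split into five little-endian DWORDs (the published scheme; the script checks its own result against what the OS resolves), and the per-pool temp config lives under %systemdrive%\inetpub\temp\appPools (IIS 7.0 layout; the 7.5 subfolder layout is also tried).

```powershell
# Added example, not from the slide deck. Run elevated on the IIS 7 server.
function Get-AppPoolSid {
    param([Parameter(Mandatory = $true)][string]$PoolName)
    # Assumed derivation: S-1-5-82 + SHA-1(UPPER(pool name) as UTF-16LE) as 5 DWORDs.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($PoolName.ToUpperInvariant()))
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return "S-1-5-82-" + ($subAuthorities -join "-")
}

function Test-AppPoolSid {
    param([Parameter(Mandatory = $true)][string]$PoolName)
    $derived = Get-AppPoolSid $PoolName
    try {
        # LookupAccountName resolves the virtual account only where the pool exists.
        $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
        $resolved = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Pool '$PoolName' is not resolvable on this machine: $_"
        return $derived
    }
    if ($resolved -ne $derived) { throw "Derived SID $derived does not match resolved SID $resolved" }
    return $derived
}

function Show-PoolConfigAcl {
    param([Parameter(Mandatory = $true)][string]$PoolName)
    $sid = Test-AppPoolSid $PoolName
    $candidates = @("$env:systemdrive\inetpub\temp\appPools\$PoolName.config",
                    "$env:systemdrive\inetpub\temp\appPools\$PoolName\$PoolName.config")
    $file = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { Write-Warning "No temp config yet; send the pool a request and retry"; return }
    # Expected: Administrators, SYSTEM and exactly this pool's SID. No IIS_IUSRS, no other pool.
    Write-Host "Pool SID $sid, temp config $file"
    (Get-Acl $file).Access |
        Select-Object @{n = 'Identity'; e = { $_.IdentityReference.Value }}, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

Show-PoolConfigAcl "DefaultAppPool"
```

Two pools on two servers with the same name get the same SID, which is why ACLs granted to "IIS AppPool\<name>" survive an xcopy to another IIS 7 server; conversely, a pool renamed on one server silently loses every grant made to the old SID.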

  20. demo Application Pool Sandbox

  21. Hardening the Sandbox • Additional steps for increasing security • Disable the anonymous user, so that all anonymous access occurs as the process identity:
  appcmd set config -section:anonymousAuthentication -userName:"" --password
  • Set the content ACLs to grant the application pool's unique SID (with icacls); local content only, this will not work for UNC content • Create a secure per-pool location for the ASP template cache and for compressed content • Create a per-pool ASP.NET temp file location (the %1 is evidently a batch-file parameter carrying the site number):
  appcmd set config "Default Web Site" -section:compilation -tempDirectory:%systemdrive%\inetpub\temp\aspnettemp\site%1 /commit:webroot
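The hardening steps above as one script, added here as an example (not code from the slide deck) using Microsoft.Web.Administration plus icacls. Assumptions: site "Default Web Site" runs in pool "DefaultAppPool", its content is local under %systemdrive%\inetpub\wwwroot, "IIS AppPool\<name>" is the virtual account name that icacls resolves to the pool SID, and the per-pool temp folder names are illustrative.

```powershell
# Added example, not from the slide deck. Run elevated on the IIS 7 server.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"

$siteName    = "Default Web Site"
$poolName    = "DefaultAppPool"
$poolAccount = "IIS AppPool\$poolName"
$content     = "$env:systemdrive\inetpub\wwwroot"
$aspnetTemp  = "$env:systemdrive\inetpub\temp\aspnettemp\$poolName"   # assumed location
$aspTemplate = "$env:systemdrive\inetpub\temp\asptemplates\$poolName" # assumed location

$mgr        = New-Object Microsoft.Web.Administration.ServerManager
$hostConfig = $mgr.GetApplicationHostConfiguration()

# 1. Disable the anonymous user for the site. anonymousAuthentication is locked at
#    server level, so this lands in applicationHost.config as a <location> for the
#    site (what the slide's appcmd line does). Anonymous requests now run as the
#    pool identity, carrying the pool SID, rather than as the shared IUSR.
$anon = $hostConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", $siteName)
$anon["userName"] = ""
$anon["password"] = ""

# 2. Local content: grant the pool SID read/execute and drop the broad IIS_IUSRS grant,
#    so a compromised neighbour pool (also in IIS_IUSRS) cannot read this site's files.
#    Skip this for UNC content; the file server does not know the local pool SID.
#    If the IIS_IUSRS ACE is inherited from a parent folder, /remove:g leaves it in
#    place; break inheritance first (icacls $content /inheritance:d).
icacls $content /grant "${poolAccount}:(OI)(CI)RX"
icacls $content /remove:g "IIS_IUSRS"

# 3. Per-pool scratch locations readable by this pool, Administrators and SYSTEM only.
foreach ($dir in $aspnetTemp, $aspTemplate) {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    icacls $dir /inheritance:r /grant "${poolAccount}:(OI)(CI)M" "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
}

# ASP.NET compilation output (the slide's -tempDirectory), stored in the site's web.config.
$compilation = $mgr.GetWebConfiguration($siteName).GetSection("system.web/compilation")
$compilation["tempDirectory"] = $aspnetTemp

# Classic ASP template cache for the site; the asp section is locked, so <location> again.
$asp = $hostConfig.GetSection("system.webServer/asp", $siteName)
$asp.GetChildElement("cache")["diskTemplateCacheDirectory"] = $aspTemplate

$mgr.CommitChanges()
```

After the commit, browse the site once and run icacls on the new temp folders and on the content root: the only non-administrative entry should be the pool's own SID, which is the property the sandbox relies on.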

  22. demo Hardening the Sandbox Advanced Hardening

  23. Security Features moved to Kernel • Kernel Mode SSL: improves performance, reduces context switches to user mode • Kernel Mode Authentication: improves performance • Kerberos works even with a custom application pool identity! • No need to use SETSPN, as the ticket is decrypted with the machine account (if several farm servers share a custom domain identity behind one host name, set useAppPoolCredentials="true" and register the SPN on that account instead)

  24. Encrypted Keys in .config • Passwords may be present in .config • No secrets by default • Passwords are needed for: UNC paths, shared configuration, custom anonymous or application pool identities • Passwords are encrypted when added • The AES provider (AesProvider) is the default; application pool passwords use IISWASOnlyAesProvider, which worker processes cannot decrypt • The encryption provider can be customized • The provider keys are machine-specific: configuration copied to another server, or shared configuration, needs the exported keys or the encrypted values will not decrypt there

  25. IIS 7 Security Summary IIS 7 provides improvements and new capabilities that increase security and simplify administration

  26. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  27. UNC Password Rules with Virtual Directories and Sites • IIS 6 used different rules for local vs. UNC content • IIS 7 rules are simplified to be consistent. Rule: if a username and password are supplied for a site or directory, they are used for all of its content regardless of location (local or UNC).

  28. Q&A about Security • Q: Where do I configure the Read/Write properties that were in IIS 6? A: Handler properties (the accessPolicy of the handlers section) • Q: How do I install a certificate? A: Create a self-signed certificate in the UI or use the certificate request wizard • Q: What happened to Web Service Extensions? A: Implemented as ISAPI and CGI Restrictions in the UI • Q: Do I need URLScan? A: No.

  29. IIS7 vs ASP.net URLAuth
