
IIS and .NET Security

IIS and .NET Security. Santosh Kumar Nukavarapu. Contents. Overview IIS and .NET security Security Features IIS 7.0 Authentication in ASP.NET Apache VS IIS XML ,.NET and IIS Security Flaws in IIS Code Access Security. Why Security?. To stop unauthorized access.



Presentation Transcript


  1. IIS and .NET Security Santosh Kumar Nukavarapu

  2. Contents • Overview IIS and .NET security • Security Features IIS 7.0 • Authentication in ASP.NET • Apache VS IIS • XML ,.NET and IIS • Security Flaws in IIS • Code Access Security

  3. Why Security? • To stop unauthorized access. • To provide Application level safety. • Make sure that correct response is delivered to client.

  4. .NET's only Friend: IIS • IIS authenticates user requests and hands them over to ASP.NET. • ASP.NET then looks after authorization. • Unauthorized accesses are stopped and the response is a 401 page. • Developers set all the security settings required for ASP.NET in the web.config file.

  5. Security Features in IIS 7.0 • Basic Access Authentication • Digest Access Authentication • Integrated Windows Authentication • .NET Passport Authentication • Client Certificate Mapping • Request Filtering • URL Authorization

  6. Basic Access Authentication • The web browser supplies the credentials. • The user name is followed by a colon and concatenated with the password. • The result is encoded with Base64. • Decoding at the server side is easy; Base64 is an encoding, not encryption, so anyone who can read the request can recover the password. • Characters in the user name and password that are not HTTP-compatible are made compatible through the encoding. • It is supported by all major browsers.

  7. Digest Access Authentication • The password is not sent as plain text as it is in Basic Authentication. • MD5 is used. • HA1 = MD5(username:realm:password) • HA2 = MD5(method:digestURI) • Response = MD5(HA1:nonce:HA2) • The server nonce and client nonce help to prevent replay attacks.
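The three hashes above, computed as the slide states them (the form without qop fields), together with the server-side check that consumes each nonce so a captured response cannot be replayed. This is an added example, not code from the slides; the user, realm, password and URI are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class DigestDemo
{
    // Lowercase hex MD5 of a string, the form used for HA1, HA2 and the response.
    static string Md5Hex(string input)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(input))).Replace("-", "").ToLowerInvariant();
    }
    // HA1 = MD5(username:realm:password); HA2 = MD5(method:digestURI); response = MD5(HA1:nonce:HA2)
    public static string ComputeResponse(string user, string realm, string password, string method, string uri, string nonce)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }
    // Nonces issued but not yet consumed. Removing a nonce on first use is what makes a
    // captured response useless if it is sent again.
    static readonly HashSet<string> OutstandingNonces = new HashSet<string>();
    public static string IssueNonce()
    {
        byte[] raw = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string nonce = BitConverter.ToString(raw).Replace("-", "").ToLowerInvariant();
        OutstandingNonces.Add(nonce);
        return nonce;
    }
    // Server side: recompute the response from the stored password and compare it.
    public static bool Verify(string user, string realm, string storedPassword, string method, string uri, string nonce, string clientResponse)
    {
        if (!OutstandingNonces.Remove(nonce)) return false;   // unknown or already-used nonce
        string expected = ComputeResponse(user, realm, storedPassword, method, uri, nonce);
        return string.Equals(expected, clientResponse, StringComparison.Ordinal);
    }
    public static void Main()
    {
        // Constructed sample: "kumar" in realm "secure" fetching the page from slide 19.
        string nonce = IssueNonce();
        string resp = ComputeResponse("kumar", "secure", "s3cret", "GET", "/secure/kumarSecret.aspx", nonce);
        Console.WriteLine("first use accepted: " + Verify("kumar", "secure", "s3cret", "GET", "/secure/kumarSecret.aspx", nonce, resp));
        Console.WriteLine("replay accepted: " + Verify("kumar", "secure", "s3cret", "GET", "/secure/kumarSecret.aspx", nonce, resp));
    }
}
```

The second Verify call presents the same nonce and response again and is refused, which is the replay protection the slide refers to; MD5 itself is kept only because the slide's scheme is defined on it.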

  8. Integrated Windows Authentication • Passwords are not sent across the network. • An authentication mechanism such as Kerberos is used. • Windows credentials are used for authentication. • An NT domain or Active Directory account is needed. • Good for intranet environments, as clients and server are on the same network. • Not well suited for non-Microsoft browsers.

  9. .NET Passport Authentication • No need for login and logout pages on individual sites. • Centralized sign-in and sign-out. • Can be customized to maintain the look and feel of the site. • Cookies are strongly encrypted. • No need to provide credentials again while browsing between different participating websites. • Clicking sign out deletes all the .NET Passport cookies that were used for the different participating websites.

  10. Contd.. • No server-to-server communication: all communication with the centralized server is done through HTTP redirects from the client's web browser. • Ex: Windows Live ID

  11. Client Certificate Mapping • A certificate is a digital credential that binds a public key to an identity. • While accessing the server, this certificate is presented automatically for authentication. • These certificates can be mapped to Windows accounts in an Active Directory domain. • No need for Basic, Digest or Integrated Windows authentication, as users are authenticated automatically when they log on with client certificates. • There are three ways to map client certificates: Directory Service (DS) mapping, one-to-one mapping, and many-to-one mapping.

  12. Contd.. • Three ways to map client certificates: • Directory Service (DS) mapping • One-to-one mapping • Many-to-one mapping

  13. Directory Service (DS) mapping • Directory Service (DS) mapping • Windows Active Directory is used to authenticate users with client certificates. • One-to-one mapping • The certificate submitted by the client's browser is compared with the certificate stored on the server, and the account mapping is made on an exact match. • Many-to-one mapping • The certificate is matched against specific criteria on its fields. Ex: use of wildcards.

  14. Request Filtering
  • Filter Double-encoded Requests - This feature prevents attacks that rely on double-encoded requests.
  • Filter High Bit Characters - This feature rejects requests whose URL contains non-ASCII (high-bit) characters.
  • Filter Based on File Extensions - This feature defines a set of allowed file extensions that IIS 7.0 will serve.
  • Filter Based on Request Limits - This filter combines three features:
    1. maxAllowedContentLength: the upper limit on the content size.
    2. maxUrl: the upper bound on URL length.
    3. maxQueryString: the upper bound on the length of a query string.
  • Filter by Verbs - This feature defines a list of HTTP verbs that IIS 7.0 accepts as part of a request.
  • Filter Based on URL Sequences - This feature defines a list of sequences that IIS 7.0 rejects when one appears in a request.
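All six filters from the slide expressed in a site web.config, as an added example rather than configuration from the presentation. The limits, verb list and extension list are constructed sample values for a small ASP.NET site; the element and attribute names are the ones IIS 7.0 uses under system.webServer/security/requestFiltering.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- double-encoded and high-bit (non-ASCII) URLs are rejected outright -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- request limits: 30 MB body, 4 KB URL, 2 KB query string (sample values) -->
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
        <!-- verbs: only what the application needs; every unlisted verb is refused -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- file extensions: serve pages and static assets only; source and config files are blocked -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />      <!-- "." keeps extensionless URLs such as /secure/ working -->
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".cs" allowed="false" />
        </fileExtensions>
        <!-- URL sequences rejected wherever they appear in the request path -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests blocked by these rules are answered with HTTP 404 and a 404.x substatus (for example 404.7 for a denied extension), which is what to look for in the IIS logs when a legitimate request is unexpectedly refused.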

  15. URL Authorization • IIS 7.0 makes URL authorization much easier. • Previous versions required configuring access control lists (ACLs) on the file system. • Authorization rules are put on the actual URI and not on the file system resources. • Ex: Consider three users: santosh, kumar and nukavarapu.

  16. Only kumar is supposed to access the kumarSecret.aspx page.
  • IIS Setup
  • Create three accounts and group them via the Windows User Manager.
  • The same can be done from the command prompt as below:
    net user santosh <password_of_your_choice> /add
    net user kumar <password_of_your_choice> /add
    net user nukavarapu <password_of_your_choice> /add
    net localgroup kumarAndFriends /add
    net localgroup kumarAndFriends santosh /add
    net localgroup kumarAndFriends kumar /add

  17.
  1. Open Explorer and go into the %systemdrive%\inetpub\wwwroot directory.
  2. Create a directory called "secure".
  3. Change into the "secure" directory and create a new file called "default.aspx". You can do this with Notepad or any other text editor.
  4. Paste the following code into the default.aspx page:
    <%@ Page Language="C#" %>
    <%
        // LOGON_USER is empty (or absent) when the request was not authenticated
        string currentUser = Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(currentUser)) currentUser = "anonymous";
        Response.Write("<b>Current User:</b> " + currentUser);
    %>
  5. Create another file called kumarSecret.aspx and paste the following code into it:
    <%@ Page Language="C#" %>
    <%
        string currentUser = Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(currentUser)) currentUser = "anonymous";
        Response.Write("<b>Current User:</b> " + currentUser);
        Response.Write("<b>My secret:</b> I used Apache before I discovered IIS7.");
    %>
  6. Now see if the two web pages work by requesting http://localhost/secure/ and http://localhost/secure/kumarSecret.aspx.

  18. Configuring URL Authorization
  • Now secure the two pages so that only santosh and kumar have access:
  1. Double click the "secure" web directory again and select "Authorization Rules".
  2. Remove the "Allow All Users" rule.
  3. Click "Add Allow Rule…", select the "Specified roles or user groups:" radio button, add "kumarAndFriends" and click the "OK" button.
  4. Close all Internet Explorer windows, because Internet Explorer caches the credentials that you entered in the previous step.
  5. Open Internet Explorer and try to access the page using nukavarapu's credentials. You do not get access.
  6. Now try kumar's credentials or santosh's credentials. You get access.

  19. Configuring URL Authorization for a single web page
  1. Double click the "secure" web directory again and select "Content View" at the bottom of the page.
  2. You will see a list of the files in the secure folder, namely "default.aspx" and "kumarSecret.aspx".
  3. Right click kumarSecret.aspx and select "Feature View".
  4. You are now making changes only for the kumarSecret.aspx page, as indicated in the status bar.
  5. Select "Authorization Rules" again. You see the inherited settings, i.e. the kumarAndFriends group is allowed to access kumarSecret.aspx.
  6. Remove the "kumarAndFriends" rule.
  7. Now click "Add Allow Rule…".
  8. Click the "Specified users:" radio button, enter "kumar" and click "OK".
  9. Close all Internet Explorer windows and request http://localhost/secure/kumarSecret.aspx.
  10. Only by entering kumar's credentials will you get access.
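What the IIS Manager clicks in slides 18 and 19 write into the web.config of the "secure" directory, shown here as an added example (not a file from the presentation). It assumes anonymous authentication is disabled and Basic or Windows authentication is enabled on that directory; otherwise every request arrives as anonymous and is denied.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- %systemdrive%\inetpub\wwwroot\secure\web.config -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- slide 18, step 2: drop the inherited "Allow All Users" rule -->
        <remove users="*" roles="" verbs="" />
        <!-- slide 18, step 3: only members of the local group reach /secure/ -->
        <add accessType="Allow" roles="kumarAndFriends" />
      </authorization>
    </security>
  </system.webServer>

  <!-- slide 19: the rules for one page replace the directory rules -->
  <location path="kumarSecret.aspx">
    <system.webServer>
      <security>
        <authorization>
          <!-- step 6: remove the inherited group rule for this file only -->
          <remove users="" roles="kumarAndFriends" verbs="" />
          <!-- step 8: kumar alone -->
          <add accessType="Allow" users="kumar" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

With no rule left that matches a request, IIS denies it with 401.2, so the nukavarapu test in slide 18 and the santosh test against kumarSecret.aspx both fail closed rather than open.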

  20. Apache VS IIS • Performance: • The Apache Software Foundation does not support 64-bit builds on Windows. • So you cannot use a 64-bit Windows + Apache combination. • On 64-bit systems the choice is between Windows + IIS6 and Linux + Apache. • In order to run PHP under IIS6 on a 64-bit platform you have to work with the 32-bit emulation mode of IIS6 and make sure that all PHP extensions are loaded and executed in 32-bit mode. • Stability: • Windows and IIS6 are proprietary code. That means that when a vulnerability is found, a user has to wait and live with a vulnerable system until Microsoft fixes the issue and releases a patch. • Linux and Apache are open source products. This means that everyone has access to the source code and, as soon as a vulnerability has been found, everyone with the appropriate level of knowledge can fix it. • Apache 2 has had more vulnerabilities than IIS6. However, IIS6 has had more critical vulnerabilities that might result in service failure or give administrative access to an attacker. • Cost: • Windows setup costs include: more powerful hardware to run the GUI and antivirus software; Windows and IIS6 licenses for the server. • Linux setup costs include: hardware only, and it need not be as powerful as the hardware for Windows to serve the same number of requests. • Optionally a paid Linux distribution if you are looking for Red Hat or SUSE, but it is cheaper anyway and only required if you have very specific requirements that call for a commercial Linux release.

  21. STOP SECURITY ISSUES
  • Use PrincipalPermission to demand role-based security (requires System.Security.Permissions):
    // The demand runs when the class is used; callers not in the "Admin" role get a SecurityException
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public class AdminOnlyPage : BasePage
    {
        // ...
    }

  22. Contd..
  • Securing a particular directory in ASP.NET for specific roles:
    <location path="Secure">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
  • Note that "?" matches anonymous users only; to restrict the directory to specific roles, an allow rule for the role must precede a deny rule for all users ("*").

  23. Prevent SQL Injection by Using SqlParameters
    using System.Data;
    using System.Data.SqlClient;

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        DataSet userDataset = new DataSet();
        // The stored procedure is called by name; the user-supplied value is bound as a
        // typed, length-limited parameter and is never concatenated into SQL text.
        SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
        myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
        myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
        myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
        myCommand.Fill(userDataset);
    }

  24. Turn On Custom Errors To Keep Errors Private • <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> • With mode="On", stack traces and source snippets are never shown to remote clients; they are replaced by the redirect page.

  25. Prevent Cross-Site Scripting Using HtmlEncode and UrlEncode
  • Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
  • Response.Write(HttpUtility.UrlEncode(urlString));
  • Selectively re-enabling a small set of tags after encoding everything:
    using System.Text;
    using System.Web;

    // Encode the string input from the HTML input text field
    StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(htmlInputTxt.Text));
    // Selectively allow <b> and <i>; only these exact, attribute-free tags are restored
    sb.Replace("&lt;b&gt;", "<b>");
    sb.Replace("&lt;/b&gt;", "</b>");
    sb.Replace("&lt;i&gt;", "<i>");
    sb.Replace("&lt;/i&gt;", "</i>");

  26. Security Flaws in IIS • A buffer overflow involving chunked encoding in the ASP (Active Server Pages) ISAPI filter. • Another buffer overflow involving HTTP header processing, in which an attacker can spoof delimiter checking and persuade IIS that delimiting characters are present when they are not. • It is possible for an invalid and very long file name to pass the include safety check, resulting in a file name bigger than its intended buffer, and hence a buffer overflow. • A denial of service vulnerability involving the way an ISAPI filter included in FrontPage Server Extensions and ASP.NET generates an error when a request is received containing a URL exceeding the maximum length set by the filter. IIS attempts to process the URL while returning an error message, resulting in an access violation which causes it to crash. Affects IIS 4.0, 5.0, and 5.1. • There are also three cross-site scripting (XSS) vulnerabilities.

  27. Code Access Security • The .NET Framework provides a security mechanism, called Code Access Security (CAS), to protect computer systems from malicious code and to allow mobile code to run safely. • .NET allows administrators to assign a pre-defined set of permissions to an application. • These permission sets vary based on the level of trust accorded to the application. • By default, applications receive a level of trust that depends on the evidence presented about the code: its digital signature, its origin and the location of the application.

  28. ASP.NET Web applications can be further configured by assigning them trust levels.
  • Trust levels are configured using the <trust> element within the configuration file:
    <trust level="Full | High | Low | None" originUrl="url" />

  29. Contd..
  • The default mappings for ASP.NET are:
  • High: maps to web_hightrust.config. This level provides permissions that grant applications read/write access to the application directory (subject to operating system permissions) and allows the application to replace the authentication principal object. It also restricts applications from calling into non-managed code.
  • Low: maps to web_lowtrust.config. This level allows applications to read from the application directory and provides limited network connectivity.
  • None: maps to web_notrust.config. This level provides basic execution permission and supports the application's use of isolated storage.
  • Example of code:
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal" />
      <trustLevel name="High" policyFile="web_hightrust.config" />
      <trustLevel name="Low" policyFile="web_lowtrust.config" />
      <trustLevel name="None" policyFile="web_notrust.config" />
    </securityPolicy>

  30. References • www.msdn.com • http://www.theregister.co.uk/2002/04/11/eight_new_iis_security_holes/ • http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/ • http://www.visualbuilder.com/aspnet/security/tutorial/code-access-security/
