Remote Applications & IIS
Terminal Services MW2K3 Chpt. 16
• Benefits
  • Centralized Deployment of Applications
  • Supporting PC-Unfriendly Environments:
    • Unclean, excessive heat, exposure to elements and theft.
  • Less Processing Power Required on the Client
  • Easier management of user interface.
  • Remote Server Administration
Is this the Future of Networking?
• Not likely, for two reasons:
  • Not all applications behave well in a Terminal Server environment
    • Legacy applications
  • Some applications and users are just too demanding
    • Computer-Assisted Drawing
    • Intensive Database applications
Windows NT 4.0 TSE vs. W2K3
• Windows Server now supports:
  • Richer screen color on the client side
  • Sound on the client side
  • Publishing applications to a Web page
  • Mapping client-side printers and hard drives
  • Cut and paste between local and remote session via the clipboard
  • Load balancing with Advanced Server
  • New Remote Desktop Protocol, supporting multiple channels, which means more communication between client and server
  • Clustering solutions
  • Group policy enhancement
Citrix Metaframe in a Nutshell
• Multi-protocol support
• Application publishing
• Seamless Windows
• Load Balancing
What’s Missing in W2K3 TS
• Supports only Win32 operating systems
  • Does not support DOS, Unix/Linux, or Macintosh clients
  • Citrix Metaframe is required for those clients
• Multi-protocol support
  • ICA supports IPX/SPX and NetBEUI
• Seamless client session
• Support for more than 256 colors
• Server farming
• Load balancing
Server and Client Requirements
• Server Hardware
  • Load up on RAM, processors and NICs
  • 1 CPU should be able to support up to 20 users, depending on usage
  • 2GB-4GB minimum RAM
Server and Client Requirements
• Client Hardware
  • PC with a Win32 operating system loaded
  • Windows terminal thin client
    • WYSE
    • HP
  • Handheld PC running Windows CE/PocketPC
IIS Review
• World Wide Web server
• Supports security and encryption
• Hosts sites for one or many domains
• Pass-through access to HTML documents on other machines (virtual directories)
• Supports FrontPage Server Extensions for easy management and web publishing
• Default install only supports static content
IIS Continued
The following technologies are supported in IIS 6 but are disabled after installation of IIS:
• ASP: Active Server Pages
• SSI: Server Side Includes
• CGI: Common Gateway Interface
• ISAPI: Internet Server Application Programming Interface
IIS Continued
• Read: allows users to read files from your Web server. In most instances you will want this option set for the root of a new site. The primary reason for disabling it is for directories that contain CGI or ISAPI apps, which will usually be set at the subdirectory level.
• Run Scripts: if you need to allow the execution of ASPs on your site, enable this option.
• Execute: if you need to allow the execution of ISAPI or CGI apps on your site, enable this option. Enabling it also implies the Run Scripts option.
• Write: if client browsers will need to upload files to your Web server or write data to a file, you will need write permission enabled.
• Browse: if a user does not request a specific file on the Web server and no default document is defined, IIS returns an HTML listing of the files and subdirectories in the root of the site.
Security Considerations
• Design and implement your Web app with security as the top priority.
• All it takes is one “legitimate” anonymous or authorized user.
• At the application level, all it takes is one bad assumption in the logic of your site design.
• Don’t hesitate to bring outside expertise into the development team, and have an unbiased third party audit your solution.
• ASSUME ALL INPUT IS MALICIOUS, AND VALIDATE IT!!!
Basic HTTP
• HTTP is essentially a basic file transfer protocol using the HTTP GET command
• e.g. http://www.victim.com/files/index.html
• This command requests the file index.html from the /files virtual directory, for example c:\inetpub\wwwroot\files
• The server interprets the request as:
  • GET /files/index.html HTTP/1.0
CGI
• Common Gateway Interface
• An executable variation of HTTP: the URL names a program to run rather than a file to return
• e.g. http://www.victim.com/scripts/cgi.exe?variable1+variable2
ASP and ISAPI
• Active Server Pages
• Internet Server Application Programming Interface
• Runs within the inetinfo.exe process
• e.g. http://www.victim.com/scripts/script.asp?variable1=x&variable2=Y
• e.g. http://www.victim.com/isapi.dll?variable1&variable2
HTTP Issues
• What do hackers do?
• Try to trick the server into revealing data it otherwise shouldn’t
• e.g. file system traversal using ../
  • http://www.victim.com/../../../winnt/secret.txt
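A defender-side check for the traversal trick above, added here as an example and not taken from the slides: it canonicalizes the URI stem before mapping it under the web root, treats a backslash (and its %5c encoding) as a separator the way IIS does, and refuses anything that would step above the root. WEB_ROOT and the function names are assumptions.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Assumed web root, matching the c:\inetpub\wwwroot layout used on the slides.
WEB_ROOT = r"c:\inetpub\wwwroot"

def canonical_path(uri_stem: str):
    """Return the web-root-relative path a request refers to, or None if it must be rejected."""
    path = uri_stem
    # Decode until the string stops changing so double-encoded dots (%252e) cannot slip past.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after three rounds: treat as hostile
    if "\x00" in path:
        return None  # an embedded NUL would truncate the path in a C runtime
    # IIS treats a backslash (and its %5c encoding) as a separator, so normalize it first.
    path = path.replace("\\", "/").lstrip("/")
    norm = posixpath.normpath(path)
    if norm == ".":
        return ""  # site root: let the default-document rule apply
    if norm == ".." or norm.startswith("../"):
        return None  # the request escapes the root
    return norm

def map_to_filesystem(uri_stem: str, web_root: str = WEB_ROOT):
    """Resolve a request to a Windows path under web_root, or None if it would leave the root."""
    rel = canonical_path(uri_stem)
    if rel is None:
        return None
    root = ntpath.normpath(web_root)
    full = ntpath.normpath(ntpath.join(root, rel.replace("/", "\\")))
    # Second, independent check on the final path: it must be the root or a child of it.
    if full.lower() != root.lower() and not full.lower().startswith(root.lower() + "\\"):
        return None
    return full
```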
How do we prevent?
• Do NOT do a default install: in Server 2000 a default install installs IIS and turns everything on
• A default install in Server 2003 does not turn anything on
• After installation, install only the necessary IIS components
• Once installed, apply ALL necessary hotfixes from http://windowsupdate.microsoft.com/ and keep up to date on a WEEKLY basis
• Move the default IIS install location off the system drive
• Shut down unnecessary sites, e.g. FTP
Additional Prevention
• Apply network-level access control at routers, firewalls, or other devices that make up the perimeter around Web servers. Block all non-essential communications in both directions.
• Make sure to block outbound communications originating from the web server, to confound attackers who compromise the web server and then try to tftp or ftp files from a remote system or shovel a shell to a remote listener.
Additional
• Block all non-essential communications to and from the web server at the host level to provide “defense in depth”. Host-level network access control on Server 200x can be configured using TCP/IP Security or IPSec filters.
Secure IIS Checklist
• Read your corporate security policy
  • How do we react to a break-in?
  • Where are the backups stored?
  • Who is allowed access to the server?
• http://www.sans.org
• http://www.baselinesoft.com
Secure IIS Checklist
• Review, update and deploy the provided hisecweb.inf template
• Configure IPSec policy
  • Consider setting an IPSec packet-filtering policy on every server. This provides an extra level of security if your firewalls are breached.
  • In general, you should block all TCP/IP protocols other than those you explicitly want to support and the ports you want to open. You can use the IPSec administration tool or the IPSecPol command line to deploy IPSec policy.
Secure IIS Checklist
• Set appropriate IIS log file ACLs
  • Administrators (Full Control)
  • System (Full Control)
• Secure the Telnet server, or, better yet, disable it in Services (it is disabled by default)
• Set appropriate ACLs on virtual directories
Secure IIS Checklist
• Enable Logging
  • Load the IIS tool
  • Right-click the site in question and choose Properties
  • Click the Web Site tab
  • Check the Enable Logging check box
  • Choose W3C Extended Log File Format from the Active Log Format drop-down list
  • Click Properties
  • Click Extended Properties and set the following properties:
    • Client IP address
    • Username
    • Method
    • URI stem
    • HTTP status
    • Win32 status
    • User agent
    • Server IP address
    • Server port
IIS Basic Log File Sample
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2005-03-11 12:50:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:50:34 10.0.0.11 GET /non_existant_web_link123511.htm 404
12:50:38 10.0.0.11 HEAD /cgi-bin/ 404
12:50:38 10.0.0.11 HEAD /cgi-bin/a1stats/ 404
12:50:38 10.0.0.11 HEAD /cgi-bin/adcycle/ 404
12:50:38 10.0.0.11 HEAD /error/ 404
12:50:38 10.0.0.11 HEAD /doc/ 404
12:50:42 10.0.0.11 HEAD /~nobody/ 404
12:50:42 10.0.0.11 HEAD /site/eg/ 404
12:50:42 10.0.0.11 HEAD /cfdocs/ 404
12:50:42 10.0.0.11 HEAD /cfide/ 404
12:50:42 10.0.0.11 HEAD /cowsconf/ 404
12:50:42 10.0.0.11 HEAD /cgi-bin/cowsconf/ 404
12:50:42 10.0.0.11 HEAD /scripts/ 403
12:50:42 10.0.0.11 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
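As an added example, not part of the slide deck, a small parser for the W3C extended format shown above that walks an excerpt of the slide's own sample rows and flags the two things visible in them: a burst of 404s from one client (a scanner working through a list of well-known paths) and a traversal attempt hidden behind %5c. The column names come from the #Fields line; the function names and the 404 threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote
# Excerpt of the W3C extended log shown on the slide (header plus six of its rows).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2005-03-11 12:50:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:50:34 10.0.0.11 GET /non_existant_web_link123511.htm 404
12:50:38 10.0.0.11 HEAD /cgi-bin/ 404
12:50:38 10.0.0.11 HEAD /cgi-bin/a1stats/ 404
12:50:42 10.0.0.11 HEAD /cfide/ 404
12:50:42 10.0.0.11 HEAD /scripts/ 403
12:50:42 10.0.0.11 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
"""
def parse_w3c(text):
    """Yield one dict per data row; column names come from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):          # directive lines are not requests
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields directive")
        values = line.split()
        if len(values) == len(fields):    # skip blank or truncated rows rather than mis-assign columns
            yield dict(zip(fields, values))

def is_traversal(uri_stem):
    """True when the decoded stem steps up a directory: '../' or its '..\\' / '..%5c' form."""
    decoded = unquote(unquote(uri_stem)).replace("\\", "/")
    return "/../" in decoded or decoded.startswith("../")

def client_stats(text):
    """Per-client request count, 404 count and the traversal URIs seen."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "traversal": []})
    for rec in parse_w3c(text):
        entry = stats[rec["c-ip"]]
        entry["requests"] += 1
        if rec["sc-status"] == "404":
            entry["not_found"] += 1
        if is_traversal(rec["cs-uri-stem"]):
            entry["traversal"].append(rec["cs-uri-stem"])
    return dict(stats)

def suspicious_clients(text, scan_threshold=4):
    """Clients with a burst of 404s (scanner behaviour) or any traversal attempt."""
    return {ip: s for ip, s in client_stats(text).items()
            if s["not_found"] >= scan_threshold or s["traversal"]}
```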
Secure IIS Checklist
• Set IP address/DNS address restrictions
  • Not a common option to set, but if you want to restrict your website to certain users this option is available to you.
• Update Root CA certificates on the IIS server
Secure IIS Checklist
• Remove the IISADMPWD virtual directory
  • This directory allows users to reset NT and 2000 passwords. Used primarily for intranets.
• Remove unused script mappings
• Disable Parent Paths
• Disable the IP address in the Content-Location header (see Microsoft KB Q218180)
Windows Security Resources
• www.ntsecurity.com
• www.ntsecurity.net
• www.isaserver.org
• www.winguides.com/security
• www.microsoft.com/security
• http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001191
• http://nsa2.www.conxion.com/win2k/download.htm